ASP.NET error message
Description
ASP.NET applications may expose detailed error messages containing sensitive technical information when exceptions occur. This vulnerability was identified when a specially crafted request triggered an ASP.NET error page that revealed a complete stack trace and the Microsoft .NET Framework version. Such detailed error messages are typically intended for developers during debugging but should not be visible to external users in production environments.
Remediation
Configure ASP.NET to display generic error messages to remote users while logging detailed errors server-side for debugging purposes. Modify the application's web.config file to enable custom error pages:
    <configuration>
      <system.web>
        <customErrors mode="RemoteOnly" defaultRedirect="~/Error.html">
          <error statusCode="404" redirect="~/NotFound.html" />
          <error statusCode="500" redirect="~/ServerError.html" />
        </customErrors>
      </system.web>
    </configuration>

Set mode="RemoteOnly" to show detailed errors only on localhost, or use mode="On" to always display custom errors. Create user-friendly error pages that do not reveal technical details. Ensure detailed error information is logged to secure server-side logs accessible only to authorized personnel for troubleshooting purposes.
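As an added example (not part of this finding), the following Python script audits a web.config for the customErrors setting discussed above, flagging mode="Off", a missing defaultRedirect, and an undeclared element; the two embedded configs are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the weak setting this kind of finding usually traces back to.
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: the corrected setting from the remediation above.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.html">
      <error statusCode="404" redirect="~/NotFound.html" />
      <error statusCode="500" redirect="~/ServerError.html" />
    </customErrors>
  </system.web>
</configuration>"""


def audit_custom_errors(web_config_xml: str) -> dict:
    """Return the declared customErrors mode and the findings a reviewer should raise."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    findings = []
    if node is None:
        # Element absent: the effective mode is inherited from machine.config, so
        # this file alone cannot prove the setting; declare it explicitly.
        findings.append("customErrors not declared; effective mode inherited from machine.config")
        return {"mode": None, "exposes_details_remotely": None, "findings": findings}
    mode = node.get("mode", "RemoteOnly")  # RemoteOnly is the documented default
    exposes = mode.lower() == "off"
    if exposes:
        findings.append('mode="Off": stack traces and .NET version are sent to remote users')
    if not node.get("defaultRedirect"):
        findings.append("no defaultRedirect: ASP.NET serves its own generic error page")
    for err in node.findall("error"):
        if not err.get("redirect"):
            findings.append(f"error statusCode={err.get('statusCode')} has no redirect target")
    return {"mode": mode, "exposes_details_remotely": exposes, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_custom_errors(cfg))
```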