We recently released a Microsoft Security Advisory about a security vulnerability in ASP.NET. This post explains the impact on SharePoint and documents a recommended workaround.
This vulnerability affects Microsoft SharePoint 2010 and Microsoft SharePoint Foundation 2010. The vulnerability is in ASP.NET.
We recommend that all SharePoint 2010 customers apply the workaround as soon as possible. This post will be updated with any new information.
The workaround for SharePoint 2010 is slightly different from the one documented in the advisory. For SharePoint 2010, you should follow the instructions below on every web front-end in your SharePoint farm:
- Browse to the SharePoint installation directory at %CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\template\layouts.
- Create a new file called error2.aspx in this directory with the following content:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
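void Page_Load() {
    // Sleep for a random 0-255 ms so the time taken to return the error page varies.
    byte[] delay = new byte[1];
    RandomNumberGenerator prng = new RNGCryptoServiceProvider();
    prng.GetBytes(delay);
    Thread.Sleep((int)delay[0]);
    // Dispose the generator if this framework version's implementation supports it.
    IDisposable disposable = prng as IDisposable;
    if (disposable != null) { disposable.Dispose(); }
}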
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
- Navigate to %SystemDrive%\inetpub\wwwroot\wss\virtualdirectories.
- For each subfolder in this directory, do the following:
  - Edit web.config
  - Find the customErrors node and change it to:
    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/_layouts/error2.aspx" />
  - Save your changes
- Run iisreset /noforce
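A read-only check for the steps above, added here as an example and not part of the original post or advisory: it confirms that error2.aspx exists and that every web.config under virtualdirectories carries the customErrors settings shown. It assumes the default paths given above and that customErrors sits directly under /configuration/system.web; the function name Test-CustomErrors is hypothetical.

```powershell
# Added audit example (not from the original post). Makes no changes.
# Paths are the ones named in the workaround steps.
$layouts = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\template\layouts'
$vdirs   = Join-Path $env:SystemDrive 'inetpub\wwwroot\wss\virtualdirectories'

# Attribute values the workaround sets on <customErrors>.
$expected = @{
    mode            = 'On'
    redirectMode    = 'ResponseRewrite'
    defaultRedirect = '/_layouts/error2.aspx'
}

# Hypothetical helper: returns a list of deviations for one web.config (empty if none).
function Test-CustomErrors {
    param([string]$ConfigPath)

    if (-not (Test-Path -LiteralPath $ConfigPath)) { return 'web.config not found' }
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load($ConfigPath) }
    catch { return "cannot parse: $($_.Exception.Message)" }

    # Assumption: the node is at the usual location, not inside a <location> element.
    $node = $xml.SelectSingleNode('/configuration/system.web/customErrors')
    if ($null -eq $node) { return 'no customErrors node under system.web' }

    $problems = @()
    foreach ($name in $expected.Keys) {
        $actual = $node.GetAttribute($name)   # empty string when the attribute is absent
        if ($actual -cne $expected[$name]) {  # exact, case-sensitive comparison
            $problems += "$name is '$actual', expected '$($expected[$name])'"
        }
    }
    # The node in the workaround is self-closing; flag per-status <error> children as a deviation.
    if ($node.SelectNodes('error').Count -gt 0) { $problems += 'has <error> child elements' }
    return $problems
}

if (-not (Test-Path -LiteralPath (Join-Path $layouts 'error2.aspx'))) {
    Write-Warning "error2.aspx is missing from $layouts"
}

Get-ChildItem -LiteralPath $vdirs | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $cfg    = Join-Path $_.FullName 'web.config'
    $issues = @(Test-CustomErrors -ConfigPath $cfg)
    if ($issues.Count -eq 0) { "OK    $cfg" }
    else { "FAIL  $cfg : $($issues -join '; ')" }
}
```

Run it on each web front-end after the edits; any FAIL line names the web.config that still differs from the workaround.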
For more information: