Moved from the MVC forum to the dedicated one about the vulnerability by moderator XIII to keep people and the ASP.NET team at Microsoft focussed on one reporting area:
I'm trying to implement the workaround for the oracle padding exploit described on ScottGu's blog. Here's the workaround:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/Home/ErrorPage" />
When I add that to my web.config, I'm not redirected to the error page when I try a bogus URL. I get the regular 404 error page. That's not what I expected. When I visit http://www.example.com/Home/ErrorPage, I can see it just fine.
I can't use the script on Scott's page to test my server since I deploy to Az