RedirectMode in ASP.NET Security Vulnerability

In Scott Guthrie's blog post about the ASP.NET security vulnerability noted here, he says that for ASP.NET 3.5 SP1+ there should be the following attribute in the user error section:

redirectMode="ResponseRewrite"

What is the significance of this in relation to vulnerability and why only 3.5 SP1 and higher?

+3
2 answers

ResponseRedirect provides the attacker with information about the time it takes to get the redirect header.

ResponseRewrite does not return the redirect header, so the attacker does not know this time.

, , , error.aspx . ResponseRewrite, .

3.5 SP1 , .s

+1

3.5 SP1 ? .

. (ResponseRedirect) . ResponseRewrite - Uri. , , .

MSDN ...

0
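An added example, not part of the original thread or of the blog post it refers to: a small Python audit of a `web.config` for the `customErrors` settings discussed above. The two sample configs are constructed, and the checks on `mode` and on per-status `<error>` entries are policy assumptions that are not stated on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread).
WEAK = """<configuration><system.web>
  <customErrors mode="On" defaultRedirect="~/error.aspx">
    <error statusCode="404" redirect="~/notfound.aspx" />
  </customErrors>
</system.web></configuration>"""

HARDENED = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite"
                defaultRedirect="~/error.aspx" />
</system.web></configuration>"""


def audit_custom_errors(web_config_xml):
    """Return findings for <customErrors>; an empty list means it passes."""
    root = ET.fromstring(web_config_xml)
    # First <customErrors> in document order (also matches one under <location>).
    ce = next(root.iter("customErrors"), None)
    if ce is None:
        return ["customErrors missing: framework defaults apply"]
    findings = []
    # Policy assumption: "Off" returns detailed errors to every client.
    if ce.get("mode", "RemoteOnly") == "Off":
        findings.append("mode=Off: detailed errors reach remote clients")
    if not ce.get("defaultRedirect"):
        findings.append("defaultRedirect missing: no common error page")
    # An absent redirectMode means ResponseRedirect, i.e. a 302 to the error page.
    if ce.get("redirectMode", "ResponseRedirect") != "ResponseRewrite":
        findings.append("redirectMode is not ResponseRewrite: errors answer with a redirect")
    # Policy assumption: per-status pages make error types distinguishable.
    codes = [e.get("statusCode", "?") for e in ce.findall("error")]
    if codes:
        findings.append("per-status error pages for: " + ", ".join(codes))
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_custom_errors(cfg) or "OK")
```

The `redirectMode` attribute does not exist before .NET 3.5 SP1, so on older frameworks that finding cannot be cleared by configuration.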

Source: https://habr.com/ru/post/1765638/
