Article ID: 834452 - View products that this article applies to.
Custom error pages are designed to display detailed error information that helps administrators and developers to troubleshoot and to solve Active Server Pages (ASP) coding issues. However, this detailed error information can provide the name of the ASP script that caused the error, a relative path to the script's location, and information about the line in the script that caused the error. This information could be used maliciously.
The following is an example of such an error:
The Custom Error Pages feature relies on 500-100.asp. The default 500-100.asp file showcases some of the error reporting abilities that are available with custom error pages. Administrators and developers use this information to troubleshoot custom ASP applications. However, some of the information that is made available in 500-100.asp could be used maliciously.
On production Web sites that use the Custom Error Pages feature, Microsoft recommends that developers create their own custom error pages to provide customer-friendly information, such as support numbers and e-mail addresses, to permit customers to inform the system administrators of problems that they experience on the Web site.
The following is an example of a secure custom error page:
For more information about using custom error pages in IIS, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/311766/ )How Web site administrators can troubleshoot an "HTTP 500 - Internal Server Error" error message on IIS 4.0 or on IIS 5.0
814869For more information about creating custom ASP error pages for use in development environments, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/814869/ )Custom error messages in IIS 6.0
(http://support.microsoft.com/kb/224070/ )Creating custom ASP error pages