I am applying the suggested fixes, but the fix sends all errors to the same page that does not display the cause of the error. That is the purpose of the fix because the data around that information is the problem.

I updated our sites over the weekend and didn't have any problems. We haven't tested the work around with vanity URLs and a custom 404.aspx page with IIS 6. I'm guessing that it will probably cause the vanity urls to fail. We are using vanity urls with the wildcard mapping and it is still working fine. However, given the severity of this vulnerability I would suggest applying the workaround ASAP and worry about vanity urls later. You may need to temporarily disable vanity urls, but that would be much better than having to deal with a compromised site.

I agree. I just wanted to be sure that there was not a work around for the vanity URLs.

It seems like that hackers are indeed exploiting the security leak. Check out this MS blog post: http://blogs.technet.com/b/msrc/arc...16728.aspx

I guess we'd better keep everyone informed and advise site owners to apply the web.config changes!!

Dotnetnuke 05.05.01 has been released. It includes the ASP.Net POET Vulnerability /Oracle Padding fix.