MVC3 on IIS Express (classic mode) or IIS 6 returns 404 with file extensions (cgi, etc)
I am attempting to recreate a test done by HP's WebInspect to verify a possible attack vector. In this case it tacks CrazyWWWBoard.cgi onto the end of any URL. In my application, when I attempt this I get the IIS 404 page and not my custom error page. Further, in the IIS Express 404, I can tell the handler is referenced as StaticFile. No controller or even routing code is hit (I tested this by placing an empty route constraint on each route whose Match method immediately returns true and just set a breakpoint there). The Web.Config is basically what comes from MVC3 (except some appSettings which should have no bearing on this). I tested this without the extension (cgi) and the code behaves as expected. I am using .NET 4 extensionless URLs for the rest of the application and normal behaviour works. When I use cgi, it gives IIS's 404. Do I need to replace the StaticFileHandler via the web.config?
UPDATE: In doing some further testing, the .NET components starting at Application_BeginRequest are NEVER hit. Based on my experience, this means the error pages defined in the web.config are never called. I also went back and added a .aspx extension to my controller names (i.e. http:\localhost\myapp\controller.aspx\action\test.cgi) and the URL then feeds into the .NET components even with the "cgi" extension. Is this a limitation on the ASP.NET 4/MVC/IIS6 extensionless URL scenario? If so, are there any workarounds? I would prefer to stay extensionless but if worse comes to worst I'll return to the .aspx in my controllers. Understand that I do NOT have control over server-side setup.
Add this to the RegisterRoutes section of Global.asax.cs:
routes.IgnoreRoute("{resource}.axd/{*pathInfo}"); // This one is here by default
routes.IgnoreRoute("{resource}.cgi/{*pathInfo}"); // This is your new one
// Other routes go AFTER these two as before.
And make sure you have customErrors switched on in your web.config too, which I'm sure you've already done.
I just tried it and it works (i.e. appending anything with .cgi sent me to my standard error page, without changing anything on the web server itself).
As an aside, please don't change your URLs to include .aspx on the end as that would be against the spirit of MVC! And also an attacker could merely omit the .aspx and still get the 404 page unless you implement my tiny fix.
EDIT:
What happens if you put this into your <httpHandlers> section of the web.config?
<add verb="*" path="*.cgi" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
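As an added check (example code written for this page, not from the answer above), the console program below registers the same route table outside IIS, behind a minimal fake HttpContextBase, and reports which URL shapes the .cgi IgnoreRoute actually swallows; it exercises only managed routing, not the IIS handler mapping that the question reports is serving the 404 before ASP.NET runs. FakeRequest, FakeContext, RouteCheck, Build and Resolve are names chosen here, and the project is assumed to reference System.Web and System.Web.Mvc 3.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
// Minimal fake request/context so the route table can be queried outside IIS
// (assumption: a console project referencing System.Web and System.Web.Mvc 3).
class FakeRequest : HttpRequestBase
{
    private readonly string _path;
    public FakeRequest(string appRelativePath) { _path = appRelativePath; }
    public override string AppRelativeCurrentExecutionFilePath { get { return _path; } }
    public override string PathInfo { get { return string.Empty; } }
}
class FakeContext : HttpContextBase
{
    private readonly HttpRequestBase _request;
    public FakeContext(string appRelativePath) { _request = new FakeRequest(appRelativePath); }
    public override HttpRequestBase Request { get { return _request; } }
}
static class RouteCheck
{
    // Same registration order as the answer: ignore routes first, then the MVC default route.
    public static RouteCollection Build()
    {
        var routes = new RouteCollection();
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
        routes.IgnoreRoute("{resource}.cgi/{*pathInfo}");
        routes.MapRoute("Default", "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional });
        return routes;
    }
    // "ignored" when a StopRoutingHandler swallows the URL, "no route" when nothing matches,
    // otherwise the controller/action the URL would dispatch to.
    public static string Resolve(RouteCollection routes, string appRelativePath)
    {
        RouteData data = routes.GetRouteData(new FakeContext(appRelativePath));
        if (data == null) return "no route";
        if (data.RouteHandler is StopRoutingHandler) return "ignored";
        return data.Values["controller"] + "/" + data.Values["action"];
    }
    static void Main()
    {
        var routes = Build();
        // App-relative paths, as HttpRequest.AppRelativeCurrentExecutionFilePath reports them.
        Console.WriteLine(Resolve(routes, "~/Home/Index"));
        Console.WriteLine(Resolve(routes, "~/CrazyWWWBoard.cgi"));
        Console.WriteLine(Resolve(routes, "~/Home/Index/CrazyWWWBoard.cgi"));
    }
}
```

Only a URL whose first segment ends in .cgi (such as ~/CrazyWWWBoard.cgi) matches the "{resource}.cgi/{*pathInfo}" pattern; a .cgi name appended after controller/action is picked up by the Default route as its id value, so check the shape WebInspect actually sends before relying on the ignore route alone.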
I experienced the same thing as you are experiencing now, and this article got me where I needed to be... from haacked.com
http://haacked.com/archive/2008/11/26/asp.net-mvc-on-iis-6-walkthrough.aspx