Security patch for MSA 2416728

src/Orchard.Web/Web.config

@@ -87,7 +87,7 @@
             it enables developers to configure html error pages 
             to be displayed in place of a error stack trace.
     -->
-    <customErrors mode="Off"/>
+    <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/Error.aspx"/>
     <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
       <namespaces>
         <add namespace="System.Web.Mvc"/>
@@ -100,6 +100,16 @@
       </namespaces>
     </pages>
     <httpHandlers>
+      <!-- Explicitly remove not necessary handlers -->
+      <remove path="eurl.axd" verb="*" />
+      <remove path="trace.axd" verb="*" />
+      <remove path="WebResource.axd" verb="*" />
+      <remove path="*_AppService.axd" verb="*" />
+      <remove path="ScriptResource.axd" verb="*" />
+      <remove path="*.rem" verb="*" />
+      <remove path="*.xoml" verb="*" />
+      <remove path="*.xamlx" verb="*" />
+      
       <add verb="*" path="*.mvc" validate="false" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
     </httpHandlers>
   </system.web>
@@ -113,6 +123,16 @@
     <modules runAllManagedModulesForAllRequests="true">
     </modules>
     <handlers>
+      <!-- Explicitly remove not necessary handlers -->
+      <remove path="eurl.axd" verb="*" />
+      <remove path="trace.axd" verb="*" />
+      <remove path="WebResource.axd" verb="*" />
+      <remove path="*_AppService.axd" verb="*" />
+      <remove path="ScriptResource.axd" verb="*" />
+      <remove path="*.rem" verb="*" />
+      <remove path="*.xoml" verb="*" />
+      <remove path="*.xamlx" verb="*" />
+
       <remove name="MvcHttpHandler"/>
       <remove name="UrlRoutingHandler"/>
       <add name="MvcHttpHandler" preCondition="integratedMode" verb="*" path="*.mvc" type="System.Web.Mvc.MvcHttpHandler, System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>