PCI compliance ASP issue with paths

Posted on 2011-09-28
Last Modified: 2012-08-13
We have a client that must meet PCI compliance standards each month.

They run a test that basically does a port scan on the Public IP address and gives them back any possible exploits or vulnerabilities.

This one notice is eluding me. I cannot seem to figure out where or how to fix it:

 ASP.NET Web Server Information Disclosure  
The web server running on this host is configured to display verbose error messages.
This could give an attacker information about the ASP.NET applications on the
server, as well as information about the host itself. For example, accessing the page
http://yoursite/thisfiledoesnotexist.aspx (or .ashx or .asmx) might return a page that
says "The resource cannot be found." However, if you view the source of the page,
hidden at the bottom of the document is quite a bit of debugging information that
includes the path of the web server.
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (5)
Service: microsoft:iis
Virtual Host:
Received ASP error message: [FileNotFoundException]: Could not find file "c:\
inetpub\wwwroot\IFLCVATS.ashx". at System.IO.__Error.WinIOError(Int32
errorCode, String str) at System.IO.FileStream..ctor(String path, FileMode mode,
Received ASP error message: [FileNotFoundException]: c:\inetpub\wwwroot\
ENSGRKVP.aspx at System.Web.UI.TemplateParser.GetParserCacheItem() at
virtualPath, String inputFile
Received ASP error message: [FileNotFoundException]: Could not find file "c:\
inetpub\wwwroot\OWVEUHQR.asmx". at System.IO.__Error.WinIOError(Int32
errorCode, String str) at System.IO.FileStream..ctor(String path, FileMode mode

The solution given by the PCI scanner is as follows:

It is recommended that any sort of debugging information be disabled for
production systems. Displaying custom error messages prevents the
debugging information from being provided to users. In web.config, set
the customErrors mode to "On" or "RemoteOnly" (displays debugging
information to browsers accessing the site from the local host). See the
MSDN link below for detailed information on the customErrors tag

Anyone have any ideas how to fix this?
Question by:Orlando_Tech
LVL 28

Expert Comment

ID: 36717719
In your web.config, make sure you have <compilation debug="false"/> instead of "true".

Author Comment

ID: 36717756
My issue so far is that I don't have a web.config under the c:\inetpub\wwwroot folder.

Can I just make one?

I searched the HDD and found about 15 different web.configs in different folders.  Is there a certain one I should change?
LVL 28

Expert Comment

ID: 36717838
Change the machine.config and web.config in the ASP.NET folders and then add one to your wwwroot folder. You should also scan all web.configs that are added to your server to ensure that a developer doesn't include this tag by accident in production.
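The scan of every web.config suggested in the comment above, as an added example that is not part of the original thread: a Python script that walks a directory tree and flags any web.config or machine.config that sets customErrors mode="Off" or compilation debug="true". The WEAK and HARDENED samples and the function names are constructed for illustration.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Constructed samples, not taken from the server discussed in the thread.
WEAK = """<configuration><system.web>
  <customErrors mode="Off" />
  <compilation debug="true" />
</system.web></configuration>"""
HARDENED = """<configuration><system.web>
  <customErrors defaultRedirect="index.html" mode="On" />
  <compilation debug="false" />
</system.web></configuration>"""

def audit_text(xml_text):
    """Return findings for the content (str or bytes) of one ASP.NET config file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for node in root.iter():  # also covers system.web inside <location> blocks
        tag = node.tag.rsplit("}", 1)[-1]  # ignore an xmlns on <configuration>
        if tag == "customErrors" and node.get("mode", "RemoteOnly").lower() == "off":
            findings.append('customErrors mode="Off"')
        if tag == "compilation" and node.get("debug", "false").lower() == "true":
            findings.append('compilation debug="true"')
    return findings

def audit_tree(top):
    """Audit every web.config and machine.config below `top`; return {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if name.lower() in ("web.config", "machine.config"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:  # bytes let the parser handle BOMs
                    found = audit_text(fh.read())
                if found:
                    report[path] = found
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, found in sorted(audit_tree(sys.argv[1]).items()):
            print(path, "->", "; ".join(found))
    else:
        print("WEAK:", audit_text(WEAK))
        print("HARDENED:", audit_text(HARDENED))
```

Run it with a directory argument (for example the wwwroot folder and the .NET Framework CONFIG folders) to list only the files that need changing.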
LVL 30

Expert Comment

by:Brad Howe
ID: 36718031
As it states. You need to change your custom errors to not report to external users. You are disclosing site and folder structure.


<!-- Web.Config Configuration File -->

        <customErrors mode="RemoteOnly"/>

Add <error> tags for each of the errors you want to handle.

"On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages only to users not running on the local Web server.

This setting is recommended for security purposes, so that you do not display application detail information to remote clients.


Author Comment

ID: 36718543
My question is now, can I place a new file under c:\inetpub\wwwroot called web.config with just the above information in it?

I made this file in that location, I stopped and started IIS, however, we still fail PCI Scan.

However, I manually tested what the system is complaining about and it returned the same error back to me after changes you suggested?
[FileNotFoundException]: Could not find file &quot;c:\inetpub\wwwroot\IFLCVATS.ashx&quot;.

From what I gather, the issue here is that if you go to\boguspage.aspx,  view source, the debug information contains the path c:\inetpub\wwwroot in it....
LVL 28

Accepted Solution

strickdd earned 500 total points
ID: 36718690

Author Comment

ID: 36718832
Still nothing...

I have this as my web.config under the wwwroot:

<!-- Web.Config Configuration File -->

   <customErrors defaultRedirect="userError.aspx" mode="RemoteOnly">
      <error statusCode="404" redirect="pagenotfound.aspx" />
   </customErrors>

to recreate the problem I can go to this website:
If I do view source it still shows the path in the error codes.

[FileNotFoundException]: Could not find file &quot;c:\inetpub\wwwroot\IFLCVATS.ashx&quot;.
   at System.IO.__Error.WinIOError(Int32 errorCode, String str)
LVL 11

Expert Comment

ID: 36817579
Have you created "pagenotfound.aspx"?

The basic idea here is to display something other than the IIS default error page, as that gives the details away.


Assisted Solution

Orlando_Tech earned 0 total points
ID: 36918958
This fixed it:
ASP.NET Web Server Information Disclosure

The most common issue incurred is that detailed errors are visible to the web for applications by default.

Unless you or your client's developer needs to see these error details for development reasons, you can enable custom error pages to override that setting. This is done using a web.config file in the root of your site space. A quick example of one such web.config file is provided below. Placing the following content into a text file, renaming it web.config and posting this to your site space will do the trick and will redirect any error pages to your root index.html file.

      <customErrors defaultRedirect="index.html" mode="On" />

Author Closing Comment

ID: 36941248
Was able to get on the right path with strickdd's link. After that it was just a matter of finding the correct syntax for the ASP.
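The manual test described in the thread (request a page that does not exist, then view the source), as an added example that is not part of the original thread: a Python check that looks for exception names, stack frames and local paths in the response body. The sample bodies are constructed from the error text quoted above; `find_leaks`, `probe` and their parameters are names chosen for this example.

```python
import html
import re
import sys
import urllib.error
import urllib.request

# Page names of the kind the scanner report suggests requesting (none should exist).
PROBE_NAMES = ("thisfiledoesnotexist.aspx", "thisfiledoesnotexist.ashx",
               "thisfiledoesnotexist.asmx")
LEAK_PATTERNS = {
    "exception type": re.compile(r"\[\w+Exception\]"),
    "stack frame": re.compile(r"\bat System\.[\w.]+\("),
    "local path": re.compile(r'\b[a-z]:\\(?:[^\\\s"<&]+\\)+', re.I),
}
# Constructed sample bodies, built from the error text quoted in the thread.
SAMPLE_VERBOSE = r"""<html><body><h2>The resource cannot be found.</h2></body></html>
<!--
[FileNotFoundException]: Could not find file &quot;c:\inetpub\wwwroot\IFLCVATS.ashx&quot;.
   at System.IO.__Error.WinIOError(Int32 errorCode, String str)
-->"""
SAMPLE_CUSTOM = "<html><body><h1>Home</h1></body></html>"

def find_leaks(body):
    """Return {leak kind: first matching text} for one response body."""
    text = html.unescape(body)  # view-source shows &quot; around the path
    hits = {}
    for kind, pattern in LEAK_PATTERNS.items():
        match = pattern.search(text)
        if match:
            hits[kind] = match.group(0)
    return hits

def probe(base_url, names=PROBE_NAMES, timeout=10):
    """Request each nonexistent page under base_url and report leaks per URL."""
    results = {}
    for name in names:
        url = base_url.rstrip("/") + "/" + name
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read()
        except urllib.error.HTTPError as err:  # 404 and 500 pages still have a body
            body = err.read()
        results[url] = find_leaks(body.decode("utf-8", "replace"))
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url, hits in probe(sys.argv[1]).items():
            print(url, "->", hits or "no debugging detail found")
    else:
        print(find_leaks(SAMPLE_VERBOSE), find_leaks(SAMPLE_CUSTOM))
```

Run it from a machine other than the web server: with mode="RemoteOnly", requests made on the server itself still receive the detailed error page.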
