Solved

PCI compliance ASP issue with paths

Posted on 2011-09-28
Last Modified: 2012-08-13
We have a client that must meet PCI compliance standards each month.


They run a test that basically does a port scan on the public IP address and gives them back any possible exploits or vulnerabilities.


This one notice is eluding me. I cannot seem to figure out where or how to fix it:


ASP.NET Web Server Information Disclosure
The web server running on this host is configured to display verbose error messages.
This could give an attacker information about the ASP.NET applications on the
server, as well as information about the host itself. For example, accessing the page
http://yoursite/thisfiledoesnotexist.aspx (or .ashx or .asmx) might return a page that
says "The resource cannot be found." However, if you view the source of the page,
hidden at the bottom of the document is quite a bit of debugging information that
includes the path of the web server.
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (5)
Reference: http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx
Service: microsoft:iis
Evidence:
Virtual Host: 71.46.209.228
Received ASP error message: [FileNotFoundException]: Could not find file "c:\inetpub\wwwroot\IFLCVATS.ashx". at System.IO.__Error.WinIOError(Int32 errorCode, String str) at System.IO.FileStream..ctor(String path, FileMode mode, FileA
Received ASP error message: [FileNotFoundException]: c:\inetpub\wwwroot\ENSGRKVP.aspx at System.Web.UI.TemplateParser.GetParserCacheItem() at System.Web.UI.TemplateControlParser.CompileAndGetParserCacheItem(String virtualPath, String inputFile
Received ASP error message: [FileNotFoundException]: Could not find file "c:\inetpub\wwwroot\OWVEUHQR.asmx". at System.IO.__Error.WinIOError(Int32 errorCode, String str) at System.IO.FileStream..ctor(String path, FileMode mode


The solution given by the PCI scanner is as follows:


It is recommended that any sort of debugging information be disabled for
production systems. Displaying custom error messages prevents the
debugging information from being provided to users. In web.config, set
the customErrors mode to "On" or "RemoteOnly" (displays debugging
information to browsers accessing the site from the local host). See the
MSDN link below for detailed information on the customErrors tag http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx
 


Anyone have any ideas how to fix this?
Question by:Orlando_Tech
10 Comments
 
LVL 28

Expert Comment

by:strickdd
ID: 36717719
In your web.config, make sure you have <compilation debug="false"/> instead of "true".
 

Author Comment

by:Orlando_Tech
ID: 36717756
My issue so far is that I don't have a web.config under the c:\inetpub\wwwroot folder.

Can I just make one?

I searched the HDD and found about 15 different web.configs in different folders. Is there a certain one I should change?
 
LVL 28

Expert Comment

by:strickdd
ID: 36717838
Change the machine.config and web.config in the ASP.Net folders and then add one to your wwwroot folder. You should also scan all web.configs that are added to your server to ensure that a developer doesn't include this tag by accident in production.
 
LVL 30

Expert Comment

by:Brad Howe
ID: 36718031
As it states. You need to change your custom errors to not report to external users. You are disclosing site and folder structure.

eg

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly"/>
    </system.web>
</configuration>

Add <error> tags for each of the errors you want to handle.

"On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages only to users not running on the local Web server.

This setting is recommended for security purposes, so that you do not display application detail information to remote clients.

Cheers,
Hades666
 

Author Comment

by:Orlando_Tech
ID: 36718543
My question is now, can I place a new file under c:\inetpub\wwwroot called web.config with just the above information in it?

I made this file in that location, I stopped and started IIS, however, we still fail PCI Scan.

However, I manually tested what the system is complaining about and it returned the same error back to me after the changes you suggested:
 
[FileNotFoundException]: Could not find file "c:\inetpub\wwwroot\IFLCVATS.ashx".

 
From what I gather, the issue here is that if you go to http://yoursitename.com\boguspage.aspx,  view source, the debug information contains the path c:\inetpub\wwwroot in it....
LVL 28

Accepted Solution

by:
strickdd earned 500 total points
ID: 36718690
 

Author Comment

by:Orlando_Tech
ID: 36718832
Still nothing...

I have this as my web.config under the wwwroot:

<!-- Web.Config Configuration File -->

<configuration>
 <system.web>
   <customErrors defaultRedirect="userError.aspx" mode="RemoteOnly">
  <error statusCode="404" redirect="pagenotfound.aspx" />
 </customErrors>
 </system.web>
</configuration>


to recreate the problem I can go to this website: http://mail.cporlando.com/IFLCVATS.ashx
If I do view source it still shows the path in the error codes.

[FileNotFoundException]: Could not find file "c:\inetpub\wwwroot\IFLCVATS.ashx".
   at System.IO.__Error.WinIOError(Int32 errorCode, String str)
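A way to re-run the scanner's own check against your site after each web.config change, added here as an example and not part of the original thread: it requests a random nonexistent .aspx/.ashx/.asmx file, as the scanner did, and flags exception names, Windows paths and stack frames in the response body. The sample bodies are constructed (the leaking one mirrors the evidence quoted in the question) and the base URL in the usage line is a placeholder.

```python
import re
import secrets
import sys
import urllib.error
import urllib.request

# Same probe set the scanner used: a random file name with each ASP.NET extension.
PROBE_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Patterns that show debugging detail leaked into the response body.
DISCLOSURE_PATTERNS = {
    "exception_name": re.compile(r"\[\w+Exception\]"),
    "windows_path": re.compile(r'[A-Za-z]:\\(?:[^\\\s"<>]+\\)*[^\\\s"<>]*'),
    "stack_frame": re.compile(r"\bat System\.[\w.]+\("),
}

# Constructed sample bodies; the leaking one mirrors the scanner evidence in the question.
LEAKY_BODY = ('<html><body>The resource cannot be found.<!-- [FileNotFoundException]: '
              'Could not find file &quot;c:\\inetpub\\wwwroot\\IFLCVATS.ashx&quot;. '
              'at System.IO.__Error.WinIOError(Int32 errorCode, String str) --></body></html>')
CLEAN_BODY = '<html><body><h1>Page not found</h1></body></html>'

def find_disclosures(body: str) -> dict:
    """Return {pattern_name: [matches]} for each disclosure pattern present in body."""
    text = body.replace("&quot;", '"')  # view-source shows HTML entities
    return {name: rx.findall(text) for name, rx in DISCLOSURE_PATTERNS.items()
            if rx.search(text)}

def _http_fetch(url: str):
    """Fetch url, returning (status, body) even for 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def probe_site(base_url: str, fetch=_http_fetch) -> dict:
    """Request a nonexistent file with each extension; map URL -> status and leaks."""
    name = secrets.token_hex(4).upper()  # random name, like the scanner's IFLCVATS
    results = {}
    for ext in PROBE_EXTENSIONS:
        url = f"{base_url.rstrip('/')}/{name}{ext}"
        status, body = fetch(url)
        results[url] = {"status": status, "leaks": find_disclosures(body)}
    return results

if __name__ == "__main__":
    # Usage: python check_asp_errors.py https://your-site.example   (placeholder URL)
    for url, info in probe_site(sys.argv[1]).items():
        print(url, info["status"], "LEAKS" if info["leaks"] else "clean", info["leaks"])
```

A site passes this check only when all three probes come back without any flagged pattern; a custom error page that still embeds the exception in an HTML comment is caught because the body, not the status code, is inspected.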
 
LVL 11

Expert Comment

by:G_H
ID: 36817579
Have you created "pagenotfound.aspx"?

The basic idea here is to display something other than the IIS default error page, as that gives the details away.

GH
 

Assisted Solution

by:Orlando_Tech
Orlando_Tech earned 0 total points
ID: 36918958
This fixed it:    http://myhosting.com/kb/PCI_Compliance
ASP.NET Web Server Information Disclosure

The most common issue incurred is that detailed errors are visible to the web for asp.net applications by default.

Unless you or your client's developer needs to see these error details for development reasons, you can enable custom error pages to override that setting. This is done using a web.config file in the root of your site space. A quick example of one such web.config file is provided below. Placing the following content into a text file, renaming it web.config and posting this to your site space will do the trick and will redirect any asp.net error pages to your root index.html file.

<configuration>
   <system.web>
      <customErrors defaultRedirect="index.html" mode="On">
      </customErrors>
   </system.web>
</configuration>
 

Author Closing Comment

by:Orlando_Tech
ID: 36941248
Was able to get on the right path with strickdd's link. After that it was just a matter of finding the correct syntax of the ASP.
