PCI compliance ASP issue with paths

Posted on 2011-09-28
Last Modified: 2012-08-13
We have a client that must meet PCI compliance standards each month.


They run a test that basically does a port scan on the Public IP address and gives them back any possible exploits or vulnerabilities.

This one notice is eluding me. I cannot seem to figure out where or how to fix it:


ASP.NET Web Server Information Disclosure
The web server running on this host is configured to display verbose error messages. This could give an attacker information about the ASP.NET applications on the server, as well as information about the host itself. For example, accessing the page http://yoursite/thisfiledoesnotexist.aspx (or .ashx or .asmx) might return a page that says "The resource cannot be found." However, if you view the source of the page, hidden at the bottom of the document is quite a bit of debugging information that includes the path of the web server.
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (5)
Reference: http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx
Service: microsoft:iis
Evidence:
Virtual Host: 71.46.209.228
Received ASP error message: [FileNotFoundException]: Could not find file "c:\inetpub\wwwroot\IFLCVATS.ashx". at System.IO.__Error.WinIOError(Int32 errorCode, String str) at System.IO.FileStream..ctor(String path, FileMode mode, FileA
Received ASP error message: [FileNotFoundException]: c:\inetpub\wwwroot\ENSGRKVP.aspx at System.Web.UI.TemplateParser.GetParserCacheItem() at System.Web.UI.TemplateControlParser.CompileAndGetParserCacheItem(String virtualPath, String inputFile
Received ASP error message: [FileNotFoundException]: Could not find file "c:\inetpub\wwwroot\OWVEUHQR.asmx". at System.IO.__Error.WinIOError(Int32 errorCode, String str) at System.IO.FileStream..ctor(String path, FileMode mode


The solution given by the PCI scanner is as follows:


It is recommended that any sort of debugging information be disabled for
production systems. Displaying custom error messages prevents the
debugging information from being provided to users. In web.config, set
the customErrors mode to "On" or "RemoteOnly" (displays debugging
information to browsers accessing the site from the local host). See the
MSDN link below for detailed information on the customErrors tag: http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx

Anyone have any ideas how to fix this?
Question by:Orlando_Tech
LVL 28

Expert Comment

by:strickdd
ID: 36717719
In your web.config, make sure you have <compilation debug="false"/> instead of "true".

Author Comment

by:Orlando_Tech
ID: 36717756
My issue so far is that I don't have a web.config under the c:\inetpub\wwwroot folder.

Can I just make one?

I searched the HDD and found about 15 different web.configs in different folders.  Is there a certain one I should change?
LVL 28

Expert Comment

by:strickdd
ID: 36717838
Change the machine.config and web.config in the ASP.Net folders and then add one to your wwwroot folder. You should also scan all web.configs that are added to your server to ensure that a developer doesn't include this tag by accident in production.
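One way to do the scan strickdd suggests across every web.config on a server, as an added example rather than code from this thread (Python instead of PowerShell so it runs anywhere; the two sample configs it builds are constructed, not taken from the question): it parses each file's system.web sections, including any inside a location element, and reports compilation debug="true", customErrors mode="Off", or a customErrors element that is not set explicitly.

```python
"""Audit every web.config below a directory for the two settings behind the
PCI finding in this thread. Added example; sample configs are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread).
DEBUG_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

HARDENED_CONFIG = """<!-- explicit, production-safe settings -->
<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="error.html">
      <error statusCode="404" redirect="notfound.html" />
    </customErrors>
  </system.web>
</configuration>
"""


def audit_config_text(xml_text):
    """Return a list of findings for one web.config's contents (empty list = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    sections = list(root.iter("system.web"))  # also catches <location> overrides
    if not sections:
        return ["no <system.web> section; settings inherited from parent config"]
    findings = []
    for sw in sections:
        comp = sw.find("compilation")
        if comp is not None and comp.get("debug", "false").lower() == "true":
            findings.append('compilation debug="true"')
        ce = sw.find("customErrors")
        if ce is None:
            findings.append("customErrors not set explicitly")
        elif ce.get("mode", "").lower() == "off":
            findings.append('customErrors mode="Off"')
    return findings


def audit_tree(top):
    """Map each web.config path under `top` to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if name.lower() == "web.config":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:  # tolerate a BOM
                    results[path] = audit_config_text(fh.read())
    return results


def demo_tree():
    """Build a throwaway site tree holding both sample configs and audit it.
    Returns {relative path: findings} so the result is easy to check."""
    with tempfile.TemporaryDirectory() as top:
        os.makedirs(os.path.join(top, "wwwroot", "app"))
        with open(os.path.join(top, "wwwroot", "web.config"), "w") as fh:
            fh.write(HARDENED_CONFIG)
        with open(os.path.join(top, "wwwroot", "app", "web.config"), "w") as fh:
            fh.write(DEBUG_CONFIG)
        raw = audit_tree(top)
        return {os.path.relpath(p, top).replace(os.sep, "/"): f for p, f in raw.items()}


if __name__ == "__main__":
    # Point audit_tree() at c:\inetpub (or the whole drive) on a real server.
    for path, findings in sorted(demo_tree().items()):
        print(path, "->", findings or "OK")
```

A child folder's web.config overrides its parent, so a clean wwwroot\web.config does not help if an application folder below it still carries debug="true" or mode="Off"; that is why the walk reports every file rather than only the root one.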
 
LVL 30

Expert Comment

by:Brad Howe
ID: 36718031
As it states. You need to change your custom errors to not report to external users. You are disclosing site and folder structure.

e.g.

<!-- Web.Config Configuration File -->

<configuration>
    <system.web>
        <customErrors mode="RemoteOnly"/>
    </system.web>
</configuration>

Add <error> tags for each of the errors you want to handle.

"On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages only to users not running on the local Web server.

This setting is recommended for security purposes, so that you do not display application detail information to remote clients.

Cheers,
Hades666

Author Comment

by:Orlando_Tech
ID: 36718543
My question is now, can I place a new file under c:\inetpub\wwwroot called web.config with just the above information in it?

I made this file in that location, I stopped and started IIS, however, we still fail PCI Scan.

However, I manually tested what the system is complaining about and it returned the same error back to me after the changes you suggested:

[FileNotFoundException]: Could not find file "c:\inetpub\wwwroot\IFLCVATS.ashx".

From what I gather, the issue here is that if you go to http://yoursitename.com\boguspage.aspx and view source, the debug information contains the path c:\inetpub\wwwroot in it....
LVL 28

Accepted Solution

by:
strickdd earned 2000 total points
ID: 36718690

Author Comment

by:Orlando_Tech
ID: 36718832
Still nothing...

I have this as my web.config under the wwwroot:

<!-- Web.Config Configuration File -->

<configuration>
  <system.web>
    <customErrors defaultRedirect="userError.aspx" mode="RemoteOnly">
      <error statusCode="404" redirect="pagenotfound.aspx" />
    </customErrors>
  </system.web>
</configuration>

To recreate the problem I can go to this website: http://mail.cporlando.com/IFLCVATS.ashx
If I do view source it still shows the path in the error codes.

[FileNotFoundException]: Could not find file "c:\inetpub\wwwroot\IFLCVATS.ashx".
   at System.IO.__Error.WinIOError(Int32 errorCode, String str)
LVL 11

Expert Comment

by:G_H
ID: 36817579
Have you created "pagenotfound.aspx"?

The basic idea here is to display something other than the IIS default error page, as that gives the details away.

GH

Assisted Solution

by:Orlando_Tech
Orlando_Tech earned 0 total points
ID: 36918958
This fixed it: http://myhosting.com/kb/PCI_Compliance
ASP.NET Web Server Information Disclosure

The most common issue incurred is that detailed errors are visible to the web for asp.net applications by default.

Unless you or your client's developer needs to see these error details for development reasons, you can enable custom error pages to override that setting. This is done using a web.config file in the root of your site space. A quick example of one such web.config file is provided below. Placing the following content into a text file, renaming it web.config and posting this to your site space will do the trick and will redirect any asp.net error pages to your root index.html file.

<configuration>
   <system.web>
      <customErrors defaultRedirect="index.html" mode="On">
      </customErrors>
   </system.web>
</configuration>
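After changing web.config, the thread's own test was to request a nonexistent .aspx/.ashx/.asmx page and view source, because the scanner keeps failing the host until that response stops carrying the stack trace. The Python below, an added example and not code from the thread or the hosting KB, automates that check: it flags a bracketed exception type, a Windows physical path, and " at System." stack frames in a response body. The sample bodies are constructed to resemble the evidence quoted in the question; the fetch helper takes the URL of a page on your own site and returns the body even when the status is 404 or 500, which is the case that matters here.

```python
"""Inspect an ASP.NET error response for the disclosures the PCI scanner
flagged. Added example; the sample bodies are constructed."""
import re
import urllib.error
import urllib.request

# Constructed response bodies modelled on the evidence quoted in the question.
LEAKY_BODY = """<html><body><h1>The resource cannot be found.</h1>
<!--
[FileNotFoundException]: Could not find file "c:\\inetpub\\wwwroot\\EXAMPLE.ashx".
   at System.IO.__Error.WinIOError(Int32 errorCode, String str)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access)
-->
</body></html>
"""
CLEAN_BODY = "<html><body><h1>Page not found</h1></body></html>\n"

PATTERNS = {
    "exception type": re.compile(r"\[\w+Exception\]"),
    "physical path": re.compile(r'[A-Za-z]:\\[^\s"<>]+'),
    "stack frame": re.compile(r"^\s+at System\.[\w.]+", re.M),
}


def disclosure_findings(body):
    """Return {pattern name: matches} for every disclosure pattern present in body."""
    return {name: rx.findall(body) for name, rx in PATTERNS.items() if rx.search(body)}


def fetch_body(url, timeout=10):
    """GET a page on a site you administer; return (status, body) even on 404/500."""
    req = urllib.request.Request(url, headers={"User-Agent": "customErrors-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def check_url(url):
    """True when the error page for `url` carries none of the flagged patterns."""
    _status, body = fetch_body(url)
    return not disclosure_findings(body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. http://yoursite/thisfiledoesnotexist.aspx
        _status, body = fetch_body(sys.argv[1])
        print("clean" if not disclosure_findings(body) else disclosure_findings(body))
    else:
        print("sample:", disclosure_findings(LEAKY_BODY))
```

Run it against one URL per extension the finding names (.aspx, .ashx and .asmx), since the evidence above shows a different code path, and thus a different stack trace, for each; a redirect to a static page such as index.html is clean simply because the body contains none of the patterns.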

Author Closing Comment

by:Orlando_Tech
ID: 36941248
Was able to get on the right path with strickdd's link. After that it was just a matter of finding the correct syntax of the ASP.
