Article # 10172 Date:

Important: ASP.NET Security Vulnerability Notice

Project Insight was recently alerted to the following potential security threat:

http://www.microsoft.com/technet/security/advisory/2416728.mspx


Specific steps to mitigate the threat are included below.

We are informing installed customers that we have followed the advice of Scott Guthrie in the following article, rather than waiting for an official resolution from Microsoft, which was not available at the time this email was sent.

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

Scott Guthrie's credentials are found on the following Microsoft page:

http://www.microsoft.com/presspass/exec/guthrie/

This advisory notice is being sent for information purposes only. It is not intended to supersede any corporate procedures for Project Insight customers' standard practices.

Please forward this notice to your IT director, or feel free to contact us if you have any questions.

Steps to mitigate the threat:

1. Edit the file 404.aspx, located at <Project Insight Installed Root>\Site\Errors\404.aspx.

     a. Make the following change: insert this line at the top of the file.

         <!--ERRORPAGE-->

     b. Optionally, add the following explanation.

        <p><b>OR A system error has occurred, and has been logged to the server. </b></p>

       This line goes below the section that reads:

        <p>The page you were trying to reference is no longer available.  Click the "Ok" button
        below to go to the homepage.
           </p>

     This change ensures that AJAX callbacks work correctly when an error occurs.

2. Edit the main site Web.config file, located in the root directory of the Project Insight installation.

Change this section from:

<customErrors mode="RemoteOnly">
   <error statusCode="500" redirect="~/Site/Errors/500.aspx"/>
   <!-- Programming issue -->
   <error statusCode="404" redirect="~/Site/Errors/404.aspx"/>
   <!-- File not found -->
   <error statusCode="403" redirect="~/Site/Errors/PermissionError.aspx"/>
   <!-- No Access Error -->
</customErrors>

To this:

<customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/Site/Errors/404.aspx">
      <error statusCode="500" redirect="~/Site/Errors/404.aspx" />
      <!-- Programming issue -->
      <error statusCode="404" redirect="~/Site/Errors/404.aspx" />
      <!-- File not found -->
      <error statusCode="403" redirect="~/Site/Errors/404.aspx" />
      <!-- No Access Error -->
</customErrors>

3. Edit the Web.config file located at <Project Insight Installed Root>\M\web.config.

Change this section from:

<customErrors mode="Off">
   <error statusCode="500" redirect="~/M/Errors/500.aspx" />
   <!-- Programming issue -->
   <error statusCode="404" redirect="~/M/Errors/404.aspx" />
   <!-- File not found -->
   <error statusCode="403" redirect="~/M/Errors/PermissionError.aspx" />
   <!-- No Access Error -->
</customErrors>

To this:

<customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/M/Errors/404.aspx">
   <error statusCode="500" redirect="~/M/Errors/404.aspx" />
   <!-- Programming issue -->
   <error statusCode="404" redirect="~/M/Errors/404.aspx" />
   <!-- File not found -->
   <error statusCode="403" redirect="~/M/Errors/404.aspx" />
   <!-- No Access Error -->
</customErrors>
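After applying steps 1 to 3, it is worth confirming that each web.config and the 404.aspx page really carry the settings the notice asks for, since a partially applied change (for example, one <error> entry still pointing at its old page, or the marker placed somewhere other than the first line) silently leaves the site in the original state. The Python script below is an added example, not part of this notice or of the Project Insight software: it parses a web.config (or a bare <customErrors> fragment) and a 404.aspx and lists every deviation from the configuration shown above. The embedded sample sections are copied from the "from" and "to" blocks of steps 2 and 3; the function names and the expected-page argument are this example's own.

```python
"""Audit the customErrors mitigation described in this notice.

Added example, not Project Insight's own tooling. check_custom_errors()
reports every way a <customErrors> section differs from the "To this"
blocks above; check_error_page() confirms step 1's marker is first in
404.aspx. Only the first <customErrors> section in a file is examined.
"""
import xml.etree.ElementTree as ET

ERRORPAGE_MARKER = "<!--ERRORPAGE-->"

# Sample sections copied from the notice ("from" / "to" blocks of steps 2 and 3).
SITE_BEFORE = """<customErrors mode="RemoteOnly">
   <error statusCode="500" redirect="~/Site/Errors/500.aspx"/>
   <error statusCode="404" redirect="~/Site/Errors/404.aspx"/>
   <error statusCode="403" redirect="~/Site/Errors/PermissionError.aspx"/>
</customErrors>"""
SITE_AFTER = """<customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/Site/Errors/404.aspx">
   <error statusCode="500" redirect="~/Site/Errors/404.aspx" />
   <error statusCode="404" redirect="~/Site/Errors/404.aspx" />
   <error statusCode="403" redirect="~/Site/Errors/404.aspx" />
</customErrors>"""
M_BEFORE = """<customErrors mode="Off">
   <error statusCode="500" redirect="~/M/Errors/500.aspx" />
   <error statusCode="404" redirect="~/M/Errors/404.aspx" />
   <error statusCode="403" redirect="~/M/Errors/PermissionError.aspx" />
</customErrors>"""


def check_custom_errors(config_xml, expected_page):
    """Return a list of findings; an empty list means the section matches the notice."""
    root = ET.fromstring(config_xml)
    # Accept either a complete web.config or the <customErrors> element on its own.
    node = root if root.tag == "customErrors" else root.find(".//customErrors")
    if node is None:
        return ["no <customErrors> section found"]
    findings = []
    if node.get("mode", "").lower() == "off":
        findings.append('mode="Off": detailed ASP.NET error pages are shown to every client')
    if node.get("redirectMode") != "ResponseRewrite":
        findings.append('redirectMode is not "ResponseRewrite": errors would be answered with a redirect')
    if node.get("defaultRedirect") != expected_page:
        findings.append("defaultRedirect is %r, expected %r"
                        % (node.get("defaultRedirect"), expected_page))
    # Every status code must land on the same page, as in the "To this" blocks.
    for err in node.findall("error"):
        if err.get("redirect") != expected_page:
            findings.append("statusCode %s redirects to %r, expected %r"
                            % (err.get("statusCode"), err.get("redirect"), expected_page))
    return findings


def check_error_page(page_source):
    """Step 1 requires the marker to be the first line of 404.aspx."""
    if page_source.lstrip().startswith(ERRORPAGE_MARKER):
        return []
    return ["404.aspx does not begin with " + ERRORPAGE_MARKER]


def audit(config_xml, page_source, expected_page):
    """Run both checks for one web.config / 404.aspx pair."""
    return check_custom_errors(config_xml, expected_page) + check_error_page(page_source)


if __name__ == "__main__":
    # On a real installation, read the two files from the paths given in the steps above, e.g.:
    #   audit(open(site_root + r"\Web.config").read(),
    #         open(site_root + r"\Site\Errors\404.aspx").read(), "~/Site/Errors/404.aspx")
    for label, xml, page in (("Site web.config before", SITE_BEFORE, "~/Site/Errors/404.aspx"),
                             ("Site web.config after", SITE_AFTER, "~/Site/Errors/404.aspx"),
                             ("M web.config before", M_BEFORE, "~/M/Errors/404.aspx")):
        print(label, "->", check_custom_errors(xml, page) or "OK")
```

Run it against each of the two web.config files with the matching expected page ("~/Site/Errors/404.aspx" for the site root, "~/M/Errors/404.aspx" for the M directory); an empty result for both files and for the 404.aspx check means the three steps are in place exactly as written.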
