
Server error response vulnerability - HTTP 500

by bryian 27. February 2011 19:34

Tags: Server error response vulnerability | HTTP 500 - Internal Server Error | Classic ASP - Internal Server Error

Several weeks ago one of my legacy web applications, written in Classic ASP, underwent a security scan/evaluation. The report indicated that the application contains a server error response vulnerability. I had already configured IIS to redirect the HTTP 500 - Internal Server Error to a custom error page, so users were seeing the custom error page instead of the error details. So, what were we missing here? We started to debug the application using Fiddler and found that the application was returning status code 500 instead of 200.

Figure 1: Status code 500

The report indicates that this exposure allows an attacker to distinguish between valid and invalid request attempts: the generic page hides the details, but the 500 status line still tells the client that the request reached server-side code and failed, which is enough to probe for script names and parameter handling without ever seeing an error message. After spending some time researching the solution, I found the article "How Web site administrators can troubleshoot an "HTTP 500 - Internal Server Error" error message on IIS 4.0 or on IIS 5.0". The solution is to add the following lines at the top of the custom error page.

Listing 1:

<%
Response.Clear()            ' discard any buffered output (requires Response.Buffer = True)
Response.Status = "200 OK"  ' override the 500 status line the server would otherwise send
%>

The first line erases any buffered HTML output, so the custom page is sent clean rather than appended to whatever the failing script had already written; note that Response.Clear raises a run-time error unless Response.Buffer is True, which is the default on IIS 5.0 and later. The second line replaces the status line the server would otherwise send, so the client receives 200 OK with the generic page instead of the 500 that told it the request had failed. Two caveats: the error details still need to go somewhere an administrator can read them (the IIS log or an event log entry), because the status code no longer signals the failure, and monitoring tools or crawlers that key on the status code will now treat the error page as a normal page. Load the page that throws the HTTP 500 - Internal Server Error again, and you should see a result similar to figure 2.

Figure 2: Status code 200 after the fix

If your website is being audited and you come across this sort of situation, this could be one of the solutions. Hope someone will find this information useful.
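A quick way to confirm the fix, and to catch the other things a scanner keys on, is to audit the raw responses rather than eyeball them in Fiddler. The script below is an added example for this post, not code from the original. The three responses it checks are constructed, not captured: they mimic an IIS 5 site before and after the Response.Status change, plus an unhandled Classic ASP error. The body patterns it looks for are assumptions about what a leaking error page contains, not an exhaustive list. The same check applies to the 404 in the next post, whose Listing 2 also carries a versioned Server header.

```python
"""Audit raw HTTP responses for the leaks a security scanner flags on error pages.

Added example for this post, not code from the original. The sample responses
below are constructed, not captured, and mimic an IIS 5 site before and after
the Response.Status fix plus an unhandled Classic ASP error.
"""
import re

# Assumed body signatures of a server-side error leaking into the page.
DETAIL_PATTERNS = [
    re.compile(r"Microsoft VBScript (?:runtime|compilation) error", re.I),
    re.compile(r"\bASP 0\d{3}\b"),                    # Classic ASP error codes, e.g. ASP 0115
    re.compile(r"error '800[0-9a-f]{5}'", re.I),      # COM HRESULT, e.g. error '80004005'
    re.compile(r"Stack Trace:", re.I),                # ASP.NET detailed error page
    re.compile(r"The page cannot be found", re.I),    # stock IIS 404 page
]


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased; the status code is taken from the status line.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def audit_error_response(raw):
    """Return the findings for one response; an empty list means it looks clean.

    Three things are checked: a 4xx/5xx status (the signal the scan in this post
    complained about), a Server header that includes a version number, and
    error text in the body.
    """
    status, headers, body = parse_response(raw)
    findings = []
    if status >= 400:
        findings.append("status-leak: %d tells the client the request failed" % status)
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append("banner: Server header reveals a version (%s)" % server)
    for pattern in DETAIL_PATTERNS:
        if pattern.search(body):
            findings.append("detail: body matches %r" % pattern.pattern)
    return findings


# Constructed samples (not real captures).
GENERIC_BODY = "<html><body>Sorry, something went wrong.</body></html>"

BEFORE_FIX = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/5.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n" + GENERIC_BODY
)

AFTER_FIX = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS\r\n"          # version stripped, e.g. by URLScan's RemoveServerHeader
    "Content-Type: text/html\r\n"
    "\r\n" + GENERIC_BODY
)

UNHANDLED_ASP_ERROR = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Microsoft-IIS/5.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<font face=\"Arial\" size=2><p>Microsoft VBScript runtime error '800a01a8'</p>"
    "Object required: 'objConn'<p>/orders/list.asp, line 42</p></font>"
)


def audit_all():
    """Run the audit over the samples, keyed by name."""
    samples = {"before fix": BEFORE_FIX, "after fix": AFTER_FIX,
               "unhandled ASP error": UNHANDLED_ASP_ERROR}
    return {name: audit_error_response(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print("%-20s %s" % (name, findings or ["clean"]))
```

To use it against a live site, paste the raw response from Fiddler's Raw tab into a string and call audit_error_response on it; anything returned is something the next scan is likely to flag.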

References:
http://support.microsoft.com/kb/311766


HTTP Error 404 in ASP.NET web application

by bryian 18. January 2011 17:58

Tags: Getting a 404 error in asp.net web application | ASP.NET 404 error | HTTP Error 404 | HTTP Error 404 in ASP.NET web application | Server Error Response vulnerabilities

One of my web applications went through some sort of security scan and came back with "Server error response vulnerabilities". I checked the web.config file and confirmed that the following line exists.

Listing 1

	<customErrors mode="On" defaultRedirect="~/error.aspx" />

When I navigate to "http://localhost/pagenotfound.aspx", I see the custom error page as expected. But when I navigate to "http://localhost/pagenotfound.haha", I see the following response headers through Fiddler.

Listing 2

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.1
Date: Tue, 18 Jan 2011 03:42:36 GMT
Connection: close
Content-Type: text/html
Content-Length: 108

The reason is that customErrors lives in the ASP.NET pipeline, and on IIS 5.1 and 6.0 a request only reaches ASP.NET when its extension is mapped to the ASP.NET ISAPI (.aspx, .asmx, .ashx and so on). A request for an unmapped extension such as .haha is handled by IIS itself, which answers with its own 404 page and, as Listing 2 shows, a Server header that names the IIS version. According to the scan report, it is best practice not to reveal the exact error message, or any hint, to an attacker but to display a generic error page, so the 404 mapping has to be configured in IIS as well. Here are the steps to implement it. If you have IIS 6.0:

1. Right click the website, select Properties
2. Click on the Custom Errors tab
3. Scroll down the list and look for the HTTP Error 404, see figure 1
4. Double click the HTTP Error 404 and you should see a popup window like the one in figure 2.
5. Select URL from the Message Type, and type in the URL to the generic error message page.

Figure 1: Website properties

Figure 2: Error mapping properties

Now, navigate to "http://localhost/pagenotfound.haha" and you should see the custom error page instead of page not found error.

If you have IIS 7/7.5:
1. Click on Error Pages under the IIS section, see figure 3
2. Click on Edit Feature Settings…
3. In the window shown in figure 4, select "Custom error pages" so that remote clients never receive IIS's detailed error, then edit the 404 entry in the Error Pages list so it points at the generic error page.

Figure 3: IIS

Figure 4: Edit error page settings

If you don't have access to IIS, or your web application is hosted by a hosting company, contact them and ask them to enable Remote IIS Manager for your domain.

To download and install the IIS 7.0 Manager, use one of the following links:
For X86 processor systems: http://iis.net/downloads/default.aspx?tabid=34&g=6&i=1626
For X64 processor systems: http://iis.net/downloads/default.aspx?tabid=34&g=6&i=1633

Once you have it installed, click File and then Connect to a Site… You should see a window similar to figure 5. Enter the server name or URL (yourdomain.com) and give your site a name (my new domain).

Figure 5: Connect to site
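For IIS 7/7.5 the same 404 mapping can be written into web.config instead of clicked through IIS Manager, which also makes it survive a redeploy. The fragment below is an added example, not from the original post. It assumes the site runs in the integrated pipeline, that /error.aspx is the generic page from Listing 1, and that the httpErrors section is not locked at the server level (shared hosts often lock it; if so, the Remote IIS Manager route above is the way in). The customErrors half is the setting the post already has and only covers requests ASP.NET handles; the httpErrors half is what catches the .haha request.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- ASP.NET only sees requests mapped to its handlers (.aspx, .asmx, ...),
         so this covers /pagenotfound.aspx but not /pagenotfound.haha. -->
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/error.aspx" />
    </customErrors>
  </system.web>
  <system.webServer>
    <!-- IIS 7 integrated mode: applies to every request the site receives,
         including extensions no ASP.NET handler owns. errorMode="Custom"
         means remote and local clients both get the generic page. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="/error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
```

With responseMode="ExecuteURL" the response keeps its 404 status while the body comes from the generic page, which is the right behaviour for a missing resource; the status-code masking from the HTTP 500 post above is a separate decision and would have to be done inside error.aspx itself.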

Crystal Report Error returned from Windows Sockets API

by bryian 29. September 2010 17:41

Tags: Error returned from Windows Sockets API | : 0.clientdoc.dll COMMON GENERATE ERROR! | Could not open the report file (abc.rpt);

Problem

A couple of days ago, one of the web applications threw the following error while generating a report:

Failed to connect to server "xyzserver". Error returned from Windows Sockets
API : 0.clientdoc.dll COMMON GENERATE ERROR!:
Could not open the report file (abc.rpt); The report path is c:\myreport\abc.rpt

After some research, I found out that the Crystal Report Application Server service was not running. Apparently the application server had been restarted and the service's startup type was set to "Manual". To remedy this problem:

1) Go to Start, Control Panel, Administrative Tools, Services
2) Right-click the "Crystal Report Application Server" service
3) Change the startup type to "Automatic"
4) Click the Start button and hit OK to close the dialog box.

By the way, I'm using Crystal Report v10.



Documentum Set ACL using DQL

by bryian 14. September 2010 04:43

Tags: Documentum - Set ACL using DQL | Permission Sets (ACL) | Error occurred during query execution :[DM_QUERY_F_UP_SAVE]

Problem

I was trying to use a DQL statement to create a folder and set its ACL attribute. The following is the query.

CREATE dm_folder OBJECT SET object_name = 'testFolder' SET acl_name = 'MyACL' LINK '/MyFolder'


And I kept getting the error shown below.

Error occurred during query execution :[DM_QUERY_F_UP_SAVE] fatal: "UPDATE: An error has occurred during a save operation."


After spending some time researching it, I found out that the 'MyACL' name needs to exist in the Permission Sets before I can execute the above query. So, the next time you run into this error message while trying to update acl_name, make sure the ACL already exists in the Permission Sets (the dm_acl objects). An ACL is identified by its name together with its owner (dm_acl.owner_name), and the matching attributes on the folder are acl_name and acl_domain, so if the permission set is not owned by the user running the query, set acl_domain as well rather than relying on the default.
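The sequence below is an added example, not from the original post: it checks that the permission set exists before trying to attach it, then creates the folder with both halves of the ACL identity set, and finally reads back what the new folder got. It assumes the folder and ACL names from the post and that 'MyACL' is a public permission set owned by the repository owner 'dm_dbo' (substitute the owner_name the first query returns). The -- annotations are for the reader; DQL has no comment syntax, so remove them before running the statements in IDQL or Documentum Administrator.

```sql
-- 1. Confirm the permission set exists and learn its owner; the owner_name
--    is the value that belongs in acl_domain on the folder.
SELECT r_object_id, object_name, owner_name
FROM dm_acl
WHERE object_name = 'MyACL';

-- 2. Create the folder with the full ACL identity. If step 1 returned no
--    rows this is where DM_QUERY_F_UP_SAVE comes from: the save fails
--    because the server cannot resolve acl_name/acl_domain to a dm_acl.
CREATE dm_folder OBJECT
SET object_name = 'testFolder'
SET acl_name    = 'MyACL'
SET acl_domain  = 'dm_dbo'
LINK '/MyFolder';

-- 3. Verify the folder carries the intended permission set.
SELECT object_name, acl_name, acl_domain
FROM dm_folder
WHERE FOLDER('/MyFolder') AND object_name = 'testFolder';
```

Running the SELECT first turns a cryptic save failure into an explicit "no such ACL" check, and setting acl_domain explicitly avoids attaching a same-named private ACL belonging to whoever happens to run the query.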