Overview
The customer might report the following as a vulnerability:
- ASP.NET tracing is a debugging feature that is designed for use during development to help troubleshoot problems. It discloses sensitive information to users, and, if enabled in production contexts, it may present a serious security threat.
- Application-level tracing enables any user to retrieve full details about recent requests to the application, including those of other users. This information typically includes session tokens and request parameters, which may enable an attacker to compromise other users and even to take control of the entire application.
- Page-level tracing returns the same information but relating only to the current request. This may still contain sensitive data in session and server variables that would be of use to an attacker.
This article provides a resolution for this vulnerability.
Environment
DNN
Requirements
Access to the host server/access to the superuser account.
Resolution
All requests in IIS are handled by modules. The TRACE and OPTIONS verbs are handled by the ProtocolSupportModule, which is not essential: a TRACE response echoes the request back to the client, headers and cookies included, which is what makes the verb useful to an attacker. If the module's handlers are removed, the server no longer answers TRACE, but it also stops answering OPTIONS, which you still want to support. So another module has to be used to answer OPTIONS requests.
Note that this resolution disables the HTTP TRACE verb at the IIS level. ASP.NET's own page-level and application-level tracing (described in the overview) is controlled separately by the <trace> element under <system.web> in web.config; if tracing was enabled there, it must be disabled there as well.
- Back up and then open %SystemRoot%\System32\inetsrv\config\applicationHost.config. On 64-bit Windows use a 64-bit editor: a 32-bit editor is redirected to SysWOW64 and will not find the file.
- Search for OPTIONSVerbHandler and comment out that line and, while you are at it, the one above it (TRACEVerbHandler) as well.
- Now add a new node:
<add name="MyOPTIONSVerbHandler" path="*" verb="OPTIONS" modules="StaticFileModule" requireAccess="None" />
The whole block should look like this:
<!-- <add name="TRACEVerbHandler" path="*" verb="TRACE" modules="ProtocolSupportModule" requireAccess="None" />
<add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="ProtocolSupportModule" requireAccess="None" /> -->
<add name="MyOPTIONSVerbHandler" path="*" verb="OPTIONS" modules="StaticFileModule" requireAccess="None" />
The StaticFileModule now processes OPTIONS requests, but it does not return any content. An OPTIONS request to the server therefore no longer returns an Allow or a Public header. Both can be added as custom headers in web.config (keep in mind that custom headers are sent on every response, not only on OPTIONS):
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Allow" value="GET,POST,HEAD" />
<add name="Public" value="GET,POST,HEAD" />
</customHeaders>
</httpProtocol>
</system.webServer>
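The probe below is an added check written for this article; it is not part of the original resolution and not DNN or IIS code. It sends a TRACE request carrying a random canary header and a constructed cookie and reports whether the server echoes them back, which is exactly what an attacker abuses through the TRACE verb, then sends OPTIONS and reads the Allow header to confirm that verb is still answered after the change. The host name and port are assumptions; run it against the site before and after editing applicationHost.config.

```python
"""Cross-site-tracing probe for the TRACE/OPTIONS change described above.

Added example, not part of the original article. Host, port, the cookie
value and the canary header name are assumptions made for illustration.
"""
import secrets
import socket

CANARY_HEADER = "X-Probe-Canary"


def build_request(method, host, canary):
    """Build a raw HTTP/1.1 request for the given verb.

    A constructed cookie (not a real DNN session token) and a canary header
    are included so that an echo in a TRACE response body is unambiguous.
    """
    lines = [
        f"{method} / HTTP/1.1",
        f"Host: {host}",
        "Cookie: .DOTNETNUKE=sample-session-value",  # constructed sample value
        f"{CANARY_HEADER}: {canary}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body).

    Header names are lower-cased so lookups do not depend on server casing.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_is_enabled(canary, status, body):
    """TRACE is live if the server answered 2xx and reflected the canary."""
    return 200 <= status < 300 and canary.encode("ascii") in body


def options_allow(headers):
    """Return the verbs advertised in the Allow header (empty if absent)."""
    return [v.strip() for v in headers.get("allow", "").split(",") if v.strip()]


def send(host, port, request, timeout=5.0):
    """Send one raw request and read the response until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def probe(host, port=80):
    """Run the TRACE echo check and the OPTIONS check against one server."""
    canary = secrets.token_hex(8)
    t_status, _, t_body = parse_response(send(host, port, build_request("TRACE", host, canary)))
    o_status, o_headers, _ = parse_response(send(host, port, build_request("OPTIONS", host, canary)))
    return {
        "trace_status": t_status,
        "trace_enabled": trace_is_enabled(canary, t_status, t_body),
        "options_status": o_status,
        "allow": options_allow(o_headers),
    }


if __name__ == "__main__":
    # Assumed target; replace with the DNN site's host name.
    print(probe("dnn.example.local", 80))
```

A site still exposing TRACE reports trace_enabled as True; after the handler change it should report False, while the OPTIONS request should still be answered and, once the custom headers are in web.config, list GET, POST and HEAD under allow.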