ASP.NET / IIS Security Vulnerability - No impact on Agile Platform

Hi everyone

Recently Microsoft released a Security Advisory reporting a security vulnerability in ASP.NET. This vulnerability exists in all versions.
More details can be found in the following links:

This vulnerability makes it possible, in affected systems, to request and download protected files (such as web.config) and decrypt data from encrypted ViewState. The vulnerability exists because, in response to specific requests, ASP.NET will return custom error codes, which enable an attacker to gather information allowing them to obtain the remainder of the cipher.

The workaround for this particular problem is to set a default redirect for all custom errors in ASP.NET.

OutSystems Agile Platform already has the suggested workaround applied. By default, all eSpaces have the following content in web.config:

<customErrors mode="RemoteOnly" defaultRedirect="/customHandlers/internalerror.aspx">
   <error statusCode="404" redirect="/customHandlers/notfound.aspx"/>
</customErrors>

This is valid for all currently supported versions (4.2, 5.0, 5.1) and even for some older versions (at least 4.1 and 4.0 have this code built-in). So unless you remove them explicitly (with FactoryConfiguration solution) your eSpaces in IIS should be well protected.

If you have any additional questions you would like to ask regarding this vulnerability and the Agile Platform, feel free to post them here.
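As an added example (not part of the original post or of the Agile Platform itself), a small Python check that parses a web.config and reports whether the workaround described above is still in place: customErrors enabled for remote clients and a defaultRedirect set. The sample configs are constructed; the first one is the Agile Platform default quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Agile Platform default web.config fragment quoted in the post.
AGILE_DEFAULT = """<configuration><system.web>
<customErrors mode="RemoteOnly" defaultRedirect="/customHandlers/internalerror.aspx">
   <error statusCode="404" redirect="/customHandlers/notfound.aspx"/>
</customErrors></system.web></configuration>"""

# Constructed counter-examples: the workaround removed or weakened.
ERRORS_OFF = '<configuration><system.web><customErrors mode="Off"/></system.web></configuration>'
NO_DEFAULT = ('<configuration><system.web><customErrors mode="On">'
              '<error statusCode="404" redirect="/nf.aspx"/></customErrors>'
              '</system.web></configuration>')


def check_custom_errors(web_config_xml: str) -> list:
    """Return a list of findings; an empty list means the workaround is present."""
    findings = []
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/customErrors")
    if node is None:
        return ["no <customErrors> element: ASP.NET will emit its default error pages"]
    # A missing mode attribute is treated conservatively and flagged as well.
    mode = node.get("mode", "")
    if mode not in ("On", "RemoteOnly"):
        findings.append(f'customErrors mode="{mode}" leaves detailed errors visible to remote clients')
    if not node.get("defaultRedirect"):
        findings.append("customErrors has no defaultRedirect, so error conditions remain distinguishable")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", AGILE_DEFAULT), ("off", ERRORS_OFF), ("no-default", NO_DEFAULT)):
        print(name, check_custom_errors(cfg) or "OK")
```

To check a deployed eSpace, read its web.config from disk and pass the contents to check_custom_errors.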

Hi All

One final note on this subject.

If you enable the Remote Stack Display setting in your eSpace detail's Operation settings, you might be affected by this security vulnerability, because it will show the full error dump and content to users accessing the web pages remotely.

As long as you keep this setting unchecked (which is the default value on Agile Platform), it shouldn't be a problem.

Remote Stack Display setting

Cheers

Miguel Simões João