AppScan issues: Physical path disclosure and hidden directory detection
When a user runs Taskmaster Web (tmWeb .Net) from the same machine on which it is installed, an HTTP 403 or 404 error response discloses the complete physical path of the error page or the presence of hidden directories.
Symptoms
Example: Consider that Taskmaster Web (tmWeb.Net) is installed on machine 1. Its web.config file contains a <customErrors> tag with a "mode" attribute. This attribute can have three values:
- off
- on
- remoteonly
If the mode attribute is set to remoteonly:
- Remote user A, browsing from another machine, sees a user-defined error message, without any physical path disclosure.
- User B, who runs Taskmaster Web on machine 1 itself, is redirected to a technical error page that displays the complete physical path.
If the mode attribute is set to on:
- Both users A and B are redirected to an error page that shows a user-defined error message, without any physical path disclosure.
If the mode attribute is set to off:
- Both users A and B are redirected to the default technical error page of ASP.NET, which discloses the physical path.
Resolving the problem
User response:
Important: To avoid displaying the technical error page with the physical path and hidden directories, it is recommended as a best practice that no user runs Taskmaster Web (tmWeb .Net) on the machine where it is installed.
To fix this issue, complete the following steps:
- On the machine where Taskmaster Web (tmWeb .Net) is installed, open the web.config file, located in the directory C:\Datacap\tmweb.net.
- To fix Error Page Path Disclosure:
- Under the <system.webServer> node, add the following code snippet:
  <system.webServer>
    <!-- .... existing content .... -->
    <httpErrors errorMode="Custom">
      <remove statusCode="404" />
      <error statusCode="404" path="/error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
- Under the <system.web> node, add the following code snippet:
  <system.web>
    <!-- .... existing content .... -->
    <customErrors mode="On" defaultRedirect="~/error.aspx"/>
  </system.web>
- To fix Hidden Directory Detection:
- Under the <system.webServer> node, add the following code snippet:
  <system.webServer>
    <httpErrors errorMode="Custom">
      <error statusCode="403" subStatusCode="14" path="/error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
- After updating the web.config file, it is recommended to restart the Internet Information Server (IIS) web server.
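The following script is an added example for checking the result of the steps above; it is not IBM or Datacap code and not part of this technote. It parses a web.config, encodes the three customErrors mode behaviours from the Symptoms section (on, off, remoteonly, for a remote browser and for a browser on the server itself), and reports whether the custom 404 and 403.14 pages from the httpErrors steps are present. It assumes the standard ASP.NET layout of <configuration><system.web><customErrors> and <configuration><system.webServer><httpErrors>, and the documented defaults of customErrors mode RemoteOnly, httpErrors errorMode DetailedLocalOnly and subStatusCode -1 meaning any sub-status. Both sample web.config files are constructed for the example.

```python
"""Audit an ASP.NET web.config for the two error-page settings this technote changes.

Added example; not IBM Datacap / Taskmaster Web code. Assumes the standard
ASP.NET layout and defaults: customErrors mode RemoteOnly when absent,
httpErrors errorMode DetailedLocalOnly when absent, subStatusCode -1 = any.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a web.config before the fix (RemoteOnly, no httpErrors mappings).
WEB_CONFIG_BEFORE = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
"""

# Constructed sample: the same file after applying the steps in this technote.
WEB_CONFIG_AFTER = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <httpErrors errorMode="Custom">
      <remove statusCode="404" />
      <error statusCode="404" path="/error.aspx" responseMode="ExecuteURL" />
      <error statusCode="403" subStatusCode="14" path="/error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
"""


def discloses_physical_path(mode: str, local_request: bool) -> bool:
    """Whether a failing request gets the technical ASP.NET error page.

    Encodes the three cases from the Symptoms section: On never, Off always,
    RemoteOnly only for a browser running on the server itself.
    """
    m = mode.strip().lower()
    if m == "on":
        return False
    if m == "off":
        return True
    if m == "remoteonly":
        return local_request
    raise ValueError(f"unknown customErrors mode: {mode!r}")


def custom_errors_mode(root: ET.Element) -> str:
    node = root.find("./system.web/customErrors")
    if node is None:
        return "RemoteOnly"  # ASP.NET default when the element is absent
    return node.get("mode", "RemoteOnly")


def http_error_mappings(root: ET.Element) -> dict:
    """Map (statusCode, subStatusCode) -> path for custom IIS error pages.

    Returns {} unless errorMode="Custom": in DetailedLocalOnly mode IIS still
    serves its detailed page to requests coming from the server itself.
    """
    node = root.find("./system.webServer/httpErrors")
    if node is None or node.get("errorMode", "DetailedLocalOnly") != "Custom":
        return {}
    mappings = {}
    for err in node.findall("error"):
        key = (int(err.get("statusCode")), int(err.get("subStatusCode", "-1")))
        mappings[key] = err.get("path")
    return mappings


def audit(web_config_xml: str) -> dict:
    """Return the effective settings plus a list of findings (empty = hardened)."""
    root = ET.fromstring(web_config_xml)
    mode = custom_errors_mode(root)
    mappings = http_error_mappings(root)
    findings = []
    if discloses_physical_path(mode, local_request=True):
        findings.append(f"customErrors mode={mode}: a user on the server itself sees the technical error page")
    if discloses_physical_path(mode, local_request=False):
        findings.append(f"customErrors mode={mode}: remote users see the technical error page")
    if (404, -1) not in mappings:
        findings.append("httpErrors: no custom page for 404 (error page path disclosure)")
    if (403, 14) not in mappings:
        findings.append("httpErrors: no custom page for 403.14 (hidden directory detection)")
    return {"customErrors_mode": mode, "httpErrors": mappings, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("before", WEB_CONFIG_BEFORE), ("after", WEB_CONFIG_AFTER)):
        result = audit(cfg)
        print(f"{label}: mode={result['customErrors_mode']}, findings={len(result['findings'])}")
        for finding in result["findings"]:
            print("  -", finding)
```

To run it against a real installation, read C:\Datacap\tmweb.net\web.config into a string and pass it to audit(); an empty findings list means both steps of this technote are in place. The script only inspects the file, so the IIS restart recommended above is still needed for a changed web.config to take effect.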