AppScan issues: Physical path disclosure and hidden directory detection

When a user runs Taskmaster Web (tmWeb .Net) from the same machine on which it is installed, an HTTP 403 or 404 error exposes the complete error page path or hidden directories.

Symptoms

Example: Consider that Taskmaster Web (tmWeb.Net) is installed on machine 1. Its web.config file contains a "mode" attribute in the <customErrors> tag. This attribute can have three values:
  • off
  • on
  • remoteonly
Now consider that user A is accessing Taskmaster Web from a remote machine, and user B is accessing Taskmaster Web from the same machine on which it is hosted, that is, machine 1. While navigating Taskmaster Web, a page returns error 403 or error 404.
If the mode property is set to remoteonly:
  • The remote user A will see a user-defined error message, without any physical path disclosure.
  • The local user B, however, will be redirected to a technical error page that displays the complete physical path.
If the mode property is set to on:
  • Both users A and B will be redirected to an error page that shows a user-defined error message, without any physical path disclosure.
If the mode property is set to off:
  • Both users A and B will be redirected to the default technical error page of ASP.NET, which discloses the physical path.

Resolving the problem

User response:
Important: To avoid displaying the technical error page with the physical path and hidden directories, it is recommended as a best practice that no user runs Taskmaster Web (tmWeb .Net) on the same machine where it is installed.
To fix this issue, complete the following steps:
  1. On the machine where Taskmaster Web (tmWeb .Net) is installed, open the web.config file, located in the directory C:\Datacap\tmweb.net.
  2. To fix Error Page Path Disclosure:
    1. Under the <system.webServer> node, add the code snippet shown below:
      <system.webServer>
        ...
        <httpErrors errorMode="Custom">
          <remove statusCode="404" />
          <error statusCode="404" path="/error.aspx" responseMode="ExecuteURL" />
        </httpErrors>
      </system.webServer>

    2. Under the <system.web> node, add the code snippet shown below:
      <system.web>
        ...
        <customErrors mode="On" defaultRedirect="~/error.aspx"/>
      </system.web>

  3. To fix Hidden Directory Detection:
    1. Under the <system.webServer> node, add the code snippet shown below:
      <system.webServer>
        <httpErrors errorMode="Custom">
          <error statusCode="403" subStatusCode="14" path="/error.aspx" responseMode="ExecuteURL" />
        </httpErrors>
      </system.webServer>
  4. After updating the web.config file, it is recommended that you restart the Internet Information Server (IIS) web server.
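To verify the edited web.config, or to audit other tmWeb.Net installations, the following Python check is an added example that is not part of this technote: it parses a web.config and flags any setting that still leaves the technical error page reachable. The two sample fragments are constructed for the example; the hardened one keeps both error mappings inside a single <httpErrors> element, since IIS accepts only one httpErrors section per configuration level.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments for this audit (not the product's own files).
WEAK_CONFIG = """<configuration>
  <system.web><customErrors mode="RemoteOnly" /></system.web>
  <system.webServer><httpErrors errorMode="DetailedLocalOnly" /></system.webServer>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web><customErrors mode="On" defaultRedirect="~/error.aspx" /></system.web>
  <system.webServer>
    <httpErrors errorMode="Custom">
      <remove statusCode="404" />
      <error statusCode="404" path="/error.aspx" responseMode="ExecuteURL" />
      <error statusCode="403" subStatusCode="14" path="/error.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>"""


def audit_web_config(xml_text):
    """Check a web.config against the settings this technote asks for.

    Returns a list of finding strings; an empty list means every check passed.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # Managed (ASP.NET) errors: only mode="On" hides the technical page from local users too.
    ce = root.find("./system.web/customErrors")
    mode = ce.get("mode", "") if ce is not None else ""
    if mode.lower() != "on":
        findings.append(f"customErrors mode is '{mode or 'unset'}': local users see physical paths")

    # Native (IIS) errors: errorMode="Custom" plus explicit 404 and 403.14 mappings.
    he = root.find("./system.webServer/httpErrors")
    if he is None or he.get("errorMode", "").lower() != "custom":
        findings.append("httpErrors errorMode is not 'Custom': IIS may serve detailed error pages")
    errors = he.findall("error") if he is not None else []
    mapped = {(e.get("statusCode"), e.get("subStatusCode")) for e in errors}
    if not any(code == "404" for code, _ in mapped):
        findings.append("no custom 404 handler: error page path disclosure")
    if ("403", "14") not in mapped:  # 403.14 is IIS's "directory listing denied"
        findings.append("no custom 403.14 handler: hidden directory detection")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or "OK")
```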