logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
judy at Web2Market  
#1 Posted : Monday, August 19, 2024 11:05:48 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
We have had two sites report this now.
Add //z--><qss> to the url on a site and it throws a runtime error
Server Error in '/' Application.
Runtime Error
Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.
(This is with CustomErrors On)

With CustomErrors off, it is
Server Error in '/' Application.
A potentially dangerous Request.Path value was detected from the client (>).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (>).

Source Error:

This is causing PCI compliance to fail. I know it is a default IIS message, but scans are saying it discloses too much info. I had researched it the first time it came up and couldn't find where I could change the error message in IIS.
The only thing I could think of was to change the customerror pages to plain .html and see if that helps.
Any ideas? You will probably be seeing more sites report this.

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

Katie S  
#2 Posted : Monday, August 19, 2024 12:25:46 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 472

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Which versions are these sites running?

We made a change in the web.config for PCI compliance in 9.0.10.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
judy at Web2Market  
#3 Posted : Tuesday, August 20, 2024 7:17:36 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
Sites are Gold, but I tested it on an AC9 older than 9.10
Here is the first report I had seen of it, then it started happening on our sites:
https://www.ablecommerce...ling-PCI-Compliance-Test
What change in the web.config prevents this? I don't have a 9.10 site to test on.
I see three changes and if I remember correctly, I think you had to remove the nosniff? I don't think any of these changes would have fixed the issue?
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN"/>
<add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains;preload" />
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
judy at Web2Market  
#4 Posted : Tuesday, August 20, 2024 8:38:27 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
On one site, I made a change to the global.asax to get around this particular error handling.
I changed
if (((HttpException)exception).Message.StartsWith("A potentially dangerous"))
return;

to
if (((HttpException)exception).Message.StartsWith("A potentially dangerous"))
Response.Redirect([enter site home page url]);
Users browsing this topic
Guest (3)
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.