Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 305
Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
|
We have had two sites report this now.
Add //z--><qss> to the url on a site and it throws a runtime error
Server Error in '/' Application.
Runtime Error
Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.
(This is with CustomErrors On)
With CustomErrors off, it is
Server Error in '/' Application.
A potentially dangerous Request.Path value was detected from the client (>).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (>).
Source Error:
This is causing PCI compliance to fail. I know it is a default IIS message, but scans are saying it discloses too much info. I had researched it the first time it came up and couldn't find where I could change the error message in IIS.
The only thing I could think of was to change the customerror pages to plain .html and see if that helps.
Any ideas? You will probably be seeing more sites report this.
|
|
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 479
Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
|
Which versions are these sites running?
We made a change in the web.config for PCI compliance in 9.0.10. |
Thanks for your support!
Katie
Secure eCommerce Software and Hosting |
|
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 305
Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
|
Sites are Gold, but I tested it on an AC9 older than 9.10 Here is the first report I had seen of it, then it started happening on our sites: https://www.ablecommerce...ling-PCI-Compliance-TestWhat change in the web.config prevents this? I don't have a 9.10 site to test on. I see three changes and if I remember correctly, I think you had to remove the nosniff? I don't think any of these changes would have fixed the issue? <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN"/> <add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains;preload" /> <add name="X-Content-Type-Options" value="nosniff" /> </customHeaders>
|
|
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 305
Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
|
On one site, I made a change to the global.asax to get around this particular error handling.
I changed
if (((HttpException)exception).Message.StartsWith("A potentially dangerous"))
return;
to
if (((HttpException)exception).Message.StartsWith("A potentially dangerous"))
Response.Redirect([enter site home page url]);
|
|
|
|
|
|
Rank: Newbie
Groups: Developers
Joined: 4/24/2019(UTC)
Posts: 7
|
I'm now seeing this same problem- we recently upgraded to 9.0.10.
Posting a request to the site with [site url]//z--><qss> results in a "Server Error in '/' Application" page. I tried modifying the Global.asax as mentioned up thread, but saw no change.
Any update on this issue?
The PCI scanner is pciapply.com.
|
|
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 479
Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
|
Hi,
I've requested a hot patch for this issue. Hopefully, I can get it by the end of this week.
|
Thanks for your support!
Katie
Secure eCommerce Software and Hosting |
|
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 479
Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
|
Hi, I have a hot patch for this issue. Please make a backup before deployment. Changes are in two files - \Website\Global.asax.cs and \Website\Controllers\ErrorsController.cs If you use Visual Studio, and can recompile the code, then use these two modified files in the attachment. Otherwise, if there are no custom changes to your site, you can place the new "AbleCommerce.dll" into the \bin\ folder. For reference: AC9-2272 Custom 404 page does not render correctly due to new (no-sniff) code added in web.config AC9-2314 Runtime error when invalid characters are part of the URL needs to display custom 500 error page Please report back if you have time and let us know if this fixes the issue.  AbleCommerce-9.0.10-patch-errors.zip (880kb) downloaded 2 time(s). |
Thanks for your support!
Katie
Secure eCommerce Software and Hosting |
|
|
|
|
|
Rank: Newbie
Groups: Developers
Joined: 4/24/2019(UTC)
Posts: 7
|
Thanks, I'm now getting the expected 500 error page.
We have a lot of customizations in the Admin section, so I had to use the cs files and recompile, but this fix seems to have worked.
I'm going to try a re-scan, which will take a couple of days to complete. I'll report back what the result is.
Thanks again
|
|
|
|
|
|
Rank: Newbie
Groups: Developers
Joined: 4/24/2019(UTC)
Posts: 7
|
As of today, site is now passing PCI compliance.
Thanks again for the assist.
|
|
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 479
Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
|
Great! Thanks for letting us know. |
Thanks for your support!
Katie
Secure eCommerce Software and Hosting |
|
|
|
|
|
Forum Jump
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.
Important Information:
The AbleCommerce Forums uses cookies. By continuing to browse this site, you are agreeing to our use of cookies.
More Details
Close
