Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 305
Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
|
We have had two sites report this now.
Add //z--><qss> to the url on a site and it throws a runtime error
Server Error in '/' Application.
Runtime Error
Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.
(This is with CustomErrors On)
With CustomErrors off, it is
Server Error in '/' Application.
A potentially dangerous Request.Path value was detected from the client (>).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (>).
Source Error:
This is causing PCI compliance to fail. I know it is a default IIS message, but scans are saying it discloses too much info. I had researched it the first time it came up and couldn't find where I could change the error message in IIS.
The only thing I could think of was to change the customerror pages to plain .html and see if that helps.
Any ideas? You will probably be seeing more sites report this.
|
|
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 475
Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
|
Which versions are these sites running?
We made a change in the web.config for PCI compliance in 9.0.10. |
Thanks for your support!
Katie
Secure eCommerce Software and Hosting |
|
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 305
Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
|
Sites are Gold, but I tested it on an AC9 older than 9.10 Here is the first report I had seen of it, then it started happening on our sites: https://www.ablecommerce...ling-PCI-Compliance-TestWhat change in the web.config prevents this? I don't have a 9.10 site to test on. I see three changes and if I remember correctly, I think you had to remove the nosniff? I don't think any of these changes would have fixed the issue? <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN"/> <add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains;preload" /> <add name="X-Content-Type-Options" value="nosniff" /> </customHeaders>
|
|
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 305
Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
|
On one site, I made a change to the global.asax to get around this particular error handling.
I changed
if (((HttpException)exception).Message.StartsWith("A potentially dangerous"))
return;
to
if (((HttpException)exception).Message.StartsWith("A potentially dangerous"))
Response.Redirect([enter site home page url]);
|
|
|
|
|
|
Forum Jump
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.
Important Information:
The AbleCommerce Forums uses cookies. By continuing to browse this site, you are agreeing to our use of cookies.
More Details
Close
