Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

judy at Web2Market  
#1 Posted : Monday, August 19, 2024 11:05:48 AM(UTC)

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 305

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
We have had two sites report this now.
Add //z--><qss> to the URL on a site and it throws a runtime error:
Server Error in '/' Application.
Runtime Error
Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.
(This is with CustomErrors On)

With CustomErrors off, it is
Server Error in '/' Application.
A potentially dangerous Request.Path value was detected from the client (>).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (>).

Source Error:

This is causing PCI compliance to fail. I know it is a default IIS message, but scans are saying it discloses too much info. I had researched it the first time it came up and couldn't find where I could change the error message in IIS.
The only thing I could think of was to change the custom error pages to plain .html and see if that helps.
Any ideas? You will probably be seeing more sites report this.

Katie S  
#2 Posted : Monday, August 19, 2024 12:25:46 PM(UTC)

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 479

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Which versions are these sites running?

We made a change in the web.config for PCI compliance in 9.0.10.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
judy at Web2Market  
#3 Posted : Tuesday, August 20, 2024 7:17:36 AM(UTC)
Sites are Gold, but I tested it on an AC9 older than 9.10
Here is the first report I had seen of it, then it started happening on our sites:
https://www.ablecommerce...ling-PCI-Compliance-Test
What change in the web.config prevents this? I don't have a 9.10 site to test on.
I see three changes and if I remember correctly, I think you had to remove the nosniff? I don't think any of these changes would have fixed the issue?
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN"/>
<add name="Strict-Transport-Security" value="max-age=31536000;includeSubDomains;preload" />
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
judy at Web2Market  
#4 Posted : Tuesday, August 20, 2024 8:38:27 AM(UTC)
On one site, I made a change to the global.asax to get around this particular error handling.
I changed
if (((HttpException)exception).Message.StartsWith("A potentially dangerous"))
return;

to
if (((HttpException)exception).Message.StartsWith("A potentially dangerous"))
Response.Redirect([enter site home page url]);
dtooker20102643  
#5 Posted : Wednesday, March 5, 2025 11:16:05 AM(UTC)

Rank: Newbie

Groups: Developers
Joined: 4/24/2019(UTC)
Posts: 7

I'm now seeing this same problem- we recently upgraded to 9.0.10.

Posting a request to the site with [site url]//z--><qss> results in a "Server Error in '/' Application" page. I tried modifying the Global.asax as mentioned up thread, but saw no change.

Any update on this issue?

The PCI scanner is pciapply.com.

Katie S  
#6 Posted : Wednesday, March 5, 2025 1:35:37 PM(UTC)
Hi,

I've requested a hot patch for this issue. Hopefully, I can get it by the end of this week.

Katie S  
#7 Posted : Friday, March 7, 2025 3:49:58 PM(UTC)
Hi,

I have a hot patch for this issue. Please make a backup before deployment.

Changes are in two files:

\Website\Global.asax.cs
\Website\Controllers\ErrorsController.cs

If you use Visual Studio, and can recompile the code, then use these two modified files in the attachment.

Otherwise, if there are no custom changes to your site, you can place the new "AbleCommerce.dll" into the \bin\ folder.

For reference:

AC9-2272 Custom 404 page does not render correctly due to new (no-sniff) code added in web.config
AC9-2314 Runtime error when invalid characters are part of the URL needs to display custom 500 error page

Please report back if you have time and let us know if this fixes the issue.

AbleCommerce-9.0.10-patch-errors.zip (880kb) downloaded 2 time(s).
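For readers on Gold or an AbleCommerce 9 build that cannot take the hot patch, here is how a Global.asax.cs Application_Error handler can intercept the request-path validation exception (the one quoted in posts #1 and #4) and answer with a generic page instead of the default ASP.NET "Server Error in '/' Application" screen. This is an added example written for this page; it is not AbleCommerce's code and not the contents of the hot patch above, which also touched ErrorsController.cs and is not reproduced here. The namespace ExampleSite, the constant GenericErrorHtml and the helper IsRequestValidationFailure are assumptions; the message prefix "A potentially dangerous" is the one the thread itself matches on.

```csharp
using System;
using System.Web;

namespace ExampleSite // assumed namespace; not AbleCommerce's
{
    // Global.asax code-behind. Only Application_Error is shown; other events are omitted.
    public class Global : HttpApplication
    {
        // Generic body: no exception type, message, stack trace or framework version,
        // which is exactly the information the PCI scanner objected to.
        private const string GenericErrorHtml =
            "<!DOCTYPE html><html><head><title>Error</title></head>" +
            "<body><h1>Sorry, something went wrong.</h1>" +
            "<p>The request could not be processed.</p></body></html>";

        protected void Application_Error(object sender, EventArgs e)
        {
            Exception ex = Server.GetLastError();
            if (ex == null || !IsRequestValidationFailure(ex.GetBaseException()))
            {
                return; // leave every other exception to the site's existing error handling
            }

            // Discard the pending default error page and replace it with our own.
            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 400;                // the request, not the server, is at fault
            Response.TrySkipIisCustomErrors = true;   // stop IIS substituting its own 400 page
            Response.ContentType = "text/html";
            Response.Write(GenericErrorHtml);
            CompleteRequest();                        // jump to EndRequest; no custom error page
                                                      // is executed, so it cannot fault a second time
        }

        // True for the exceptions ASP.NET request validation raises:
        //  - HttpRequestValidationException for Form, QueryString and Cookies, and
        //  - a plain HttpException whose message starts "A potentially dangerous Request.Path
        //    value..." when the path contains a character listed in
        //    httpRuntime requestPathInvalidCharacters (the ASP.NET default is "<,>,*,%,&,:,\,?",
        //    which is why the "<" and ">" in //z--><qss> trip it).
        internal static bool IsRequestValidationFailure(Exception ex)
        {
            if (ex is HttpRequestValidationException)
            {
                return true;
            }
            var httpEx = ex as HttpException;
            return httpEx != null
                && httpEx.Message.StartsWith("A potentially dangerous", StringComparison.Ordinal);
        }
    }
}
```

After deploying, request the probe path from post #1 against the site and confirm that the body contains none of the default-page markers ("Server Error in '/' Application", "Exception Details", "Stack Trace"); the status code can stay 400, since the scan finding is about what the body discloses, not the code. The handler deliberately writes the page itself rather than redirecting or transferring to an error route, because the original request path is still the invalid one, which is the situation in which the thread saw the custom error page fail as well.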
dtooker20102643  
#8 Posted : Friday, March 7, 2025 4:18:12 PM(UTC)

Thanks, I'm now getting the expected 500 error page.

We have a lot of customizations in the Admin section, so I had to use the cs files and recompile, but this fix seems to have worked.

I'm going to try a re-scan, which will take a couple of days to complete. I'll report back what the result is.

Thanks again
dtooker20102643  
#9 Posted : Tuesday, March 11, 2025 9:49:28 AM(UTC)

As of today, site is now passing PCI compliance.

Thanks again for the assist.
Katie S  
#10 Posted : Tuesday, March 11, 2025 11:02:50 AM(UTC)
Great! Thanks for letting us know.