Rank: Newbie
Groups: Developers
Joined: 4/24/2019(UTC) Posts: 4
|
Certain malformed URLs cause the cart to produce a white-screen error. Testing site PCIAPPLY.COM sends: or which results in an error outside of the cart try/catch block, seemingly coming from the url parser. This seems to be a new test they are doing. I've tried to remediate using url re-write, but so far no success. I think URL re-write is too clunky a tool for this scenario, especially since the attacking mal-formed url can have so many variations. Any help with a remediation would be appreciated.
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
|
Hi, I'm not sure if this will help, but do you have custom errors turned on? The setting is in the web.config page. <system.web> <customErrors mode="On" defaultRedirect="~/Errors/GeneralError.aspx" redirectMode="ResponseRewrite"> <error statusCode="404" redirect="~/Errors/PageNotFound.aspx"/> </customErrors> If you would like a quote to upgrade your store, please email me directly at katie@ablecommerce.com. Thanks, Katie |
Thanks for your support!
Katie Secure eCommerce Software and Hosting |
|
|
|
Rank: Newbie
Groups: Developers
Joined: 4/24/2019(UTC) Posts: 4
|
Custom error are on. The exception seems to be being thrown before the request gets into the application proper, otherwise, I'd think it would go through normal exception handling.
We are in the process of upgrading to 9, but I'm not ready to roll is out yet, and I have 2 sites with the same problem, and I presume our 3rd cart will start having this issue as soon as the next PCI scan is required.
Using IIS url re-write, I've gotten it to mostly divert to the "Not Found" page, but that isn't placating the PCI scanner (pciapply.com).
I think I'm still at least a couple of weeks out from being able to cut over to AC9. Is there no fix for this at all for Gold?
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
|
Quote:Is there no fix for this at all for Gold? This is the first I've heard of a PCI fail, so as you said, maybe this scan is something new. Unfortunately, we stopped development on that version several years ago. I believe in 2017. |
Thanks for your support!
Katie Secure eCommerce Software and Hosting |
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
|
I could try to test on another Gold site, but when I tried substituting the site url in the following, I get site not found. When I tried z--%3E%3Cqss%3E, I got an error screen based on the GeneralError page. That is what you should see- it means the request didn't succeed and an error has been thrown. If you turn CustomErrors off, you might get a detailed message, but then you are creating a security issue. I don't think the scanner understands errors in .net sites. Seeing the error page means that the hack didn't succeed.
|
|
|
|
Rank: Newbie
Groups: Developers
Joined: 4/24/2019(UTC) Posts: 4
|
Quote:When I tried z--%3E%3Cqss%3E, I got an error screen based on the GeneralError page. That's it exactly. The problem is that the PCI scanner doc says that a verbose error message is now a PCI compliance fail, so while the hack didn't succeed, the site still fails PCI because of the way the error message is presented to the browser. I've been trying to "pre-parse" the request url thru url re-write, but I think that's too blunt an instrument. If I knew where the url parsing was being done in the cart, and I could either wrap it or reflect it, I think I could come up with a way around this- but that's a pretty big compound if.
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
|
Three suggestions, which may or may not work: Error message I am seeing is An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated. 1. See if you can change the default error message in IIS for that type of error- don't know if that is possible. 2. It looks like the GeneralError page is throwing an error, probably because the script is still in the url. Maybe you can strip that before the page loads? 3. Make a plain html error page and change the web.config file to use it? I don't have time to test any of these.
|
|
|
|
Rank: Newbie
Groups: Developers
Joined: 4/24/2019(UTC) Posts: 4
|
Thank you for the suggestions, but I think my only move at this point is to get the upgrade done as quickly as possible, and find out if it still fails PCI compliance.
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
|
I tried /z--%3E%3Cqss%3E on an AC 909 site and got the same error page. I don't think this is an issue with AC, but you wouldn't be able to convince your scanning company of that.
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
|
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
|
I've done more research/experimenting since we have sites experiencing this. I downloaded NOOP commerce and found that their error page is a plain html page so I don't think you would have the issue with it in that case.
|
|
|
|
Forum Jump
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.
Important Information:
The AbleCommerce Forums uses cookies. By continuing to browse this site, you are agreeing to our use of cookies.
More Details
Close