logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

Options
Go to last post Go to first unread
dtooker20102643  
#1 Posted : Monday, July 8, 2024 12:06:14 PM(UTC)
dtooker20102643

Rank: Newbie

Groups: Developers
Joined: 4/24/2019(UTC)
Posts: 4

Certain malformed URLs cause the cart to produce a white-screen error.

Testing site PCIAPPLY.COM sends:


or



which results in an error outside of the cart try/catch block, seemingly coming from the url parser. This seems to be a new test they are doing. I've tried to remediate using url re-write, but so far no success. I think URL re-write is too clunky a tool for this scenario, especially since the attacking mal-formed url can have so many variations.

Any help with a remediation would be appreciated.

Wanna join the discussion?! Login to your AbleCommerce Forums forum account. New Registrations are disabled.

Katie S  
#2 Posted : Tuesday, July 9, 2024 1:54:52 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 472

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi,

I'm not sure if this will help, but do you have custom errors turned on? The setting is in the web.config page.

<system.web>
<customErrors mode="On" defaultRedirect="~/Errors/GeneralError.aspx" redirectMode="ResponseRewrite">
<error statusCode="404" redirect="~/Errors/PageNotFound.aspx"/>
</customErrors>

If you would like a quote to upgrade your store, please email me directly at katie@ablecommerce.com.

Thanks,
Katie
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
dtooker20102643  
#3 Posted : Tuesday, July 9, 2024 3:07:05 PM(UTC)
dtooker20102643

Rank: Newbie

Groups: Developers
Joined: 4/24/2019(UTC)
Posts: 4

Custom error are on. The exception seems to be being thrown before the request gets into the application proper, otherwise, I'd think it would go through normal exception handling.

We are in the process of upgrading to 9, but I'm not ready to roll is out yet, and I have 2 sites with the same problem, and I presume our 3rd cart will start having this issue as soon as the next PCI scan is required.

Using IIS url re-write, I've gotten it to mostly divert to the "Not Found" page, but that isn't placating the PCI scanner (pciapply.com).

I think I'm still at least a couple of weeks out from being able to cut over to AC9. Is there no fix for this at all for Gold?
Katie S  
#4 Posted : Tuesday, July 9, 2024 3:36:48 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 472

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Quote:
Is there no fix for this at all for Gold?


This is the first I've heard of a PCI fail, so as you said, maybe this scan is something new.

Unfortunately, we stopped development on that version several years ago. I believe in 2017.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
judy at Web2Market  
#5 Posted : Wednesday, July 10, 2024 7:36:58 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
I could try to test on another Gold site, but when I tried substituting the site url in the following, I get site not found.
When I tried z--%3E%3Cqss%3E, I got an error screen based on the GeneralError page. That is what you should see- it means the request didn't succeed and an error has been thrown.
If you turn CustomErrors off, you might get a detailed message, but then you are creating a security issue.
I don't think the scanner understands errors in .net sites. Seeing the error page means that the hack didn't succeed.

dtooker20102643  
#6 Posted : Wednesday, July 10, 2024 11:21:23 AM(UTC)
dtooker20102643

Rank: Newbie

Groups: Developers
Joined: 4/24/2019(UTC)
Posts: 4

Quote:
When I tried z--%3E%3Cqss%3E, I got an error screen based on the GeneralError page.

That's it exactly.

The problem is that the PCI scanner doc says that a verbose error message is now a PCI compliance fail, so while the hack didn't succeed, the site still fails PCI because of the way the error message is presented to the browser.

I've been trying to "pre-parse" the request url thru url re-write, but I think that's too blunt an instrument.

If I knew where the url parsing was being done in the cart, and I could either wrap it or reflect it, I think I could come up with a way around this- but that's a pretty big compound if.
judy at Web2Market  
#7 Posted : Thursday, July 11, 2024 7:02:49 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
Three suggestions, which may or may not work:
Error message I am seeing is
An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated.
1. See if you can change the default error message in IIS for that type of error- don't know if that is possible.
2. It looks like the GeneralError page is throwing an error, probably because the script is still in the url. Maybe you can strip that before the page loads?
3. Make a plain html error page and change the web.config file to use it?
I don't have time to test any of these.
dtooker20102643  
#8 Posted : Thursday, July 11, 2024 10:42:35 AM(UTC)
dtooker20102643

Rank: Newbie

Groups: Developers
Joined: 4/24/2019(UTC)
Posts: 4

Thank you for the suggestions, but I think my only move at this point is to get the upgrade done as quickly as possible, and find out if it still fails PCI compliance.
judy at Web2Market  
#9 Posted : Monday, July 15, 2024 7:22:32 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
I tried /z--%3E%3Cqss%3E on an AC 909 site and got the same error page. I don't think this is an issue with AC, but you wouldn't be able to convince your scanning company of that.
judy at Web2Market  
#10 Posted : Monday, July 15, 2024 12:02:17 PM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
I did some more research and ran across https://serverfault.com/...et-error-page-for-url-we

I didn't absorb some of what he was saying, but did find IIS error pages
C:\inetpub\custerr\en-US
judy at Web2Market  
#11 Posted : Tuesday, August 20, 2024 8:14:38 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
I've done more research/experimenting since we have sites experiencing this. I downloaded NOOP commerce and found that their error page is a plain html page so I don't think you would have the issue with it in that case.
Users browsing this topic
Guest
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.