ASP.NET Security Issue & Workaround
A security issue has been identified in ASP.NET that would allow malicious users to download your web.config file. Please follow the steps below to protect your forum before MS releases a patch to correct it in the .NET core:
- Check the customErrors section in web.config and make changes if necessary;
- Generate a machine key that uses 3DES instead of AES for encryption; and
- Encrypt your connection string.
Check the customErrors section
In the forum's root folder, you should have a web.config file that contains the configuration for the forum software. In the file, under system.web, you should find a section named customErrors (unless you deleted it; we ship it in the package).
Please make sure it reads as the following:
<customErrors redirectMode="ResponseRewrite" defaultRedirect="~/PGDErrorHandler.aspx" mode="On">
    <!--<error statusCode="404" redirect="~/PGDRewrite.aspx"/>-->
</customErrors>
A few points to note:
- mode attribute must be set to "On". We ship it as Off to help you see errors (if any) easily when you first install the software. We do have a security section in the installation document that asks you to set it to On. If you haven't done so, please do it right away.
- additional attribute: redirectMode. This is a new attribute for ASP.NET 3.5 SP1 and later; it makes the error less obvious to an attacker.
- 404 section commented out. With the change above, we no longer handle the 404 error (file not found) differently from a 500 error (server application error). This is a temporary workaround; you can un-comment the 404 section later, once MS fixes this security problem.
Generate Machine Key with 3DES for encryption
Another security problem found along with this one had to do with MS's implementation of AES encryption, which is used to encrypt the FormsAuthentication cookie (this affects us) and ViewState (this doesn't affect us, as we don't use encrypted ViewState). The problem lies in the core of .NET, and for now we need to change the machineKey section in web.config to use 3DES (triple DES).
By default we don't have a machineKey defined (also under system.web; you need to do so yourself, as it has to be unique to your environment). We have a machineKey generator that can generate a unique machine key for your particular installation in the AdminCP -> Basic Maintenance. However, it used to generate the machine key based on AES (currently vulnerable). Because of this issue, we have released an update (license holder only link) which changes the behavior of the generator to use 3DES instead.
Check your machine key, and if your current one uses AES, download the patch and generate a new machine key for yourself. If you don't have a machineKey section defined, please generate one, as it has numerous benefits for your forum.
With the new machineKey in place, the only thing to note is that your users will have to log in again (and so will you).
Encrypt connectionString in web.config
This is not a workaround but rather a best practice regardless of ASP.NET's security status. See this post for instructions on encrypting the connection string.
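An added audit script (not the forum vendor's code) that checks a web.config for the three items above: customErrors mode and redirectMode, machineKey decryption algorithm, and whether connectionStrings is still in clear text. Both sample configs are constructed, and the key and password values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the state this advisory tells you to move away from.
WEAK_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Forum" connectionString="Server=db;Database=forum;User Id=app;Password=PLACEHOLDER"/>
  </connectionStrings>
  <system.web>
    <customErrors mode="Off" defaultRedirect="~/PGDErrorHandler.aspx">
      <error statusCode="404" redirect="~/PGDRewrite.aspx"/>
    </customErrors>
    <machineKey validationKey="PLACEHOLDER" decryptionKey="PLACEHOLDER" validation="SHA1" decryption="AES"/>
  </system.web>
</configuration>"""

# Constructed sample: all three items applied (encrypted section body elided).
HARDENED_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>PLACEHOLDER</EncryptedData>
  </connectionStrings>
  <system.web>
    <customErrors redirectMode="ResponseRewrite" defaultRedirect="~/PGDErrorHandler.aspx" mode="On"/>
    <machineKey validationKey="PLACEHOLDER" decryptionKey="PLACEHOLDER" validation="SHA1" decryption="3DES"/>
  </system.web>
</configuration>"""

def child(node, tag):
    """First direct child of node with the given tag, or None."""
    return next((c for c in node if c.tag == tag), None) if node is not None else None

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means all three workaround items are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    sw = child(root, "system.web")
    ce = child(sw, "customErrors")
    if ce is None or ce.get("mode") != "On":
        findings.append("customErrors mode is not On")
    if ce is not None and ce.get("redirectMode") != "ResponseRewrite":
        findings.append("customErrors has no redirectMode=ResponseRewrite")
    if ce is not None and child(ce, "error") is not None:
        findings.append("customErrors still has a per-status <error> entry (404 handled differently)")
    mk = child(sw, "machineKey")
    if mk is None:
        findings.append("no explicit machineKey section")
    elif mk.get("decryption", "Auto").upper() != "3DES":
        # Anything other than an explicit 3DES (AES, or the Auto default) does not apply the workaround.
        findings.append("machineKey decryption is %s, not 3DES" % mk.get("decryption", "Auto"))
    cs = child(root, "connectionStrings")
    if cs is not None and cs.get("configProtectionProvider") is None:
        findings.append("connectionStrings is not encrypted")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(cfg) or ["OK"])
```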
post edited by Samuel -