Atozed Forums
ShowSecurityErrorDetails = False but still error details are shown - Printable Version

Thread: ShowSecurityErrorDetails = False but still error details are shown (/thread-2703.html)


ShowSecurityErrorDetails = False but still error details are shown - jeroen.rottink - 04-06-2022

Hi,

As a result of an exception, the user was shown the exception page, including call stack details, even though TIWServerController.SecurityOptions.ShowSecurityErrorDetails = False.
I would like to show the user the error message, but without these details. On the server, this error, including the details, should remain.

A second issue with the attached test case: it shows a small memory leak after the exception is generated.

Using IW 15.2.52


RE: ShowSecurityErrorDetails = False but still error details are shown - Alexandre Machado - 04-07-2022

The stack trace is not part of the details hidden when this option is False. Only sensitive information is hidden (the call stack doesn't expose things that can compromise your server).

I'll check the test case and let you know


RE: ShowSecurityErrorDetails = False but still error details are shown - jeroen.rottink - 04-07-2022

Hi Alexandre,

True, but application details like the app path etc. are also shown.
I updated the example to also show the differences between how exceptions are handled in the application based on where the exception occurs.


RE: ShowSecurityErrorDetails = False but still error details are shown - jeroen.rottink - 04-07-2022

Hi Alexandre,

Update on the first issue (showing the app path etc.): my mistake. This information is only visible when testing from localhost.
I see the check on Host = <localhost> in TIWExceptionLogWorker.GetExceptionDetail().

Note that this 'Host' header field can be changed by an attacker. This way, the information can still be visible from outside 'localhost'...


RE: ShowSecurityErrorDetails = False but still error details are shown - joelcc - 04-07-2022

If you really want to hide everything from the user, then change the following 2 templates:

iwServerError.html
IWError.html

and maybe IWException.html

You can still log the real error.


RE: ShowSecurityErrorDetails = False but still error details are shown - Alexandre Machado - 04-08-2022

(04-07-2022, 07:15 AM)jeroen.rottink Wrote: Hi Alexandre,

True, but application details like the app path etc. are also shown.
I updated the example to also show the differences between how exceptions are handled in the application based on where the exception occurs.

Jeroen,

To have a proper idea of what really appears in that log, you need to test from another machine in a network environment.

It will always show everything when running from localhost. That's by design.

If you are running from localhost, you always have access to everything. No need to hide anything in that case.


RE: ShowSecurityErrorDetails = False but still error details are shown - jeroen.rottink - 04-08-2022

(04-08-2022, 05:44 AM)Alexandre Machado Wrote: Jeroen,

To have a proper idea of what really appears in that log, you need to test from another machine in a network environment.

It will always show everything when running from localhost. That's by design.

If you are running from localhost, you always have access to everything. No need to hide anything in that case.

Hi Alexandre,

I did. See my third post yesterday, and also the remark about changing the Host header field value.
My solution in those cases:

Code:
// Decide "local" from the TCP peer address, not from the client-supplied Host header:
// RemoteAddr := WebApplication.Request.RemoteAddr;
// if not IsLocalHost(RemoteAddr) then ...

function TIWServerController.IsLocalHost(const AIP: string): boolean;
begin
  // https://serverfault.com/questions/411658/can-localhost-be-spoofed
  // https://stackoverflow.com/questions/40189084/what-is-ipv6-for-localhost-and-0-0-0-0
  // The IPv6 loopback address can be reported expanded or compressed, and a
  // dual-stack socket may report an IPv4 peer in IPv4-mapped form, so accept all spellings.
  Result := SameText(AIP, '127.0.0.1') or
            SameText(AIP, '::1') or
            SameText(AIP, '0:0:0:0:0:0:0:1') or
            SameText(AIP, '::ffff:127.0.0.1');
end;

(04-07-2022, 04:35 PM)joelcc Wrote: if you really want to hide everything from the user then change the following 2 templates.

iwServerError.html
IWError.html

and maybe IWException.html

You can still log the real error.

Hi joelcc,

Thanks. I didn't think about that.

When would IWServerError.html be used? I can't find a reference to that.
On GitHub there are some demos showing the usage: https://github.com/Atozed/IntraWeb/tree/master/XIV/Delphi/CustomizingExceptions
https://www.atozed.com/2008/01/20080915a-en/
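As an added illustration (Python, not IntraWeb/Delphi code, and not written by anyone in this thread) of the two points made above: a "running on localhost" check that keys on the Host header is satisfied by whatever the client chooses to send, while one that keys on the connection's peer address is not. The Request record, the sample addresses (203.0.113.7 is from the TEST-NET-3 documentation range) and the error text are constructed for the example. is_local_by_host_header models the Host = localhost comparison described for TIWExceptionLogWorker.GetExceptionDetail(); is_local_by_remote_addr models the RemoteAddr approach from the post above, but recognises loopback through the ipaddress module so that 127.0.0.0/8, '::1' in any spelling and the IPv4-mapped form are all accepted without listing them by hand.

```python
"""Added example (not IntraWeb code): deciding 'local caller' from the TCP peer
address instead of the attacker-controlled Host header. All requests and
addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    host_header: str   # value of the HTTP Host header; chosen by the client
    remote_addr: str   # TCP peer address; filled in by the server's socket layer


def _strip_port(host: str) -> str:
    """Return the host part of a Host header value ('[::1]:8080' -> '::1')."""
    host = host.strip()
    if host.startswith("["):               # bracketed IPv6 literal
        return host[1:host.index("]")]
    return host.split(":", 1)[0]           # 'localhost:8080' -> 'localhost'


def is_loopback_address(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 in any spelling, and IPv4-mapped ::ffff:127.x.x.x."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False                       # hostnames and garbage are not loopback
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                # ::ffff:127.0.0.1 -> 127.0.0.1
    return ip.is_loopback


def is_local_by_host_header(req: Request) -> bool:
    """Models the check criticised in the thread: it trusts client-supplied data."""
    host = _strip_port(req.host_header)
    return host.lower() == "localhost" or is_loopback_address(host)


def is_local_by_remote_addr(req: Request) -> bool:
    """Decision based on the peer address, which the client cannot forge inside
    the HTTP request (a reverse proxy on the same machine is the caveat; see note)."""
    return is_loopback_address(req.remote_addr)


def render_error_page(req: Request, message: str, detail: str) -> str:
    """Always show the message; append path/stack detail only for local callers."""
    page = f"Application error: {message}"
    if is_local_by_remote_addr(req):
        page += "\n" + detail
    return page


# Constructed sample requests.
GENUINE_LOCAL = Request(host_header="localhost:8888", remote_addr="127.0.0.1")
GENUINE_LOCAL_V6 = Request(host_header="[::1]:8888", remote_addr="0:0:0:0:0:0:0:1")
SPOOFED_HOST = Request(host_header="localhost", remote_addr="203.0.113.7")
REMOTE = Request(host_header="app.example.net", remote_addr="203.0.113.7")

# Constructed stand-in for the app path / call stack section of the report.
SAMPLE_DETAIL = "Path: C:\\inetpub\\app\\MyApp.exe\nStack: ... (constructed)"


def compare(req: Request) -> dict:
    """Side by side: what each check concludes for one request."""
    return {
        "host_header_check": is_local_by_host_header(req),
        "remote_addr_check": is_local_by_remote_addr(req),
    }


if __name__ == "__main__":
    samples = [("genuine local", GENUINE_LOCAL), ("genuine local v6", GENUINE_LOCAL_V6),
               ("spoofed Host", SPOOFED_HOST), ("remote", REMOTE)]
    for name, req in samples:
        print(f"{name:18} {compare(req)}")
    print(render_error_page(SPOOFED_HOST, "Division by zero", SAMPLE_DETAIL))
```

Run as a script, the table shows the spoofed request judged local by the Host check and remote by the peer-address check, and render_error_page gives that request the message without the path or stack. One caveat a practitioner should weigh before relying on RemoteAddr: it is the address of whoever opened the TCP connection, so behind a reverse proxy on the same machine every request arrives from 127.0.0.1 and this check alone no longer separates local from remote callers. In that deployment the decision has to come from a client address the proxy is trusted to supply, or the local/remote distinction should not be made at all.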


RE: ShowSecurityErrorDetails = False but still error details are shown - joelcc - 04-08-2022

Frankly, I do not remember. It may never be used. It may be just the other 2 that are used, but those are the 3 templates that we had our html guys update years ago.

Hopefully that helps you.


RE: ShowSecurityErrorDetails = False but still error details are shown - Alexandre Machado - 04-08-2022

Hi Jeroen,

I see what you mean. Hold on, I'll make some tests and probably some changes to allow more granularity when choosing what you want in the final HTML report.

Cheers


RE: ShowSecurityErrorDetails = False but still error details are shown - Alexandre Machado - 04-10-2022

Please download and install version 15.2.53: https://www.atozed.com/2022/04/intraweb-15-2-53/

It will allow you to configure exactly the information that you want to include in that report.

Also, the report will work/behave the same regardless of the environment (local/remote).