ShowSecurityErrorDetails = False but still error details are shown
#1
Hi,

As a result of an exception, the user was shown the exception page including call stack details. This happened while TIWServerController.SecurityOptions.ShowSecurityErrorDetails = False.
I would like to show the user the error message but without these details. On the server this error, including the details, should stay.

A second issue with the attached testcase shows a small memory leak after the exception is generated.

Using IW 15.2.52


Attached Files
.zip   issue2901.zip (Size: 26.74 KB / Downloads: 1)
#2
The stack trace is not part of the details hidden when this option is False. Only sensitive information is hidden (the call stack doesn't expose things that can compromise your server).

I'll check the test case and let you know
#3
Hi Alexandre,

True, but also application details like the app path, etc., are shown.
I updated the example to also show the differences between how exceptions are handled in the application based on where the exception occurs.


Attached Files
.zip   issue2901.zip (Size: 26.94 KB / Downloads: 0)
#4
Hi Alexandre,

Update on the first issue about showing the app path, etc. My mistake. This information is only visible when testing from localhost.
I see the check on Host = <localhost> in TIWExceptionLogWorker.GetExceptionDetail().

Note that this 'Host' header field can be changed by an attacker. This way the information can still be visible outside 'localhost'...
#5
If you really want to hide everything from the user, then change the following 2 templates.

iwServerError.html
IWError.html

and maybe IWException.html

You can still log the real error.
#6
(04-07-2022, 07:15 AM)jeroen.rottink Wrote: Hi Alexandre,

True, but also application details like the app path, etc., are shown.
I updated the example to also show the differences between how exceptions are handled in the application based on where the exception occurs.

Jeroen,

To have a proper idea of what really appears in that log you need to test from another machine in a network environment.

It will always show everything when running from localhost. That's by design.

If you are running from localhost, you always have access to everything. No need to hide anything in that case.
#7
(04-08-2022, 05:44 AM)Alexandre Machado Wrote: Jeroen,

To have a proper idea of what really appears in that log you need to test from another machine in a network environment.

It will always show everything when running from localhost. That's by design.

If you are running from localhost, you always have access to everything. No need to hide anything in that case.

Hi Alexandre,

I did. See my third post yesterday. Also see the remark about changing the Host header field value.
My solution in those cases:

Code:
// Decide by the transport-level peer address, not by the client-supplied Host header:
// RemoteAddr := WebApplication.Request.RemoteAddr;
// if not IsLocalHost(RemoteAddr) then ...

function TIWServerController.IsLocalHost(const AIP: string): boolean;
begin
  // https://serverfault.com/questions/411658/can-localhost-be-spoofed
  // https://stackoverflow.com/questions/40189084/what-is-ipv6-for-localhost-and-0-0-0-0
  // Accept the IPv4 loopback and both textual forms of the IPv6 loopback
  Result := SameText(AIP, '127.0.0.1') or SameText(AIP, '::1')
         or SameText(AIP, '0:0:0:0:0:0:0:1');
end;

(04-07-2022, 04:35 PM)joelcc Wrote: If you really want to hide everything from the user, then change the following 2 templates.

iwServerError.html
IWError.html

and maybe IWException.html

You can still log the real error.

Hi joelcc,

Thanks. I didn't think about that.

When would IWServerError.html be used? I can't find a reference to that.
On GitHub there are some demos showing the usage: https://github.com/Atozed/IntraWeb/tree/...Exceptions
https://www.atozed.com/2008/01/20080915a-en/
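The two points raised in posts #4 and #7 (the Host header is client-controlled, the TCP peer address is not) can be shown side by side. The following is an added illustration written for this thread; it is not IntraWeb code and does not model TIWExceptionLogWorker. The request dictionaries, the application path and the exception are constructed samples, and the two `*_check` functions are hypothetical names standing in for "the check the server uses before including details in the report". It goes a little beyond the Pascal snippet above by also accepting IPv4-mapped IPv6 peers (::ffff:127.0.0.1) via the standard `ipaddress` module.

```python
import ipaddress
import traceback

# Constructed sample requests (not taken from the thread). "remote_addr" is
# what the server socket reports for the peer; "Host" is whatever the client
# chose to send, so a remote client can simply claim to be localhost.
LOCAL_REQUEST = {"remote_addr": "127.0.0.1", "headers": {"Host": "localhost:8888"}}
REMOTE_REQUEST = {"remote_addr": "203.0.113.5", "headers": {"Host": "app.example.test"}}
SPOOFED_REQUEST = {"remote_addr": "203.0.113.5", "headers": {"Host": "localhost"}}

APP_PATH = "C:/placeholder/MyIntraWebApp.exe"   # constructed placeholder, not a real path


def host_header_says_localhost(headers):
    """Weak check: trusts the client-supplied Host header."""
    host = headers.get("Host", "").strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8888
        host = host[1:host.find("]")]
    else:
        host = host.split(":", 1)[0]         # drop an optional :port
    return host in ("localhost", "127.0.0.1", "::1")


def is_loopback_address(remote_addr):
    """Robust check: uses the peer address of the TCP connection itself."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False                         # not an IP literal: treat as remote
    # A dual-stack socket may report IPv4 peers as ::ffff:a.b.c.d
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback                    # 127.0.0.0/8 and ::1; 0.0.0.0 is not loopback


def host_header_check(request):
    return host_header_says_localhost(request["headers"])


def remote_addr_check(request):
    return is_loopback_address(request["remote_addr"])


def build_error_report(request, exc, app_path, is_local_check):
    """Return (user_view, server_log). The server log always keeps everything;
    the user only gets stack and path details when is_local_check() says the
    request is local."""
    server_log = {
        "message": str(exc),
        "stack": "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)),
        "app_path": app_path,
        "remote_addr": request["remote_addr"],
    }
    user_view = dict(server_log) if is_local_check(request) else {"message": str(exc)}
    return user_view, server_log


def make_sample_exception():
    """Raise and catch a constructed exception so it carries a traceback."""
    try:
        raise ValueError("constructed sample failure in a session handler")
    except ValueError as exc:
        return exc


def user_sees_details(request, is_local_check):
    """True when the user-facing page would contain the call stack and app path."""
    user_view, _ = build_error_report(request, make_sample_exception(), APP_PATH, is_local_check)
    return "stack" in user_view and "app_path" in user_view


if __name__ == "__main__":
    for name, req in (("local", LOCAL_REQUEST), ("remote", REMOTE_REQUEST), ("spoofed Host", SPOOFED_REQUEST)):
        print(f"{name:13s} header check -> details shown: {user_sees_details(req, host_header_check)}, "
              f"peer-address check -> details shown: {user_sees_details(req, remote_addr_check)}")
```

Running it shows the spoofed request passing the Host-header check but not the peer-address check, while the genuinely local request passes both; the server-side log entry is identical in every case.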
#8
Frankly, I do not remember. It may never be used. It may be just the other 2 that are used, but those are the 3 templates that we had our html guys update years ago.

Hopefully that helps you.
#9
Hi Jeroen,

I see what you mean. Hold on, I'll make some tests and probably some changes to allow more granularity when choosing what you want in the final HTML report.

Cheers
#10
Please download and install version 15.2.53: https://www.atozed.com/2022/04/intraweb-15-2-53/

It will allow you to configure exactly the information that you want to include in that report.

Also, the report will work/behave the same regardless of the environment (local/remote).