  • Greg White 7 posts 27 karma points
    Oct 29, 2010 @ 04:46

    Trace output appearing in production responses

    I've noticed something pretty alarming with a couple of production instances of Umbraco 4.5.2.

    When a page has the umbracoRedirect property set (which invokes the SearchForAlias : INotFoundHandler), the HTTP 302 redirect response includes the ASP.NET trace output.
    (Note: You need to use an HTTP proxy such as Fiddler to view the intermediate 302 response, before the browser redirects to the target URL.)

    I have ensured the following configuration items are set:

    web.config
    appSettings/umbracoDebugMode: false
    system.web/trace/enabled: false
    system.web/compilation/debug: false

    This is pretty bad, as a significant amount of environment information is available to any and all...

    Can anyone else reproduce this?

    Has anyone got any suggestions on how to resolve this?

    Is this something that should be raised as a security-related bug?

    Thanks,
    Greg

  • Giorgos Grispos 145 posts 179 karma points
    Nov 26, 2010 @ 13:25

    Hi Greg,

    Check this article; it might be related to your query.

    http://our.umbraco.org/forum/ourumb-dev-forum/bugs/14649-Tracing-Security-Risk

    Cheers, Giorgos
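
Added example, not part of the original thread or of Umbraco's code: a Python check that requests a page of your own site without following redirects and looks for ASP.NET trace output in the 3xx body, which is what the first post observed through Fiddler. The marker strings and the sample bodies are assumptions constructed for this example.

```python
import http.client
from urllib.parse import urlsplit

# Strings that ASP.NET page tracing writes into a response body.
# This marker list is an assumption of the example; extend it to match your output.
TRACE_MARKERS = ('id="__asptrace"', "Request Details", "Trace Information",
                 "Server Variables")

def find_trace_markers(body):
    """Return the trace markers present in a response body (case-insensitive)."""
    lowered = body.lower()
    return [m for m in TRACE_MARKERS if m.lower() in lowered]

def check_response(status, body):
    """Classify one response: is it a redirect, and does its body carry trace output?"""
    markers = find_trace_markers(body)
    return {"redirect": 300 <= status < 400, "markers": markers, "leak": bool(markers)}

def fetch_no_redirect(url, timeout=10.0):
    """GET url without following redirects, so the 3xx body itself is returned."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()

# Constructed sample bodies (not captured from a real site).
CLEAN_302 = ('<html><head><title>Object moved</title></head><body>'
             '<h2>Object moved to <a href="/target">here</a>.</h2></body></html>')
LEAKY_302 = CLEAN_302 + ('<div id="__asptrace"><h1>Request Details</h1>'
                         '<h2>Trace Information</h2></div>')

if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:  # URLs of redirecting pages on your own site
        status, body = fetch_no_redirect(url)
        print(url, status, check_response(status, body))
```

Run it against pages that have umbracoRedirect set; a result with `redirect` and `leak` both true reproduces the condition described in the first post.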
