Trace output appearing in production responses
I've noticed something pretty alarming with a couple of production instances of Umbraco 4.5.2.
When a page has the umbracoRedirect property set (which invokes the SearchForAlias : INotFoundHandler), the HTTP 302 redirect response includes the ASP.NET trace output.
(Note: you need to use an HTTP proxy such as Fiddler to view the intermediate 302 response before the browser redirects to the target URL.)
I have ensured the following configuration items are set:
web.config:
  appSettings/umbracoDebugMode: false
  system.web/trace/enabled: false
  system.web/compilation/debug: false
This is pretty bad, as a significant amount of environment information is available to any and all...
Can anyone else reproduce this?
Has anyone got any suggestions on how to resolve this?
Is this something that should be raised as a security-related bug?
Thanks,
Greg
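A quick way to confirm the symptom described above from the outside, as an added example that is not part of the thread: fetch a page that has umbracoRedirect set with redirects disabled, so the body of the intermediate 302 itself is inspected, and report which of the standard ASP.NET trace section headings it contains. The marker list is the set of headings ASP.NET page tracing writes (assumed sufficient for this check); the sample HTML in the test is constructed.

```python
import sys
import urllib.error
import urllib.request

# Section headings that ASP.NET page-level tracing writes into the response body.
TRACE_MARKERS = (
    "Request Details",
    "Trace Information",
    "Control Tree",
    "Session State",
    "Headers Collection",
    "Server Variables",
)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 302 body


def find_trace_markers(body: str) -> list:
    """Return the trace section headings present in an HTML body, in marker order."""
    return [m for m in TRACE_MARKERS if m in body]


def check_redirect(url: str, timeout: float = 10.0) -> dict:
    """Fetch url without following redirects; report status, Location and trace leakage."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "trace-leak-check/1.0"})
    try:
        resp = opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:  # the un-followed 302 surfaces here
        resp = err
    body = resp.read().decode("utf-8", errors="replace")
    return {
        "status": resp.code,
        "location": resp.headers.get("Location"),
        "trace_markers": find_trace_markers(body),
    }


if __name__ == "__main__":
    result = check_redirect(sys.argv[1])  # URL of a page with umbracoRedirect set
    print(result)
    sys.exit(1 if result["trace_markers"] else 0)
```

A non-empty trace_markers list on a 302 means the web.config settings are not taking effect for that request path and the leak is still present.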
Hi Greg,
Check this article, it might be related to your query:
http://our.umbraco.org/forum/ourumb-dev-forum/bugs/14649-Tracing-Security-Risk
Cheers, Giorgos