I'm trying to disable trace/debug information from being shown but this doesn't seem to be working despite making the following changes to the web.config file:-
Set umbracoDebugMode to false
In the system.web/trace section set enabled to false so that nobody has access to your traces
Unable to disable trace/debug
Hi,
I'm trying to disable trace/debug information from being shown but this doesn't seem to be working despite making the following changes to the web.config file:-
And also the following changes have been made to default.aspx:-
Change
<add key="umbracoDebugMode" value="true" />
To false, and also change
<compilation defaultLanguage="c#" debug="true" batch="false" targetFramework="4.0">
To false.
Reason:
Having trace enabled allows an attacker to see a bunch of server variables including ports, IP addresses, and even an absolute directory structure of where your website sits on your server.
Both the website and IIS have been restarted after making these changes! Does anyone have any idea why it would still be possible to view trace information?
Many thanks
Sources: http://our.umbraco.org/wiki/recommendations/recommended-reading-for-it-administrators/best-practices-for-live-deployment/setting-trace-in-defaultaspx-and-webconfig
http://our.umbraco.org/wiki/recommendations/recommended-reading-for-it-administrators/best-practices-for-live-deployment
Hi Andy
What version of Umbraco are you using? What you describe above sounds to be done right at a first glance.
So what are you doing when you have disabled the trace that does make it seem it's not working?
Looking forward to hearing from you.
/Jan
Hi Jan,
Thank you for your reply. We are currently running version 4.7.1.1
We have a third-party company (http://www.westpoint.ltd.uk/) that monitor and inform us about any security vulnerabilities and they are telling us they are still able to view trace information despite performing the above.
When they append trace.axd at the end of the URL for our corporate website, the following error is seen:-
Server Error in '/' Application.
Trace Error
Description: The current trace settings prevent trace.axd from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable trace.axd to be viewable on remote machines, please create a <trace> tag within the configuration file located in the root directory of the current web application. This <trace> tag should then have its "localOnly" attribute set to "false".
Thanks for any help you can offer
Andy
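Added example, not part of the thread: a Python script that reads a web.config and lists which of the debug and trace settings discussed above are still switched on. It goes one step beyond the posts by also checking <location> blocks, whose own <system.web> settings are not changed by an edit to the root section. The sample config is constructed, the function name audit_web_config is hypothetical, and a <configuration> root without an XML namespace is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from the site in the thread).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="umbracoDebugMode" value="true" />
  </appSettings>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" batch="false" targetFramework="4.0" />
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>"""


def is_true(value):
    """True when an attribute is present and set to 'true'."""
    return value is not None and value.strip().lower() == "true"


def audit_web_config(xml_text):
    """Return findings for umbracoDebugMode, compilation debug and trace."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.findall("appSettings/add"):
        if add.get("key") == "umbracoDebugMode" and is_true(add.get("value")):
            findings.append("appSettings: umbracoDebugMode is true")
    # Root-level settings plus every <location> override.
    scopes = [("root", root)] + [
        ("location path=%r" % loc.get("path", ""), loc)
        for loc in root.iter("location")]
    for label, scope in scopes:
        web = scope.find("system.web")
        if web is None:
            continue
        compilation = web.find("compilation")
        if compilation is not None and is_true(compilation.get("debug")):
            findings.append(label + ": compilation debug is true")
        trace = web.find("trace")
        if trace is not None and is_true(trace.get("enabled")):
            # localOnly defaults to true when the attribute is absent.
            remote = (trace.get("localOnly") or "true").strip().lower() == "false"
            findings.append(label + ": trace enabled is true"
                            + (", localOnly is false" if remote else ""))
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```

An empty list means none of the three settings is enabled in the file that was read; web.config files in subdirectories need to be checked separately.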