  • Brendan Rice 538 posts 1100 karma points
    Nov 16, 2010 @ 18:25
    Brendan Rice
    0

    Tracing Security Risk

    We recently launched a site and, as part of a PCI Compliance security audit, noticed that when we do a redirect from an XSLT extension, trace information is included in the response even though all debugging and trace config settings are turned off.  This made us fail the PCI compliance.

    I got the source code set up and noticed that an exception is thrown in the Macro (see below), but I am unsure why the trace information is getting output.

    Can anyone shed any light on this please?

    Trace Information

    Category  Message  From First(s)  From Last(s)
    aspx.page Begin PreInit    
    umbracoInit handling request 2.06345864661654E-05 0.000021
    request handler current url '' 4.69233082706767E-05 0.000026
    umbracoRequestHandler xpath: '/root/node' 7.82827067669173E-05 0.000031
    umbracoRequestHandler xpath: '/root/node [@urlName = ""] | /root/node' 9.35308270676692E-05 0.000015
    umbracoRequestHandler xpath: '/root/node [@urlName = ""] | /root/node' 0.000110240601503759 0.000017
    umbracoRequestHandler Just before xPath query (False, '/root/node [@urlName = ""] | /root/node') 0.000124472180451128 0.000014
    umbracoRequestHandler pageXPathQueryStart: '/root' 0.000136872180451128 0.000012
    umbracoRequestHandler After xPath query 0.000175633082706767 0.000039
    umbracoRequestHandler Access checking started 0.000216911278195489 0.000041
    umbracoRequestHandler Page not protected 0.000237524812030075 0.000021
    umbracoRequestHandler Access checking ended 0.000250084210526316 0.000013
    umbracoInit Done handling request 0.000264661654135338 0.000015
    umbracoPage Element loaded: storefrontPath 0.000322439097744361 0.000058
    umbracoPage Element loaded: galleryFolder 0.000344403007518797 0.000022
    umbracoPage Element loaded: breadcrumbTitle 0.000359906766917293 0.000016
    umbracoPage Element loaded: serviceUrl 0.000375560902255639 0.000016
    umbracoPage Element loaded: analyticsCode 0.000392562406015038 0.000017
    umbracoPage Element loaded: facebookURL 0.000408051127819549 0.000015
    umbracoPage Element loaded: twitterURL 0.00042286015037594 0.000015
    umbracoPage Element loaded: flickrURL 0.000438144360902256 0.000015
    umbracoPage Element loaded: youtubeURL 0.000453022556390977 0.000015
    umbracoPage Element loaded: ShowDistributorsLink 0.000468156390977444 0.000015
    umbracoPage Element loaded: metaTitle 0.000483603007518797 0.000015
    umbracoPage Element loaded: keywords 0.000499028571428571 0.000015
    umbracoPage Element loaded: metaDescription 0.000514264661654135 0.000015
    umbracoPage Element loaded: umbracoNaviHide 0.000534878195488722 0.000021
    umbracoPage Pagedata loaded for My Site (ID: 1051, Version: 221ed11e-e58e-4736-8d78-9a648b14d4c3) 0.0005512 0.000016
    aspx.page End PreInit 0.000765461654135338 0.000214
    aspx.page Begin Init 0.000783025563909774 0.000018
    umbracoMacro Macro loaded from cache (ID: 23, Get Geolocation) 0.000812535338345865 0.000030
    renderMacro Rendering started (macro: Get Geolocation, type: 1, cacheRate: 0) 0.000831876691729323 0.000019
    umbracoMacro Before adding extensions 0.000885666165413534 0.000054
    umbracoXsltExtension Extension added: urn:Exslt.ExsltCommon, ExsltCommon 0.00124664661654135 0.000361
    umbracoXsltExtension Extension added: urn:Exslt.ExsltDatesAndTimes, ExsltDatesAndTimes 0.00126612330827068 0.000019
    umbracoXsltExtension Extension added: urn:Exslt.ExsltMath, ExsltMath 0.00128086616541353 0.000015
    umbracoXsltExtension Extension added: urn:Exslt.ExsltRegularExpressions, ExsltRegularExpressions 0.00129484511278195 0.000014
    umbracoXsltExtension Extension added: urn:Exslt.ExsltStrings, ExsltStrings 0.00131192481203008 0.000017
    umbracoXsltExtension Extension added: urn:Exslt.ExsltSets, ExsltSets 0.00132650827067669 0.000015
    umbracoXsltExtension Extension added: urn:MyLibrary, library 0.00134021353383459 0.000014
    umbracoMacro After adding extensions 0.00135385864661654 0.000014
    umbracoMacro Before performing transformation 0.00137296240601504 0.000019
    umbracoMacro

    Error loading XSLT GetGeolocation.xslt

    Thread was being aborted.
      at umbraco.macro.loadMacroXSLT(macro macro, Hashtable attributes, Hashtable pageElements)
    0.00246293533834586 0.001090
    Template

    Error adding macro Get Geolocation

    Thread was being aborted.
      at umbraco.macro.loadMacroXSLT(macro macro, Hashtable attributes, Hashtable pageElements)
      at umbraco.macro.renderMacro(Hashtable attributes, Hashtable pageElements, Int32 pageId)
      at umbraco.presentation.templateControls.Macro.CreateChildControls()
    0.00380095639097744 0.001338
  • Paul Sterling 718 posts 1534 karma points MVP 8x admin c-trib
    Nov 16, 2010 @ 19:45
    Paul Sterling
    1

    Hi Brendan -

    What exactly is the security risk?  While this behavior may not be as expected, the trace itself does not appear to contain any information that could be used to exploit a vulnerability or to be a vulnerability in itself.

    Please let us know the details of the auditor's findings.

    -Paul

  • Brendan Rice 538 posts 1100 karma points
    Nov 17, 2010 @ 00:56
    Brendan Rice
    0

    Hi Paul,

    Thanks for the reply.  That is only a small portion of the trace; I left out details that included internal IP address (this failed PCI Compliance), computer name, local path to application and a lot more.

    I have been frying my head the past day or two trying to work out what is going on; all tracing & debugging is switched off in the config. Can you shed any light on this please?

    Thanks,

    B

  • Giorgos Grispos 145 posts 179 karma points
    Nov 17, 2010 @ 07:50
    Giorgos Grispos
    0

    Hi Brendan,

    Have you tried this?

    <add key="umbracoDebugMode" value="true|false" />

    That affects both umbdebugshowtrace and umbdebug, as this post and Dirk de Grave mention:

    http://our.umbraco.org/forum/core/general/8333-Debug-on-or-off

    Thanks, Giorgos

  • Brendan Rice 538 posts 1100 karma points
    Nov 17, 2010 @ 12:14
    Brendan Rice
    0

    Hi Giorgos, yeah, tried that setting but it didn't matter. I have the source code here and am trying to debug through it; any tips/help would be really appreciated.

    Thanks, B

  • Brendan Rice 538 posts 1100 karma points
    Nov 17, 2010 @ 12:45
    Brendan Rice
    3

    OK I have found out what the problem was after a lot of head scratching.  In the root of the website is the default.aspx page and at the top of that page is the following line:

    <%@ Page language="c#" Codebehind="default.aspx.cs" AutoEventWireup="True" Inherits="umbraco.UmbracoDefault" trace="true" validateRequest="false" %>

    The [trace="true"] is overriding any properties set in the config file; this should really be removed from the source.

  • Ben Wicks 4 posts 25 karma points
    Nov 29, 2011 @ 04:48
    Ben Wicks
    0

    Thanks for posting your solution, it was still an issue in 4.7.0
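
An added example, not part of the original thread or of Umbraco's code: a Python audit that reports .aspx files whose @ Page directive sets trace="true" while web.config has tracing off, which is the situation found in default.aspx above. The sample web.config and about.aspx are constructed, the function names are this example's own, and the default.aspx directive is the one quoted in the thread.

```python
import re
from pathlib import Path
import xml.etree.ElementTree as ET

# <%@ Page ... %> directives; directive and attribute names are case-insensitive.
PAGE_RE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
ATTR_RE = re.compile(r"([\w:]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)')")

def config_trace_enabled(web_config_xml):
    """Application-level <system.web><trace enabled="..."/>; a missing element means off."""
    for section in ET.fromstring(web_config_xml):
        if section.tag == "system.web":
            for node in section:
                if node.tag == "trace":
                    return node.get("enabled", "false").lower() == "true"
    return False

def page_trace_flags(source):
    """Yield True/False for each @ Page directive that sets Trace explicitly."""
    for m in PAGE_RE.finditer(source):
        attrs = {a.group(1).lower(): a.group(2) if a.group(2) is not None else a.group(3)
                 for a in ATTR_RE.finditer(m.group(1))}
        if "trace" in attrs:
            yield attrs["trace"].strip().lower() == "true"

def audit(web_config_xml, pages):
    """Return (path, reason) findings for every place trace output is switched on."""
    app_on = config_trace_enabled(web_config_xml)
    findings = [("web.config", "trace enabled for the whole application")] if app_on else []
    for path, source in sorted(pages.items()):
        if any(page_trace_flags(source)):
            findings.append((path, "@ Page Trace=true" + ("" if app_on else " overrides web.config")))
    return findings

def load_pages(webroot):
    """Read every .aspx file under webroot into {relative_path: text}."""
    root = Path(webroot)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in root.rglob("*") if p.suffix.lower() == ".aspx"}

# Constructed sample input: tracing off in web.config, plus the directive quoted in the thread.
SAMPLE_CONFIG = """<configuration><system.web>
  <trace enabled="false" /><compilation debug="false" />
</system.web></configuration>"""
SAMPLE_PAGES = {
    "default.aspx": '<%@ Page language="c#" Codebehind="default.aspx.cs" AutoEventWireup="True" '
                    'Inherits="umbraco.UmbracoDefault" trace="true" validateRequest="false" %>',
    "about.aspx": '<%@ Page Language="C#" Trace="false" %>',
}

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_CONFIG, SAMPLE_PAGES):
        print(f"{path}: {reason}")
```

To check a real deployment, pass the contents of its web.config and `load_pages(webroot)` to `audit` and fail the build or release step when the returned list is not empty.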
