Tracing Security Risk
We recently launched a site and as part of a PCI Compliance security audit noticed that when we do a redirect from an XSLT extension, trace information is included in the response even though all debugging and trace config settings are turned off. This made us fail the PCI compliance.
I got the source code set up and noticed that an exception is thrown in the Macro (see below), but I am unsure why the trace information is getting output.
Can anyone shed any light on this please?
Trace Information
Category                Message                                                                     From First(s)          From Last(s)
aspx.page               Begin PreInit
umbracoInit             handling request                                                            2.06345864661654E-05   0.000021
request handler         current url ''                                                              4.69233082706767E-05   0.000026
umbracoRequestHandler   xpath: '/root/node'                                                         7.82827067669173E-05   0.000031
umbracoRequestHandler   xpath: '/root/node [@urlName = ""] | /root/node'                            9.35308270676692E-05   0.000015
umbracoRequestHandler   xpath: '/root/node [@urlName = ""] | /root/node'                            0.000110240601503759   0.000017
umbracoRequestHandler   Just before xPath query (False, '/root/node [@urlName = ""] | /root/node')  0.000124472180451128   0.000014
umbracoRequestHandler   pageXPathQueryStart: '/root'                                                0.000136872180451128   0.000012
umbracoRequestHandler   After xPath query                                                           0.000175633082706767   0.000039
umbracoRequestHandler   Access checking started                                                     0.000216911278195489   0.000041
umbracoRequestHandler   Page not protected                                                          0.000237524812030075   0.000021
umbracoRequestHandler   Access checking ended                                                       0.000250084210526316   0.000013
umbracoInit             Done handling request                                                       0.000264661654135338   0.000015
umbracoPage             Element loaded: storefrontPath                                              0.000322439097744361   0.000058
umbracoPage             Element loaded: galleryFolder                                               0.000344403007518797   0.000022
umbracoPage             Element loaded: breadcrumbTitle                                             0.000359906766917293   0.000016
umbracoPage             Element loaded: serviceUrl                                                  0.000375560902255639   0.000016
umbracoPage             Element loaded: analyticsCode                                               0.000392562406015038   0.000017
umbracoPage             Element loaded: facebookURL                                                 0.000408051127819549   0.000015
umbracoPage             Element loaded: twitterURL                                                  0.00042286015037594    0.000015
umbracoPage             Element loaded: flickrURL                                                   0.000438144360902256   0.000015
umbracoPage             Element loaded: youtubeURL                                                  0.000453022556390977   0.000015
umbracoPage             Element loaded: ShowDistributorsLink                                        0.000468156390977444   0.000015
umbracoPage             Element loaded: metaTitle                                                   0.000483603007518797   0.000015
umbracoPage             Element loaded: keywords                                                    0.000499028571428571   0.000015
umbracoPage             Element loaded: metaDescription                                             0.000514264661654135   0.000015
umbracoPage             Element loaded: umbracoNaviHide                                             0.000534878195488722   0.000021
umbracoPage             Pagedata loaded for My Site (ID: 1051, Version: 221ed11e-e58e-4736-8d78-9a648b14d4c3)  0.0005512   0.000016
aspx.page               End PreInit                                                                 0.000765461654135338   0.000214
aspx.page               Begin Init                                                                  0.000783025563909774   0.000018
umbracoMacro            Macro loaded from cache (ID: 23, Get Geolocation)                           0.000812535338345865   0.000030
renderMacro             Rendering started (macro: Get Geolocation, type: 1, cacheRate: 0)           0.00246293533834586    0.001090
                        Thread was being aborted. at umbraco.macro.loadMacroXSLT(macro macro, Hashtable attributes, Hashtable pageElements)
Template                Error adding macro Get Geolocation
                        Thread was being aborted. at umbraco.macro.loadMacroXSLT(macro macro, Hashtable attributes, Hashtable pageElements) at umbraco.macro.renderMacro(Hashtable attributes, Hashtable pageElements, Int32 pageId) at umbraco.presentation.templateControls.Macro.CreateChildControls()
Error loading XSLT GetGeolocation.xslt
Thread was being aborted.at umbraco.macro.loadMacroXSLT(macro macro, Hashtable attributes, Hashtable pageElements)
Error adding macro Get Geolocation
Thread was being aborted.at umbraco.macro.loadMacroXSLT(macro macro, Hashtable attributes, Hashtable pageElements)
at umbraco.macro.renderMacro(Hashtable attributes, Hashtable pageElements, Int32 pageId)
at umbraco.presentation.templateControls.Macro.CreateChildControls()
Hi Brendan -
What exactly is the security risk? While this behavior may not be as expected, the trace itself does not appear to contain any information that could be used to exploit a vulnerability or to be a vulnerability in itself.
Please let us know the details of the auditor's findings.
-Paul
Hi Paul,
Thanks for the reply. That is only a small portion of the trace; I left out details that included an internal IP address (this failed PCI Compliance), computer name, local path to the application and a lot more.
I have been frying my head the past day or two trying to work out what is going on; all tracing & debugging is switched off in the config. Can you shed any light on this please?
Thanks,
B
Hi Brendan,
Have you tried this?
That affects both umbdebugshowtrace and umbdebug, as this post and Dirk de Grave mention:
http://our.umbraco.org/forum/core/general/8333-Debug-on-or-off
Thanks, Giorgos
Hi Giorgos, yeah, tried that setting but it didn't matter. I have the source code here and am trying to debug through it; any tips/help would be really appreciated.
Thanks, B
OK, I have found out what the problem was after a lot of head scratching. In the root of the website is the default.aspx page and at the top of that page is the following line:
The [trace="true"] is overriding any properties set in the config file; this should really be removed from the source.
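A check for the page-level override described in the post above, added here as an example (it is not code from the thread or from Umbraco): it scans an .aspx source for a Page/Control/Master directive that sets Trace, compares it with the web.config trace setting, and reports which one wins. The file contents are constructed samples, and the attribute handling assumes standard ASP.NET directive syntax (case-insensitive names, double-quoted values).

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# An ASP.NET directive such as <%@ Page Language="C#" Trace="true" %>.
# Directive and attribute names are case-insensitive, so the scan is too.
DIRECTIVE_RE = re.compile(r'<%@\s*(Page|Control|Master)\b(.*?)%>', re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def page_trace_override(source: str) -> Optional[bool]:
    """True/False when the directive sets Trace explicitly, None when it does not."""
    m = DIRECTIVE_RE.search(source)
    if m is None:
        return None
    attrs = {k.lower(): v.strip().lower() for k, v in ATTR_RE.findall(m.group(2))}
    if "trace" not in attrs:
        return None
    return attrs["trace"] == "true"


def config_trace_enabled(web_config: str) -> bool:
    """Read <system.web><trace enabled="..."/> from web.config (absent means disabled)."""
    trace = ET.fromstring(web_config).find("system.web/trace")
    return trace is not None and trace.get("enabled", "false").lower() == "true"


def effective_trace(source: str, web_config: str) -> bool:
    """A page directive wins over web.config, which is exactly the override in the thread."""
    override = page_trace_override(source)
    return config_trace_enabled(web_config) if override is None else override


# Constructed samples: tracing is off in web.config, but default.aspx turns it back on.
WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>"""
DEFAULT_ASPX = '<%@ Page Language="C#" Trace="true" AutoEventWireup="true" %>\n<html></html>'
FIXED_ASPX = '<%@ Page Language="C#" AutoEventWireup="true" %>\n<html></html>'

if __name__ == "__main__":
    for name, src in (("default.aspx", DEFAULT_ASPX), ("fixed default.aspx", FIXED_ASPX)):
        print(f"{name}: trace output {'ON' if effective_trace(src, WEB_CONFIG) else 'off'}")
```

Running page_trace_override over every .aspx, .ascx and .master file in a deployment catches the same override elsewhere; on production servers, <deployment retail="true"/> in machine.config additionally disables trace output machine-wide.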
Thanks for posting your solution, it was still an issue in 4.7.0