How to prevent access to the hidden directories like Scripts, Contents, aspnet_client from the browser in an ASP.NET MVC application? - asp.net-mvc-2

I want to prevent the user from accessing the hidden directories like Scripts, Contents, aspnet_client directly from the browser in an ASP.NET MVC 2 application. Currently, whenever I try to access the above-mentioned hidden directories, it returns the following error message:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
I want to show "404 Not Found" error page whenever one tries to access the above mentioned hidden directories.
Can anyone help me resolve this issue?

When an attacker tries to access a file with some random name, if the given file name does not exist then it will give an error like "404 File not exists". If the file name exists but the attacker doesn't have access to the file, then it will return an error like "403 Forbidden". So the attacker gets an idea of the file and file directory.
So the application should be capable of handling this issue.
The solution is to show the return response in a different way; it is recommended to show it as a 404 error.
To do this in IIS we can add a customErrors configuration in the web.config file.
Please check the article below for details of the issue and solution.
https://www.c-sharpcorner.com/UploadFile/092589/custom-error-page-in-Asp-Net/

You may want to add a custom handler - something like this - http://forums.asp.net/post/4152906.aspx
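As an added example (not code from either answer above, nor from the linked articles), here is the "handle it in code" variant of what both answers describe, for an MVC 2 site on IIS 7 in integrated pipeline mode. It turns a request for a hidden directory root into a 404 before IIS's directory listing module gets a chance to answer 403.14, while leaving the files under those directories served as usual. The directory names, the class name (the MVC 2 template's MvcApplication) and the reliance on the template's runAllManagedModulesForAllRequests="true" are assumptions; merge the method into your existing Global.asax.cs rather than replacing it.

```csharp
// Global.asax.cs -- added example for an ASP.NET MVC 2 site on IIS 7 (integrated pipeline).
// Not code from the original answers; keep the template's Application_Start/RegisterRoutes beside it.
using System;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Directory roots that should answer 404 instead of 403.14 (directory listing denied).
    // Assumption: MVC 2 template folder names; adjust to your project.
    private static readonly string[] HiddenDirectoryRoots = { "Scripts", "Content", "aspnet_client" };

    // True only for the directory itself ("~/Scripts" or "~/Scripts/"), never for a file
    // below it ("~/Scripts/jquery.js"), so static assets keep being served.
    internal static bool IsHiddenDirectoryRoot(string appRelativePath)
    {
        if (string.IsNullOrEmpty(appRelativePath)) return false;
        string segment = appRelativePath.TrimStart('~').Trim('/');
        foreach (string root in HiddenDirectoryRoots)
        {
            if (string.Equals(segment, root, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // BeginRequest runs before IIS's DirectoryListingModule decides on 403.14 (and before the
    // courtesy 301 from "/Scripts" to "/Scripts/"), so both spellings are caught here.
    // Requires runAllManagedModulesForAllRequests="true", which the MVC 2 template already sets.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!IsHiddenDirectoryRoot(Request.AppRelativeCurrentExecutionFilePath))
            return;

        Response.Clear();
        Response.StatusCode = 404;
        // TrySkipIisCustomErrors stays false, so IIS substitutes the site's configured 404 page
        // (httpErrors in web.config) and the reply is indistinguishable from a path that never existed.
        CompleteRequest();
    }
}
```

Check it with a plain browser request: /Scripts/ and /scripts should now return the same 404 page as /does-not-exist/, while /Scripts/jquery.js must still return 200. If you also want every other 403 from IIS to look like a 404, that is a separate httpErrors setting in web.config; this code only covers the listed directory roots.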

Related

Could not access your domain

When I try to install Moodle via Softaculous, I get an error like this. I just created my domain name and the files seem empty. Can you help?
Error:
Could not access your domain. Please make sure your domain is pointing to this server and there is no .htaccess file restricting access to your domain
I get the error while loading Moodle, the contents of my files are empty and there is no .htaccess file.

MainPageSuffix for static site not working

I have searched for this question, but none of the responses help me.
Following the tutorial, I have created a new bucket (www.stepwiserefinement.co.uk) and it contains a static site, including index.html and error.html.
I have used the Console to set these as defaults for the base url and unknown files.
When I access the http://www.stepwiserefinement.co.uk URL, I get an XML listing of the files; I should be seeing index.html.
gsutil correctly reports
{"mainPageSuffix": "/index.html", "notFoundPage": "/error.html"}
but if I access the domain with no path, the response is
<Error>
<Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>
Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket.
</Details>
</Error>
No https, no load balancer needed.
Missing something.
Suggestions please.
There are multiple issues here.
Your site still loads in HTTPS when you put it in the browser. The connection is somehow upgrading you to SSL. And if you're in SSL, you need the load balancer. As opposed to these instructions without load balancer. Maybe you have SSL turned on with your registrar or somewhere else.
I only get 404 error. Not sure how you got "Access denied". But it could also be a secondary issue because when enabled properly, no access control is present. For example, it says here under step 3 "selected Uniform for Access Control". This removes access control.
Let us know if you followed the last article completely.
Edit: Also, out of curiosity, try making the bucket public (without Uniform), if it doesn't work above.

Troubleshooting QuickBooks Web Connector issue

Trying to troubleshoot QuickBooks Web Connector by following the help URL: Click Me. When I try to add an application into Web Connector, I get the following error: "QBWC1048: QuickBooks Web Connector could not verify the web application server certificate. QBWC1051: The new application was not added"
QuickBooks throws the 1048 error because it is unable to complete a GET request to the AppURL specified in the QBFS.qwc file. This is because test.developer.intuit.com restricts GET requests via the SOAP API.
To get around this, include a parameter in the .qwc file, and set it to the same value as your AppURL without the URL path.
For example, if your AppURL is https://mycompany.cs1.force.com/services/Soap/class/myApiClass, then set CertURL to https://mycompany.cs1.force.com.
This is the solution suggested by the QBWC log file, and it worked for me.
Reference URL
I found I had this problem because my software was trying to load the file
http://developer.intuit.com/uploadedFiles/Support/QBWebConnectorSvc.wsdl
which no longer exists. :(
So I got a WSDL from
https://test.developer.intuit.com/QBWC/TroubleshootWebServiceFS/Service.asmx?wsdl
and put it in my site's root directory, then changed my code to point there, and it worked.

An internal error has occurred. The application may still be initializing or the URL used is invalid

When I try opening the dashDB console from Bluemix, I occasionally get the following error message:
An internal error has occurred. The application may still be
initializing or the URL used is invalid. Check the URL and try again.
For more information, view the server log files.
How can I fix this?
The problem seems to be a cookie caching issue.
1. Get the domain name from the browser window that is displaying the error message, e.g. awh-yp-small02.services.dal.bluemix.net
2. Open the cookie page (for example, in Firefox).
3. Search for cookies with your domain name from step 1.
4. Select all those cookies and delete them by clicking the 'Remove Selected' button.
You should be able to launch now.
WARNING: the above worked for me, but use the above advice at your own risk.

Protecting click once web deployed installations

I have a link on my website to the standard publish page generated by Visual Studio. My concern is that if anybody finds out the URL to that page, they can download my software. Sure, I could password-protect the page with the link, but it still would not be protecting the download URL. Are there any ways to secure the ClickOnce upload? I have looked around, and it seems like I am stuck in this sense.
A public URL is a security issue in ClickOnce deployment. However, there is a solution for your problem if your web server has Windows and .NET installed. Tell me if you have one? I will have to come up with another workaround for a Linux web server in case you have that.
Brief
Firstly, a bit of information about ClickOnce deployment. When you deploy the application, the GET requests on the server made are (assuming WebDir is the publish directory on the server)
G-1. GET /WebDir/setup.exe (initial download)
G-2. GET /WebDir/MyApp.Application (setup.exe -url request)
G-3. GET /WebDir/MyApp.Application (.application deployment provider URL request)
G-4. GET /WebDir/Application Files/MyApp_1_0_0_0/MyApp.exe.manifest (application manifest request)
G-5. GET /WebDir/Application Files/MyApp_1_0_0_0/MyApp.exe.deploy and other .deploy files ... (application file requests)
Implementation
Now, the solution is to intercept these file requests on the server. On IIS, you can attach a custom HTTPHandler and handle the request. On Apache, you can redirect requests to a PHP code using .htaccess files. Apart from this, you will have to generate unique identifier uid for client instances downloaded from the server (can be your license key) and put that in the deployment provider URL query parameters.
Directory Structure
Create an "Application" folder inside your WebDir and restrict access to /WebDir/Application/. Everything else can stay inside /WebDir/.
File Requests
So here's what you do on an Apache web server hosted on a Windows machine:
Create a custom download page or use the one created from publishing the application using Visual Studio (but you will have to edit it manually!). Let's assume that page is /WebDir/Download.php
After authenticating the user from Download.php, you have to send setup.exe from your code (you can do it with readfile() in PHP) to the user. However, the catch is that the bootstrapper (setup.exe), after installing, will do a GET request [G-2]. Don't forget now that you have to validate this file request. So basically you change the "setup.exe -url" property to include uid before returning the file. For example, change it to /WebDir/uid/MyApp.Application [G-2]. You can use MsiStuff.exe to change the URL property for the bootstrapper.
Using a .htaccess file, rewrite [G-2] to /WebDir/Handler.php?user=uid. From Handler.php, you can check if it is a valid uid. If it is valid, you will have to include the uid in the deployment provider URL and "Dependent Assemblies Path" in the deployment manifest so that if an upgrade request comes (it essentially requests the deployment manifest), you can validate the user there too. Add uid to the query string parameters. For example, change it to /WebDir/MyApp.application?user=uid [G-3]. Don't forget that you will have to re-sign the manifests once you modify them. Use Mage or write your own code to do that.
So finally, the GET requests on the server will be (assuming uid=1f3rd)
G-1. GET /WebDir/Download.php
     Action: return setup.exe with the -url changed
G-2. GET /WebDir/Application/setup.exe/1f3rd/MyApp.Application
     Action: redirect, validate user, change URL, re-sign and return file
G-3. GET /WebDir/Application/setup.exe/MyApp.Application?user=1f3rd
     Action: redirect, validate user and return file
G-4. GET /WebDir/Application/1f3rd/Application Files/MyApp_1_0_0_0/MyApp.exe.manifest
     Action: redirect, validate user and return file
G-5. GET /WebDir/Application/1f3rd/Application Files/MyApp_1_0_0_0/MyApp.exe.deploy and other .deploy files ...
     Action: redirect, validate user and return file
Pros
Application is successfully deployed and upgraded only if all the requests have a valid uid in the URL present.
You can now identify different instances of application on client systems. You can track the update history, do a selective version upgrade/downgrade and much more !
Cons
You will need a Windows server to implement the above since you need mage.exe | your-own-.NET-code-signing-application and MsiStuff.exe.
You may have minor performance issues since you are performing validation on every file request. You can choose to skip validation on .manifest and .deploy file requests.
You will have to ensure proper security for the company's certificate, which will be present on the web server for signing (you can store it on the server's local file system if you have the full server to yourself; in that case, it is fine unless somebody breaks into the machine itself!).
If you want me to make something clear or explain in detail, feel free to ask. In case you have suggestions for modification to the above, post that too.
I will write a detailed CodeProject article if I have spare time someday.
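The answer above sketches the per-uid file serving for Apache with .htaccess and PHP, and mentions that on IIS the same job goes to a custom HTTP handler. As an added example (not the answer's code), here is that IIS variant written as an ASP.NET MVC 2 controller covering the G-4/G-5 requests: it validates the uid, refuses anything that is not a ClickOnce artifact, and canonicalises the requested path so a catch-all route parameter cannot be used to walk out of the publish directory. The deployment-manifest rewriting and re-signing for G-2/G-3 is deliberately not included. The App_Data/ClickOnce location, the in-memory uid list, the route name and the controller/action names are all assumptions; App_Data is used because IIS refuses to serve it directly, so the files are only reachable through this action.

```csharp
// ClickOnceController.cs -- added example of the "custom HTTPHandler on IIS" variant the answer
// mentions, written as an ASP.NET MVC 2 controller. Not the original answer's Apache/PHP code.
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Hosting;
using System.Web.Mvc;

public class ClickOnceController : Controller
{
    // Assumption: published files live under App_Data, which IIS never serves directly,
    // so the only route to them is this action.
    private static readonly string PublishRoot = HostingEnvironment.MapPath("~/App_Data/ClickOnce");

    // Hypothetical uid store standing in for your licence/installation table.
    private static readonly HashSet<string> ValidUids =
        new HashSet<string>(StringComparer.Ordinal) { "1f3rd" };

    // Only ClickOnce artifacts are ever returned; anything else (web.config, .cs, ...) is a 404.
    private static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".application", "application/x-ms-application" },
            { ".manifest",    "application/x-ms-manifest" },
            { ".deploy",      "application/octet-stream" },
        };

    // Route to register in Global.asax RegisterRoutes() ahead of the default route (assumed name):
    //   routes.MapRoute("ClickOnce", "Application/{uid}/{*file}",
    //                   new { controller = "ClickOnce", action = "Fetch" });
    // Serves the G-4/G-5 requests from the answer, e.g.
    //   GET /Application/1f3rd/Application%20Files/MyApp_1_0_0_0/MyApp.exe.manifest
    public ActionResult Fetch(string uid, string file)
    {
        string physical = ResolveFile(uid, file, PublishRoot, ValidUids);
        if (physical == null)
        {
            // One 404 for a bad uid, a missing file and a traversal attempt: nothing to enumerate.
            throw new HttpException(404, "Not Found");
        }
        return File(physical, ContentTypes[Path.GetExtension(physical)]);
    }

    // Pure validation/resolution step, kept separate so it can be unit-tested without IIS.
    // Returns the physical path to serve, or null when the request must be refused.
    internal static string ResolveFile(string uid, string relativeFile, string publishRoot,
                                      ICollection<string> validUids)
    {
        if (string.IsNullOrEmpty(uid) || !validUids.Contains(uid)) return null;
        if (string.IsNullOrEmpty(relativeFile)) return null;

        try
        {
            if (!ContentTypes.ContainsKey(Path.GetExtension(relativeFile))) return null;

            // Canonicalise both sides and require the result to stay inside the publish root;
            // this rejects "..", rooted paths and backslash tricks carried by the catch-all parameter.
            string root = Path.GetFullPath(publishRoot).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
            string full = Path.GetFullPath(
                Path.Combine(root, relativeFile.Replace('/', Path.DirectorySeparatorChar)));
            if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;

            // Controller.File() shadows System.IO.File inside a controller, hence the full name.
            return System.IO.File.Exists(full) ? full : null;
        }
        catch (ArgumentException)     { return null; } // illegal path characters
        catch (NotSupportedException) { return null; } // malformed drive-relative paths
    }
}
```

The route only applies because the /Application/{uid}/... URL space does not exist on disk: MVC's default RouteExistingFiles=false skips routing for paths that map to real files, which is exactly why the real files must sit somewhere IIS will not serve (App_Data here) rather than under /WebDir/Application/ as a plain folder. Validating on every request costs a dictionary lookup and a path canonicalisation; if you take the answer's suggestion to skip validation for .manifest and .deploy requests, keep the path check, since that is what stops the catch-all parameter from reaching files outside the publish root.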