UAG 2010 exposing Detailed Error Information - 403.14 Forbidden

  • Question

  • Hello,

    I am troubleshooting a weird security issue where UAG is exposing internal URLs and physical paths.

    My customer did a vulnerability scan of the UAG portal and they could not find any flaws except one weird one, related to this vulnerability - OWASP-CM-006.

    When I access the portal using the URL like this: https://portal.some.url/internalsite/ I would get the following error:

    Now, this is clearly exposing the internal configuration of application, being UAG in this case. This security vulnerability is characterized as "Medium or low risk", but I would like to see it solved.

    I did some digging and I discovered that if you type some URL that is listed on the "URL list" tab on the "Advanced trunk configuration" window, you would always get this message.  For example, if I type https://portal.some.url/internalsite/favicon.ico I would get a similar message because there is a rule (/internalsite/favicon\.ico) that allows this URL. But, contrary to the first example (https://portal.some.url/internalsite/), if I type "https://portal.some.url/internalsite" (notice that there is no leading backslash), I would get the expected UAG message "You have attempted to access a restricted URL".

    The weird thing is that this "Detailed Error Information" should only appear if someone accesses the IIS web site from local host and when someone remotely accesses the URL he should only get the HTTP error response code, being 403.14 in this case.

    Now, how do I show only the HTTP error response code, and even better, how do I show "You have attempted to access a restricted URL" without breaking the UAG portal?

    Thanks,

    Dinko

     

    Thursday, August 11, 2011 12:52 PM

Answers

  • Thanks Ran.

    I've thought that something like this was the case, but thank you for describing it in more detail.

    I have now managed to hide the internal paths by editing the ApplicationHost.config file. I've added the following line:

        <location path="Default Web Site/InternalSite">
            <system.webServer>
                <httpErrors errorMode="Custom" />
                <defaultDocument enabled="true">
                    <files>
                        <clear />
                        <add value="Default.htm" />
                        <add value="Default.asp" />
                        <add value="index.htm" />
                        <add value="index.html" />
                        <add value="iisstart.htm" />
                        <add value="default.aspx" />
                    </files>
                </defaultDocument>
                <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
            </system.webServer>
        </location>

    This effectively disabled display of full error details. "Custom" actually means:

    "Replaces the error that the module or server generates with a custom page that you specify. This mode is useful in providing friendlier error messages to end users.

    Note: This setting turns off detailed errors, even for local requests."

    Now the webpage returned looks like this:

    But what if I wanted to completely hide the fact that this URL exists? I've managed to do this by replacing the error page returned in response to the 403.14 response code:

        <location path="Default Web Site/InternalSite">
            <system.webServer>
                <httpErrors errorMode="Custom">
                    <remove statusCode="403" subStatusCode="14" />
                    <error statusCode="403" subStatusCode="14" prefixLanguageFilePath="%SystemDrive%\inetpub\custerr" path="404.htm" />
                </httpErrors>
                <defaultDocument enabled="true">
                    <files>
                        <clear />
                        <add value="Default.htm" />
                        <add value="Default.asp" />
                        <add value="index.htm" />
                        <add value="index.html" />
                        <add value="iisstart.htm" />
                        <add value="default.aspx" />
                    </files>
                </defaultDocument>
                <directoryBrowse enabled="false" showFlags="Date, Time, Size, Extension" />
            </system.webServer>
        </location>

    Now when I access that URL I receive the following message:

    404 - File or directory not found.

    The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

     

    Which is exactly what I wanted! This solves the security issue when someone browses to the https://portal.some.url/internalsite/ because it appears as though the resource does not exist.

    Dinko




    Thursday, August 11, 2011 7:51 PM

All replies

  • Same here, how big of a security issue is this?
    Thursday, August 11, 2011 1:05 PM
  • The weird thing is that this "Detailed Error Information" should only appear if someone accesses the IIS web site from local host and when someone remotely accesses the URL he should only get the HTTP error response code, being 403.14 in this case.

     

    Thanks,

    Dinko



    Hi Dinko,

    actually this is not weird at all :)

    The way UAG works is that the IIS web site representing the UAG trunk receives the HTTP requests from the internet, and then the UAG components running within the context of this web site create new HTTP requests and send them to their destination. In the case of requests that are destined to reach the InternalSite or the PortalHomePage, those too are re-sent by the trunk web site, and they are sent internally within the UAG server, to the Default Web Site, which listens on localhost:6001 (you can see this also in the screenshot that you posted here). And this is why the Default Web Site perceives these requests as local requests and provides detailed error descriptions.

    Regards,


    -Ran
    Thursday, August 11, 2011 2:10 PM
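The following is an added example, not code from this thread, from UAG or from IIS. It is an offline audit script that reads a copy of applicationHost.config and reports, for the InternalSite location, what IIS would serve to a request that the Default Web Site perceives as local, which, per Ran's explanation of the localhost:6001 re-send, is every request the trunk forwards. The errorMode semantics it models are the documented IIS ones quoted in the accepted answer (Custom turns off detailed errors even for local requests) plus the IIS default of DetailedLocalOnly when the attribute is absent. The two config samples are constructed: the "leaky" one has no httpErrors element at all, the "fixed" one is the accepted answer's second block. Run it against the real file by replacing the sample text with the file's contents.

```python
"""Offline audit of IIS httpErrors settings for the UAG InternalSite scenario.

Added example (not code from the thread, UAG or IIS).  Models the errorMode
semantics the thread relies on:

  Detailed          -> full error details for every request
  DetailedLocalOnly -> details only for requests from the local machine (IIS default)
  Custom            -> the configured custom page, even for local requests

Because the UAG trunk re-issues InternalSite requests to localhost:6001, the
Default Web Site sees them as local, so DetailedLocalOnly leaks physical paths.
"""
import xml.etree.ElementTree as ET

IIS_DEFAULT_MODE = "DetailedLocalOnly"  # what IIS assumes when errorMode is absent

# Constructed sample: an unhardened location (no httpErrors element at all).
LEAKY_CONFIG = r"""<configuration>
  <location path="Default Web Site/InternalSite">
    <system.webServer>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>"""

# Constructed sample built from the fix posted in the accepted answer.
FIXED_CONFIG = r"""<configuration>
  <location path="Default Web Site/InternalSite">
    <system.webServer>
      <httpErrors errorMode="Custom">
        <remove statusCode="403" subStatusCode="14" />
        <error statusCode="403" subStatusCode="14"
               prefixLanguageFilePath="%SystemDrive%\inetpub\custerr" path="404.htm" />
      </httpErrors>
      <directoryBrowse enabled="false" />
    </system.webServer>
  </location>
</configuration>"""


def child(elem, tag):
    """First direct child with the given tag (system.webServer contains a dot,
    so a plain scan is safer than an ElementPath expression)."""
    return next((c for c in elem if c.tag == tag), None)


def body_kind(error_mode, request_is_local):
    """Which error body IIS serves under errorMode for a local or remote request."""
    mode = error_mode or IIS_DEFAULT_MODE
    if mode == "Detailed":
        return "detailed"
    if mode == "Custom":
        return "custom"
    if mode == "DetailedLocalOnly":
        return "detailed" if request_is_local else "custom"
    raise ValueError("unknown errorMode: %r" % mode)


def audit_location(config_xml, location_path, request_is_local=True):
    """Report how one <location> handles errors.  request_is_local=True is the
    UAG case: the trunk's re-sent request arrives over loopback."""
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == location_path), None)
    if loc is None:
        raise LookupError("no <location path=%r> in config" % location_path)
    web = child(loc, "system.webServer")
    errs = child(web, "httpErrors") if web is not None else None
    mode = errs.get("errorMode") if errs is not None else None

    # Per-status overrides, keyed "status.substatus" as IIS reports them (403.14).
    overrides = {}
    if errs is not None:
        for e in errs.findall("error"):
            code = "%s.%s" % (e.get("statusCode"), e.get("subStatusCode", "0"))
            overrides[code] = e.get("path", "")

    kind = body_kind(mode, request_is_local)
    return {
        "errorMode": mode if mode else IIS_DEFAULT_MODE + " (implicit default)",
        "body": kind,
        "leaks_physical_path": kind == "detailed",
        "overrides": overrides,
        # The answer's trick: serve the 404 page body for 403.14 so the directory
        # appears not to exist.  Only the body changes; see the note below.
        "403_14_looks_like_404": overrides.get("403.14", "").lower() == "404.htm",
    }


if __name__ == "__main__":
    for name, cfg in (("before", LEAKY_CONFIG), ("after", FIXED_CONFIG)):
        print(name, audit_location(cfg, "Default Web Site/InternalSite"))
```

One caveat the script's last field hints at: with the default responseMode="File", IIS serves the contents of 404.htm but keeps the original status line, so an external client still receives HTTP 403 (with sub-status 14 in the IIS log), not 404. The page body no longer reveals the physical path or that a directory listing was refused, which is what the scanner flagged, but a tester who compares status codes rather than bodies can still tell /internalsite/ apart from a genuinely missing resource. Verify the fix from outside with a plain HTTP client and look at the status line as well as the body.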
  • Ran (or anyone at MSFT) can you confirm if doing this is within the support boundaries for UAG?

    Thanks

    Wednesday, April 18, 2012 11:25 AM
  • Also, incidentally I believe the detailed error is due to the call from UAG being an internal 'loopback' call to localhost, so triggering IIS to think it is a local call - and by default on UAG boxes local calls get detailed errors (whereas remote requests get custom errors).  By forcing all errors to custom it will hide the detailed error.
    Wednesday, April 18, 2012 11:46 AM