Lync IIS application pool support for ASP.net v. 4

  • Question

  • We are trying to fix the following PCI vulnerability:

    Microsoft ASP.NET ValidateRequest Filters Bypass Cross-Site Scripting Vulnerability

     

    The current workaround for this issue is as follows:

    In web.config, in the <system.web> section, add:

    <httpRuntime enableVersionHeader="false" />

    However, the external website does not contain the system.web section. If we add it there, the site breaks.

    Two questions:

    1. What is the best way to fix this vulnerability? Can we add this header somewhere else?

    2. Can we update the application pool in IIS to ASP.net 4 from 2.0? According to our security team that will fix the problem as well.

    Any help is greatly appreciated. Thank you.

    Friday, June 22, 2012 5:00 PM
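
A check for the setting named in the question, as an added example that is not part of the original thread and not Microsoft's or the Lync product's code: it reads a single web.config and reports whether `httpRuntime enableVersionHeader="false"` is present, including the case the poster describes where the file has no system.web section. The sample files and the function name `audit_version_header` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files, not taken from any real Lync deployment.
NO_SYSTEM_WEB = """<configuration>
  <system.webServer><defaultDocument enabled="true" /></system.webServer>
</configuration>"""

HEADER_ON = """<configuration>
  <system.web><httpRuntime maxRequestLength="4096" /></system.web>
</configuration>"""

HEADER_OFF = """<configuration>
  <location path="." inheritInChildApplications="false">
    <system.web><httpRuntime enableVersionHeader="false" /></system.web>
  </location>
</configuration>"""


def audit_version_header(xml_text):
    """Classify one web.config by its httpRuntime enableVersionHeader setting.

    Returns 'no-system.web', 'no-httpRuntime', 'enabled' or 'disabled'.
    Assumptions: only this file is inspected (settings inherited from parent
    configuration files are not resolved) and <configuration> carries no
    XML namespace.
    """
    root = ET.fromstring(xml_text)
    # system.web may sit directly under <configuration> or inside <location>.
    sections = root.findall("system.web") + root.findall("location/system.web")
    if not sections:
        return "no-system.web"
    runtimes = [rt for s in sections for rt in s.findall("httpRuntime")]
    if not runtimes:
        return "no-httpRuntime"
    # The attribute defaults to true, so only an explicit "false" counts.
    if all(rt.get("enableVersionHeader") == "false" for rt in runtimes):
        return "disabled"
    return "enabled"


if __name__ == "__main__":
    samples = [("no section", NO_SYSTEM_WEB), ("default", HEADER_ON),
               ("hardened", HEADER_OFF)]
    for name, text in samples:
        print(f"{name}: {audit_version_header(text)}")
```
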

Answers

  • Hi,

    Please post your question to the Lync MSDN forum, where you can get more help:

    http://social.msdn.microsoft.com/Forums/en-US/category/uc


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    Tuesday, June 26, 2012 7:32 AM
    Moderator