I have developed a website which contains a few pages, for example:
http://localhost:32080/PlanSummary.aspx
However, when I type /djwfjafjd or any random character or string after the aspx page, I can still access the website normally without any 404 error. (Browser still displays PlanSummary.aspx page) But it should display an error like 404 that this page does not exist.
http://localhost:32080/PlanSummary.aspx/djwfjafjd
At this point, if I click on another link on the page, for example ProductionPlan.aspx, it will navigate to http://localhost:32080/PlanSummary.aspx/ProductionPlan.aspx but the browser still displays the PlanSummary.aspx page.
I earlier believed that this had something to do with error handling; I am currently using httpErrors to handle 404 and 500 errors and it works perfectly. I tested it by accessing http://localhost:32080/PlanSummaryxxxxxx.aspx and it redirected me to the "friendly" not-found page that I created.
Right now I really don't know what is the cause of this problem. Please let me know if I need to provide more information.
Related
I have been wracking my brain around things that might reveal the server IP of a hosted solution. I came across the following as per the pen tester report.
Notes on the screenshot:
I have blurred out the website URL
The highlighted says: default.aspx
The server IP is shown in the rectangular box in the screenshot.
Contents of default.aspx (the highlighted filename in the screenshot):
<%@ Page language="c#" Codebehind="default.aspx.cs" AutoEventWireup="True" Inherits="umbraco.UmbracoDefault" trace="true" validateRequest="false" %>
My question:
As per MSDN for this issue, I am suspecting that the attribute trace="true" is giving away the IP.
Could that be giving away the IP?
Also, would that affect the logging that is present in the code if I switch it to false?
Note: As a developer I am not allowed access to debug this issue in Production, so this is one of those instances where I have to work on instincts and suspicions.
Update:
I do see one line of code in another file, though I investigated and it should not return hardcoded IPs. But let me know if you think removing this could be a solution. This is part of the Page_Load function:
Response.AddHeader("REFRESH", "0; URL=https://" + Request.ServerVariables["SERVER_NAME"] + Request.ServerVariables["PATH_INFO"] + (strQueryString == "" ? "" : "?" + strQueryString));
I was able to find 2 solutions to this problem. I would like to post it here in case it would help someone in future.
Code side solution
It turns out the trace=true was the culprit here. Based on the documentation here (thanks to @user2864740), I changed it back to false and it stopped the trace.
Server-side solution
Additionally, we can also disable trace messages altogether in Production using an entity in IIS - Request Filtering
Disable HTTP TRACK and TRACE
In order to disable the HTTP TRACK verb, please follow the instructions below. This vulnerability might be flagged because the HTTP TRACE verb is allowed as well, so it’s a good idea to disable both.
Go to IIS Manager
Click the website name
Double click “Request Filtering” (If you don’t see Request Filtering icon, please install it)
Go to “HTTP Verbs” tab
Click “Deny Verb” from the Actions menu. Type “TRACE”. Click “OK”
Click “Deny Verb” from the Actions menu. Type “TRACK”. Click “OK”
Testing
If you want to test if this setting works, you can try to send a TRACE request to IIS via telnet. If it fails with 404 code, it means this request is blocked. Steps to test the setting:
In your client machine, open Command Prompt
Type telnet 80
Type the text below. Continue to enter characters even though the window won’t show what you are typing
TRACE / HTTP/1.1
Host: websitedomain.com
HostA: Hello
Hit Enter twice
If it shows HTTP/1.1 404 Not Found, it means the setting is working. TRACE is disabled.
If it shows HTTP/1.1 200 OK, it means the setting is not working. TRACE is allowed.
The only downside to this method is you won't see any trace messages at all. So if that seems to be a concern you should go with code side solution.
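The telnet test above can be scripted. The following is an added example, not part of the original answer: it sends the same request for both verbs and applies the 404/200 reading given above. The function names, the `Connection: close` header and the sample responses are assumptions of this example; the host name is the page's placeholder.

```python
import socket

VERBS = ("TRACE", "TRACK")  # the two verbs denied in Request Filtering above


def build_request(verb: str, host: str) -> bytes:
    """Same request the telnet test types by hand, ended by a blank line."""
    lines = [f"{verb} / HTTP/1.1", f"Host: {host}", "HostA: Hello",
             "Connection: close", "", ""]
    return "\r\n".join(lines).encode("ascii")


def classify(raw: bytes) -> str:
    """Map the status line to the outcome the answer describes."""
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "inconclusive (not an HTTP response)"
    code = int(parts[1])
    if code == 404:
        return "blocked"
    if code == 200:
        return "allowed"
    # Any other status is reported as-is rather than guessed at.
    return f"inconclusive (status {code})"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Send each verb to a server you administer and classify the reply."""
    results = {}
    for verb in VERBS:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(verb, host))
            results[verb] = classify(sock.recv(4096))
    return results


# Constructed sample responses, so the classifier can be exercised offline.
SAMPLE_BLOCKED = b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/10.0\r\n\r\n"
SAMPLE_ALLOWED = b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_BLOCKED), "/", classify(SAMPLE_ALLOWED))
    # print(probe("websitedomain.com"))  # placeholder host from the page
```

Running `probe` after each Request Filtering change gives a repeatable check that both verbs, not only TRACE, return 404.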
I want to redirect to an error page when an HTTP error occurs in my web site. It is working well locally, but the live site returns messages instead of the default redirection.
I use the following code part in web config
Remove existingResponse='replace'; otherwise follow the link below
Error Solution
I am getting the following error in the page and the page isn't redirecting properly.
Firefox has detected that the server is redirecting the request for
this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.
The error is generated when I open the login page in two tabs of the same browser,
log in on the first tab, and then try to log in on the second
tab; at that point I get this error message.
Can someone help me to fix this error? I want to solve this error with ASP.NET, C#.
To solve this problem there is no need to delete all of your cookies, simply delete the ones associated with your Google and YouTube accounts. Here's how:
- Click Tools/Options/Privacy
- Click "Remove Individual Cookies"
- In the Cookies Window type "accounts" (no quotes) into the Search box
I have my app that is creating an XML file with the XMLTextWriter class in ASP .Net C#. I create a nicely formed XML file, then spit out a link for the user. When I click on the link, I receive an error saying that the page cannot be displayed:
"HTTP Error 405 - The HTTP verb used to access this page is not allowed."
However, at this point I place my cursor in the address bar of the browser, hit Enter and voilà, my nice XML file is displayed.
Why does it take an Enter to make my browser behave?
What can I do to correct this so that when we click on the link the XML file displays without needing the extra Enter in the browser address bar?
I already went into my web server and added the XML MIME type to the registered MIME types at the web server level.
I am wondering what could be the problem?
From the error message it seems there is something wrong with the link you are using.
View the source from your browser and verify that the tag is pointing to the correct location. Also, make sure it is only pointing to the one document and not doing anything else like calling javascript functions or posting back.
Two aspx pages are involved in the problem. In one form I am collecting the entity and binding it to a session variable, and then on a button click I am trying to get to the other aspx page with the Response.Redirect("") method. But the problem is that it gives me an error message with a strange URL.
Let me show you the code I have written:
formSaleMoneyReceiptEntity = ViewFormSaleMoneyReceipt_DAO.GetMoneyReceiptByFormSL(formSl);
Session["MoneyReceipt"] = formSaleMoneyReceiptEntity;
Response.Redirect("~/Reports/MoneyRepeiptFormReport.aspx",false);
I am using localhost and the URL I am getting is this:
http://www.google-feed.net/results.php?q=localhost 5808 StudentManagement FormSaleMoneyReceipt aspx &cx=002904446094441487865%3Ate-nlsbrcdy&cof=FORID%3A10&ie=UTF-8&said=&do=search&empty=0&from=2&CID=1
Why is this so? I don't have any idea. Please help me out.
It looks like the URL that is passed to the browser doesn't exist, so you're getting a redirect to a Google search page instead.
Is it ~/Reports/MoneyReceiptFormReport.aspx by any chance?
A good tool to use to debug this kind of situation is Fiddler. This sits as a proxy between your Web server and your browser and issues a trace of what requests and responses are made. Browsers have a habit of reformatting error messages; Fiddler will show you exactly what's sent to the server and what comes back.