security issue on error page with ASP code

Discussion in 'ASP General' started by Pharoh, Jul 10, 2006.

  1. Pharoh

    Pharoh Guest

    I've inherited an application that I have to both support and maintain
    here at work but it comes with one very big headache...

    The employees who use it are not allowed access to the server it's
    required to sit on which means that my username and password have to be
    included in the logon.asp page which I HATE! So when this fails, it
    publishes my username and password on the screen for the user to
    see...brilliant!

    Since nobody is willing to create a dummy account is there a way that I
    can keep that line of code from displaying if in error? I've added the
    code to this thread...

    thanks!!

    <authentication mode="Windows"/>
    Line 44: <!--<identity impersonate="true"/>-->
    Line 45: <identity impersonate="true" userName="########" password="########"/>
     
    Pharoh, Jul 10, 2006
    #1

  2. Pharoh wrote:
    > I've inherited an application that I have to both support and
    > maintain here at work but it comes with one very big headache...
    >
    > The employees who use it are not allowed access to the server it's
    > required to sit on which means that my username and password have to
    > be included in the logon.asp page which I HATE! So when this fails, it
    > publishes my username and password on the screen for the user to
    > see...brilliant!
    >
    > Since nobody is willing to create a dummy account is there a way that
    > I can keep that line of code from displaying if in error? I've added
    > the code to this thread...
    >
    > thanks!!
    >
    > <authentication mode="Windows"/>
    > Line 44: <!--<identity impersonate="true"/>-->
    > Line 45: <identity impersonate="true" userName="########" password="########"/>


    This looks like an extract from a web.config file, so you're not talking
    about ASP: you are talking about ASP.Net.

    There was no way for you to know it (except maybe by browsing through
    some of the previous questions before posting yours - always a
    recommended practice), but this (I am posting this via
    .inetserver.asp.general) is a classic asp newsgroup.
    ASP.Net is a different technology from classic ASP.
    While you may be lucky enough to find a dotnet-savvy person here who can
    answer your question, you can eliminate the luck factor by posting your
    question to a newsgroup where the dotnet-savvy people hang out. I
    suggest microsoft.public.dotnet.framework.aspnet.

    The answer of course is to use Try...Catch to handle all errors and
    avoid the error page you are talking about.
    Alternatively, you should turn off detailed errors in your production
    web.config. Either:
    <customErrors mode="On" />
    or
    <customErrors mode="RemoteOnly" />


    cc and Followup-To set to microsoft.public.dotnet.framework.aspnet

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
     
    Bob Barrows [MVP], Jul 10, 2006
    #2
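
A check related to the reply above, as an added example that is not part of the original thread: a Python script that flags the two web.config conditions discussed here, detailed errors shown to every client and a literal password on the `<identity>` element. The function names, finding codes and both sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the thread's web.config lines; credentials are placeholders.
SAMPLE_WEAK = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <customErrors mode="Off"/>
    <!--<identity impersonate="true"/>-->
    <identity impersonate="true" userName="EXAMPLE_USER" password="EXAMPLE_PASSWORD"/>
  </system.web>
</configuration>"""

# Constructed counterpart that triggers no findings.
SAMPLE_CLEAN = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <customErrors mode="RemoteOnly"/>
    <identity impersonate="true"/>
  </system.web>
</configuration>"""


def local_name(tag):
    """Drop an XML namespace prefix such as '{uri}identity'."""
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text):
    """Return sorted finding codes for one web.config document (hypothetical helper)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # A malformed file is itself a cause of the configuration error page.
        return ["UNPARSEABLE"]
    findings = set()
    for elem in root.iter():  # XML comments are dropped by the default parser
        name = local_name(elem.tag)
        if name == "customErrors" and elem.get("mode", "").lower() == "off":
            findings.add("DETAILED_ERRORS_TO_ALL")
        elif name == "identity":
            password = elem.get("password", "")
            # Values starting with "registry:" point at a registry entry, not a literal secret.
            if password and not password.lower().startswith("registry:"):
                findings.add("PLAINTEXT_IDENTITY_PASSWORD")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("clean", SAMPLE_CLEAN)):
        print(label, audit_web_config(text))
```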
