Security: information leakage when garbage passed in URL query

[scottliddick]

Here are some example URLs that triggered information leakage within error messages because input is not sanitized:

http://some.site.com/dependencyHandler.axd?s=/../../../../../../../../../../../../../../../../../../../../../Windows/system.ini&t=Javascript&cdv=1511894432
http://some.site.com/DependencyHandler.axd?s=L0xha2VQb3dlbGwvU2l0ZUJhc2UvVGhlbWVzL0NvbW1vbi9TY3JpcHRzL2pxdWVyeS9qcXVlcnktMS4xMS4zLmpzOy9MYWtlUG93ZWxsL1NpdGVCYXNlL1RoZW1lcy9Db21tb24vU2NyaXB0cy9ib290c3RyYXAtMy4zLjUvZGlzdC9qcy9ib290c3RyYXAuanM7L0xha2VQb3dlbGwvU2l0ZUJhc2UvVGhl
http://some.site.com/DependencyHandler.axd?s=whscheck&t=Javascript&cdv=1511894432
http://some.site.com/DependencyHandler.axd?s='&t=Javascript&cdv=1511894432

This will be problematic when an organization is required to perform security scans and these types of unhanded exceptions get flagged for Umbraco-backed sites.

[Shazwazza]

What information leakage are you referring to? What CDF version are you using?

Generally speaking for any production website you should not have `customErrors mode="Off" so that any YSODs that occur don't show any information at all.

In my tests with the above URLs, the only information returned are the errors that these invalid paths create, i'm not sure what sensitive information is being leaked?

[scottliddick]

I apologize for this premature issue report. I have since realized the scan was performed against a pre-prod site instance where customErrors were turned off and debug symbol files were deployed. The customer's production site is unaffected. Closing this as not an issue.