timorris / elmah

Automatically exported from code.google.com/p/elmah
Apache License 2.0

Update NuGet packages with more secure registration of handlers #270

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Start Visual Studio 2010
2. Add a new ASP.NET Web Application project
3. Using NuGet, add the elmah[1] package (v1.2.0.1 at the time of this reporting)
4. Build the solution
5. Navigate to elmah.axd under the web application root to get the error log display
6. Navigate to foobar/elmah.axd under the web application root

What is the expected output? What do you see instead?

Expected step 6 to produce a 404. Instead, the error log is displayed.

The registered path for the handler (i.e. elmah.axd in the default configuration) should be the only way to reach the error log display and feeds. Having more than one path requires more work and care to secure using built-in authorization mechanisms, especially when remote access is enabled. The default configuration should be updated according to the newer[2] guidelines found at the SecuringErrorLogPages wiki[3] so as to enable users to fall into the "pit of success".

For more background, see:
ASP.NET session hijacking with Google and ELMAH
http://www.troyhunt.com/2012/01/aspnet-session-hijacking-with-google.html

[1] http://nuget.org/packages/elmah
[2] http://code.google.com/p/elmah/source/detail?r=44eb2e16fe7bd19d4ca8eb9cd863110e58de86b6&repo=wiki
[3] http://code.google.com/p/elmah/wiki/SecuringErrorLogPages
[4] http://blogs.msdn.com/b/brada/archive/2003/10/02/50420.aspx

Original issue reported on code.google.com by azizatif on 18 Jan 2012 at 7:05
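The configuration shape the report asks for, shown as an added example rather than the issue's or the ELMAH package's own web.config (the `admin` role name and the `ELMAH` handler name are assumptions). The commented-out "before" is the application-scoped registration the steps above exercise: a handler mapped under `<system.web>/<httpHandlers>` at application scope is served for any request whose file name is elmah.axd, so an `<authorization>` rule scoped to `path="elmah.axd"` guards only the root URL while `foobar/elmah.axd` stays reachable. Placing the handler registration and the authorization rule inside the same `<location>` element maps the handler at that one path only, so the two line up.

```xml
<?xml version="1.0"?>
<!-- Added example, not the ELMAH package's web.config.transform. -->
<configuration>

  <!-- BEFORE (application-scoped registration, the shape reproduced in the issue):

  <system.web>
    <httpHandlers>
      <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd"
           type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
    </handlers>
  </system.webServer>

  With this shape, /elmah.axd and /foobar/elmah.axd both hit ErrorLogPageFactory,
  but an <authorization> rule written for path="elmah.axd" covers only the first.
  -->

  <!-- AFTER: handler mapping and authorization scoped to the same single path.
       inheritInChildApplications="false" keeps the mapping from leaking into
       child applications under this one. -->
  <location path="elmah.axd" inheritInChildApplications="false">
    <system.web>
      <!-- Classic pipeline (IIS 6 / classic mode). -->
      <httpHandlers>
        <add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
      </httpHandlers>
      <!-- Authorization applies to exactly the path the handler is mapped at.
           "admin" is an assumed role name; use the role your application defines. -->
      <authorization>
        <allow roles="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
    <system.webServer>
      <!-- Integrated pipeline (IIS 7+ integrated mode) needs its own mapping,
           also inside the <location> so it is scoped to the same path. -->
      <handlers>
        <add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd"
             type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
      </handlers>
    </system.webServer>
  </location>

</configuration>
```

With the "after" shape in place, step 6 of the repro (foobar/elmah.axd) no longer reaches the ELMAH handler, because nothing maps it at that path; only the root elmah.axd does, and that path carries the authorization rule. This matters most when `allowRemoteAccess` is turned on in the `<elmah>/<security>` section, since then the only thing standing between a remote client and the log is the authorization rule, which must cover every URL the handler answers on.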

GoogleCodeExporter commented 9 years ago
James, my clone for this issue can be found at:
http://code.google.com/r/azizatif-elmah-pkg-i270/
Reviews are enabled and it includes changes from:
http://code.google.com/r/jamesdriscoll71-security/

Original comment by azizatif on 18 Jan 2012 at 6:45

GoogleCodeExporter commented 9 years ago
Pulled changesets from clones:
http://code.google.com/r/azizatif-elmah-pkg-i270/
http://code.google.com/r/jamesdriscoll71-security/

Original comment by azizatif on 6 Mar 2012 at 9:14