Post by stormforce5 on Jul 24, 2015 14:11:14 GMT -5
How do I stop the RB server giving out errors if you specify an invalid URL... especially as this displays your installation folder etc., etc., which gives a medium risk error on penetration tests... such as
tenbridge.co.uk/test - gives
Application Error
A fatal error has occurred in this application. Please contact this site's administrator.
ERROR_FILE_NOT_FOUND ("d:\rbp101\public\test")
Also need to prevent the echo statement disclosing information about the RB server to anyone on the internet...
tenbridge.co.uk/echo (used to display the below; I use IIS now to trap /echo and block it, but if you're not using IIS then you get the below displayed to a hacker or anyone!! I've removed my personal IPs with x.x.x. *** removed ***)
Echo Information
Environment Variables
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
REQUEST_METHOD: GET
SERVER_PORT: 81
HTTP_X_ORIGINAL_URL: /echo
X_FORWARDED_FOR: ::2:50358
SERVER_PROTOCOL: HTTP/1.0
HTTP_CONNECTION: Keep-Alive
HTTP_MAX_FORWARDS: 10
REMOTE_ADDR: 192.x.x.x *** removed ***
X_ARR_LOG_ID: fd5f2e4a-4d9f-47d5-90f8-1c3b6ed5fd9d
GATEWAY_INTERFACE: HTTP/1.0
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36
HTTP_X_ARR_LOG_ID: fd5f2e4a-4d9f-47d5-90f8-1c3b6ed5fd9d
HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8
HTTP_ACCEPT_ENCODING: gzip, deflate, sdch
HTTP_HOST: 192.x.x.x *** removed ****
SERVER_SOFTWARE: Run BASIC
X_ORIGINAL_URL: /echo
PATH_INFO: /echo
SERVER_NAME: localhost
HTTP_X_FORWARDED_FOR: ::2:50358
Service Description
a VisualWave.WaveHTTPRequestBroker on host localhost port 81
I use IIS as a front end to URL rewrite to the RB server (so I can have SSL working on RB)...
I can stop the /echo bit, but these 2 problems cause Run BASIC to give 'Medium Risk' alerts on external penetration tests.
This means Run BASIC is giving too much info away to hackers etc., etc.
What can be done?
Help please
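A response-body check for the two leaks described in the post, as an added example that is not part of the original post or of Run BASIC: it scans bodies returned through the front end for the path, error-code and /echo signatures quoted above. The function names and the `/missing` sample are assumptions made here; the other two samples are abridged from the post.

```python
import re

# Leak signatures derived from the two responses quoted in the post.
SIGNATURES = {
    # Absolute Windows path such as d:\rbp101\public\test
    "filesystem_path": re.compile(r'[A-Za-z]:\\[^\s"<>()]+'),
    # Internal error constant such as ERROR_FILE_NOT_FOUND
    "internal_error_code": re.compile(r'\bERROR_[A-Z][A-Z_]*\b'),
    # CGI-style "NAME: value" lines from the /echo environment dump
    "environment_variable": re.compile(
        r'^((?:HTTP|SERVER|X)_[A-Z_]+|REMOTE_ADDR|PATH_INFO|'
        r'GATEWAY_INTERFACE|REQUEST_METHOD):[ \t]', re.MULTILINE),
    # Server class name from the "Service Description" line
    "server_internals": re.compile(r'\bVisualWave\.\w+'),
}

def find_disclosures(body):
    """Map each leak kind to the sorted, unique strings found in body."""
    findings = {}
    for kind, pattern in SIGNATURES.items():
        hits = set()
        for m in pattern.finditer(body):
            # Use the capture group when the pattern has one, else the match.
            hits.add(m.group(m.lastindex or 0))
        if hits:
            findings[kind] = sorted(hits)
    return findings

def audit(responses):
    """responses: {path: body}. Return only the paths whose body leaks."""
    return {path: found for path, body in responses.items()
            if (found := find_disclosures(body))}

# Sample bodies: /test and /echo are abridged from the post,
# /missing is a constructed generic 404 body.
SAMPLES = {
    "/test": "Application Error\n"
             + r'ERROR_FILE_NOT_FOUND ("d:\rbp101\public\test")' + "\n",
    "/echo": "Echo Information\nEnvironment Variables\n"
             "REQUEST_METHOD: GET\nSERVER_PORT: 81\n"
             "SERVER_SOFTWARE: Run BASIC\nPATH_INFO: /echo\n"
             "Service Description\n"
             "a VisualWave.WaveHTTPRequestBroker on host localhost port 81\n",
    "/missing": "404 - Not Found\n",
}

if __name__ == "__main__":
    for path, found in audit(SAMPLES).items():
        print(path, found)
```

Run against bodies fetched through the public front end after each configuration change, an empty result from `audit` means none of these signatures reached the client.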