Help needed on POST and GET errors V1.8

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
12 years ago
Hello BClink,

Your post worked for me...

customerreports.aspx was working on my local PC, but when I checked that page on the server it showed the error.

Then I tried your advice to upload the local web.config and it solved my error.

Thanks a lot...
Cheers!
12 years ago
RE: Help needed on POST and GET errors V1.8, 1.9, and the ramifications of any security changes made to work around an issue.

Great! I am glad my post helped! So you know, V2 has a feature to delete the report files that build up over time as you run reports. So, if you have it set to write them to a file in previous versions and don't have an excess of file space, you may want to make yourself a reminder to periodically delete them manually with FTP. Or, if you are a whizbang coder, you can write your own plug-in to iterate the directory and delete them when the file is more than an hour, a day, a week, etc. old. You can then tell it to instantly delete any files with a "bad" extension, just in case someone tries to drop a harmful file via access to the writable folder. You may want to wait a bit before implementing it until you fully understand the new framework.

In the time that has passed since my original post on NOT GIVING FULL ACCESS RIGHTS to the Root, I actually had one new customer whose server (I manage it since the incident) was entirely compromised by a former employee (recently terminated) who knew one password that was not changed after his leaving. He was able to use a newly discovered exploit to write a file and then call it to grant rights elevation, and then could access the entire site, including database connection strings and passwords. It WAS NOT A NOPCOMMERCE SITE and, fortunately, because of other configurations, they were not able to access the database directly.

To prevent this, if you have the capability to do so, consider paying the extra price to have a dedicated hosted box that will allow you to have full admin capability. USE SSL and configure the firewall to block any inbound SQL connections except from specific IPs, on a case-by-case basis, for any computer that needs read-only access to the DB, should you use MS Access or Excel to create an interface to the backend data. Or better yet, don't grant public access at all. Also, configure SQL to only allow connections from the server IP, and make sure that capture is not on in PayPal and other credit card processing. If you use manual processing, maintaining this level of security is paramount to preventing your customers' data from ending up on hackers' websites.

The NopCommerce dev team does a great job of making sure that the programming creates a secure system, so this IS NOT a vulnerability in NopCommerce; it is a general vulnerability/risk on any site that is connected to the Internet directly. The most secure app running on a "loose" server or connecting to a "loose" DB server is wide open.

IMPORTANT! Being a top-of-the-line developer does not always mean having a full understanding of security. However, if you assume that any server you are loading a site on has been compromised already and take the steps to find out how, you will discover things like "unowned" FTP access, old system logins and DB users that are no longer with the company, and O/S tools without proper patches. That is the nature of why the more skilled developers end up with work. Assume that the guy before you was an idiot, even if you know them, and secure the box BEFORE you load your app on it. Set the proper logging to catch indications of hack attempts. Hello Morpheus, no, I don't have Perl installed! Check logs frequently, and let the customer know instantly if you find something that indicates the system was compromised or left vulnerable. Doing this prevents you from becoming the next idiot on the list!

I watched a 12-year-old kid totally shred a team of 50-year-old network security admins' Linux boxes in Vegas a few days ago. These admins run systems for a number of high-visibility targets and were stunned at how fast the kid dueled them. The kid saw a "nickname" on a nametag (and no, I never use my chat nick for a login) and used that one piece of information to guess his login name. Before making any changes that loosen security as a workaround to a problem, research the problem. With Linux, you should validate that the information has come from a source that isn't actually trying to compromise your box, like a 14-year-old kid. With Windows systems, search for the error message on MSDN and always remember, something as simple as posting a fix in a blog can give a hacker an idea on how to open the attack surface on your systems. Example: I fixed the error message at my site http://nowmyboxisvulnerable.com by granting full access to everyone in the world, it works now! You should try it!

If you need any further assistance with making sure you have the maximum security on your site, feel free to reply. I will start a thread on security on the systems your NopCommerce install runs on in the future, as soon as I get done trying to punch holes in V2.0. If you see anything in my posts that indicates I have not considered something that may be a more secure way to solve a problem, let me know. I can take advice from a 14-year-old, now that I have seen hundreds of them running seasoned experts in circles and winning.

Recommendations from the 14-year-old:
1. Change FTP and other access passwords often. "Yeah, so change it in SQL, and the web.config, and the site's admin, but make sure you use encryption on your FTP, HTTP and SQL connections or I can see it in plain text in Wireshark." "If you are not willing to do the work to change them, you WILL GET HACKED."
2. What would you do to secure a server? "I would delete every login but mine, and lock it down to the point that I have to unlock it to make a change and then re-lock it."
3. He told me to check and recheck security on all my systems and said, "The RFID in your credit card has your last name, Mr. *****************, and your phone's Bluetooth is on and has the default device password; you have two unread texts and 1 voicemail, and I have no doubt I can compromise your systems given your lax security with those items." "Check yourself!" I did; I had no nametag on, and his information was correct. Apparently the little box his headphones were in was not just an mp3 player.
4. "Security should NOT be assumed, if you want to be secure."

Quote from Red-vs-Blue: "You set your password to password?", "Yeah, it's so obvious who would guess it?"

Good luck campers, the bears are getting even!
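The reply above suggests a plug-in that sweeps the writable report folder, deleting reports past a retention age and immediately removing anything with a "bad" extension. The following is an added, stand-alone example of that sweeper (my code, not the poster's and not part of nopCommerce, which would implement this as a C# plug-in). It goes a step beyond the post by using an allowlist of report extensions (assumed here to be .csv, .xlsx, .pdf and .html) rather than only a denylist, checks every suffix so a double-extension name like shell.aspx.csv is caught, and refuses to follow symlinks out of the folder. The retention policy, extension sets and the files in the demo are constructed for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed policy for the report folder: only these types are legitimate output.
ALLOWED_EXTENSIONS = {".csv", ".xlsx", ".pdf", ".html"}
# Server-side executable / config types that must never sit in a writable
# web-served folder, whatever else the name looks like.
DANGEROUS_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".exe",
                        ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".config"}


def classify(path: Path, max_age_seconds: float, now: float) -> str:
    """Return 'suspicious', 'expired' or 'keep' for one regular file."""
    suffixes = [s.lower() for s in path.suffixes]
    # Look at every suffix, so 'shell.aspx.csv' is caught, not just the last.
    if any(s in DANGEROUS_EXTENSIONS for s in suffixes):
        return "suspicious"
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        return "suspicious"
    if now - path.stat().st_mtime > max_age_seconds:
        return "expired"
    return "keep"


def sweep_report_dir(directory, max_age_seconds, now=None, dry_run=False):
    """Delete expired reports and anything that is not a report type.

    Returns {'expired': [...], 'suspicious': [...], 'kept': [...]} of file
    names so the caller can log exactly what was removed and why.
    """
    now = time.time() if now is None else now
    root = Path(directory).resolve()
    result = {"expired": [], "suspicious": [], "kept": []}
    for entry in root.iterdir():
        # Skip symlinks and sub-directories: a symlink planted in the writable
        # folder could otherwise make the sweeper delete files elsewhere.
        if entry.is_symlink() or not entry.is_file():
            continue
        verdict = classify(entry, max_age_seconds, now)
        if verdict == "keep":
            result["kept"].append(entry.name)
            continue
        result[verdict].append(entry.name)
        if not dry_run:
            entry.unlink()
    for key in result:
        result[key].sort()
    return result


def demo():
    """Run the sweeper against a constructed temporary folder (sample data)."""
    now = 1_700_000_000.0  # fixed clock so the demo is deterministic
    day = 86_400
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "sales_today.csv": now - 60,          # fresh report: keep
            "sales_lastweek.csv": now - 8 * day,  # older than 7 days: expire
            "orders.pdf": now - 3 * day,          # within retention: keep
            "cmd.aspx": now - 10,                 # dropped web shell: remove
            "shell.aspx.csv": now - 10,           # double extension: remove
            "notes.txt": now - 10,                # not a report type: remove
        }
        for name, mtime in samples.items():
            p = Path(tmp, name)
            p.write_text("constructed sample content\n")
            os.utime(p, (mtime, mtime))
        return sweep_report_dir(tmp, max_age_seconds=7 * day, now=now)


if __name__ == "__main__":
    for verdict, names in demo().items():
        print(f"{verdict}: {names}")
```

Run it with `dry_run=True` first on a real folder and review the "suspicious" list: a report type you forgot to allowlist shows up there rather than being silently deleted. Note that an unexpected file in the writable folder is itself an indicator worth alerting on, not just cleaning up.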