Tag Archives: Security

Security Tag

AntiVirus Software Review Product Comparisons

\r\n

Antivirus Software review

\r\n

\r\n

Why Buy Antivirus Software?

\r\nToday, an unprotected computer isn’t just vulnerable, it’s probably already infected. New viruses, spyware, trojans, worms, and other malware are created every day. New threats are disguised to bypass other security measures, and specifically designed to catch you and your PC off guard.\r\n\r\nThe virus landscape has also changed; viruses that used to be annoying pranks have evolved into pernicious threats capable of not only destroying your computer, but stealing your information and identity.\r\n\r\nThe benefits of installing a basic security solution on your PC are obvious, but the cost in system slowdown used to make it tough to bear. Luckily, modern antivirus software haven’t just improved their level of protection, they’ve significantly improved resource efficiency and overall speed. You can have ultimate protection without giving up your resources. With advanced technologies and straightforward usability, antivirus software is more effective than ever, and doesn’t require constant maintenance from you. Say goodbye to annoying security warnings and noticeable slowdown; current antivirus programs deliver constant protection and can actually speed up your computer.\r\n\r\nThe last generation of antivirus software brought advanced heuristic detection into the mix. Continuing to improve, the 2011 lineup of antivirus products often incorporate further developed proactive protection with better behavior checking and even file reputation analysis. Several of the software incorporate ‘in the cloud’ security and other advanced technologies to increase safety and convenience. From gamer modes, to battery saving settings, to integrated web link scanners; antivirus applications are more versatile and have upped the ante for features and functionality.\r\n\r\nOn antivirus software review site you’ll find a side-by-side comparison of the best antivirus software, helpful articles on computer security, security tips and tricks, buying guides, videos, and comprehensive reviews to help you make an informed decision on which security software is right for you.\r\n

\r\n

What to Look For in Antivirus Software

\r\nAll security software is not created equal. Like all consumer products, antivirus software has the good, the bad, and the mediocre. The choices for antivirus protection are many and varied. Although we haven’t reviewed each and every product available, we feature the absolute best antivirus software available today from a number of providers (including big-hitters, lesser-knowns, and new-comers), and compare them so you can match your needs with the right software.\r\n\r\nRemember when it really comes down to it, effectiveness and usability can either make or break antivirus software. Security programs are only as good as their level of protection, and if you can’t figure out how to use it, you won’t. Our top-ranked antivirus software combine optimal security with user-friendly features and tools.\r\n\r\nBelow are the criteria TopTenREVIEWS uses to evaluate and compare antivirus software:\r\n\r\nScope of Protection\r\nWhile most security solutions tout “multi-layered” protection, “360 degree” defense and/or even “100%” security, some are certainly more thorough than others. The best antivirus solutions will include traditional protection from viruses, worms, Trojans and spyware, but should also include defense from keyloggers, phishing scams, email-borne threats and rootkits. While antivirus programs are by no means full-blown internet security suites, they should protect from as many threats on as many fronts as they can.\r\n\r\nEffectiveness\r\nAntivirus is specifically designed to protect your computer, so if it doesn’t do that well, what good is it? All the features, bells and whistles, or sleek interface can’t make up for poor performance. We look at results from the industry-standard security software testers and professional security organizations to find the most effective software available and evaluate overall effectiveness. In general, our highest ranked programs are also the most effective.\r\n\r\nEase of Installation and Setup\r\nSecurity software shouldn’t be a chore to install, and should have you protected as soon as possible. From download to install, to the first scan; implementing antivirus software should be quick and easy.\r\n\r\nEase of Use\r\nAntivirus software is complex stuff, but shouldn’t require a degree in computer security. The best security programs have all the features security experts want, but are just as easily used by a beginner. Everyday computer users want a security solution that they can install and forget about; software that doesn’t require constant maintenance or have annoying interruptions. The best antivirus software is flexible enough to do exactly what you want to (even if that means running by itself).\r\n\r\nFeatures\r\nA well-rounded feature set takes a security solution from good to great. More than bells and whistles, added features provide security, usability and performance benefits.\r\n\r\nUpdates\r\nSecurity software is only as good as its latest update. Viruses are being identified and added to signature databases all the time, so it’s important that your virus definition list updates accordingly. Modern antivirus software are equipped with automatic updates that perform regularly enough that you get faster updates that don’t slow down your system. The best security providers even “push” updates to you as soon as they’re available.\r\n\r\nHelp & Support\r\nThe best software doesn’t require reading an in-depth manual to use, but still has one available. For specific questions, troubleshooting, and additional help, the best antivirus manufacturers provide superior product support online and off. Additional support for software may come in the form of assistance over the phone, email, live chat, or through a number of additional resources (knowledgebase, FAQs, tutorials).\r\n\r\nA well-balanced antivirus solution is effective, efficient, and easy to use. Combining all the right features with a usable interface; our top antivirus software choices deliver the best security and usability without a serious investment in time, money, or system resources.

Worm or Virus – What is the Difference?

\r\n\r\nEveryone has been infected with a virus at one time or another either through the common cold or the flu. A virus attacks the human body by entering through one of the many openings and attaching itself to a host cell. It releases a piece of genetic information into the cell and recruits the cell’s enzymes to propagate the genetic information. Once the genetic code has been adequately replicated, it destroys the cell and attacks cells nearby.\r\n\r\nHow does a computer virus simulate a biological virus? Just as a biological virus injects its own genetic information into a cell and interferes with the body’s normal operations, a computer virus is a program written to interfere with the proper functioning of a computer. It may damage programs, delete files, reformat hard disks and perform other forms of destructive acts.\r\n\r\nTo be classified as a virus, a program must meet two criteria. It must be able to execute itself by placing its own code in the execution path of another program. The program must also be able to replicate itself by replacing existing computer files with copies of the virus-infected files. Similar to the way a biological virus requires a host cell, a computer virus requires an infected host file to propagate itself.\r\n\r\nViruses have become the villains of the computer world, propagating themselves and destroying everything in their path. However, another tool of destruction, known as the worm, has been creeping into the computer industry. Most of us have heard of the dreaded Blaster worm that attacks Microsoft websites, but what exactly is a worm and how does it differ from a virus? Actually, a worm is a type of virus that attacks the computer in a method differing from the way a typical virus attacks a computer. Unlike the typical virus, the worm does not require a host program to propagate. A worm enters a computer through a weakness in the computer system and propagates itself using network flaws.\r\n\r\nThe typical virus requires activation through user intervention, such as double clicking or sending outgoing email. However, a worm releases a document containing the “worm” macro and sends copies of itself to other computers through network flaws, therefore bypassing any need for user intervention.\r\n\r\nSo, what can you do to protect your computer from virus infection? There are a number of preventative measures that you can take. For example, you can purchase and continually update virus scan software. Make sure that this software contains the “real-time” scanning feature which monitors all incoming and outgoing mail. You may also install a firewall which prohibits unauthorized access to your computer. By installing these preventative devices, you can proactively defend against viruses.\r\n

References:

\r\nAOL.com: What’s the Difference Between Viruses, Worms, and Trojans? (2005).\r\n\r\n Phoenix. CastleCops.biz: What is the Difference Between Viruses, Worms, and Trojans? (2003.)\r\n\r\nSullivan, Rob. SearchEnginePosition.com: The Difference Between Viruses and Worms. SEP. (2004)\r\n\r\nSymantec.com: What is the Difference Between Viruses, Worms, and Trojans? Symantec Corporation. (2005).

Top Rogue Scanners to Avoid

Fake Antivirus scanners, or Rogue scanners come in many forms. Many alter the properties of your browser window to make it look like a legitimate program, when in reality, it’s just a browser window. Others, executed via active-x, script or injected via a Virus, will actually look like a running program. These programs have a single goal, and that is to trick the user into actually installing the program. Once installed, the effects range from annoying to devastating. These programs will produce false alerts telling the user that there is a virus, pornography, and other items on their computer. It then has a fix it button. Once pushed, they are directed to pay a certain amount of money for a solution that never happens.\r\n\r\nSome of these rogue programs are unusually deceiving. Programs like Antivirus 360, use the name 360 because the targeted user may believe that it is directly related to Norton 360. Others use names that lead people to believe that they are legitimate. They even go as far as using an exact replica of Microsoft’s Security center, producing an image like the one below.\r\n

\r\nNotice under “Virus Protection” there is a listing for one of the most common Rogue programs. Here, they want you to click on those buttons, ultimately obtaining your credit card and money from you, with no actual solution to your problem.\r\nHere is a list we have compiled of the Top Ten Rogue Antispyware programs to watch out for, and a description of each one and their tactics. There is actually a very long list, but here are the most commonly seen rogue programs in our experience.\r\n

    \r\n
  1. Antispyware XP 2009 – Uses a replica of the Microsoft Security Center, as pictured above. Antivirus 2009 comes in many names, including Antivirus 2008, Antivirus XP/Vista and Antivirus XP 2009, XP Antispyware 2009
  2. \r\n

  3. Antivirus 360
  4. \r\n

  5. WinCleaner 2009
  6. \r\n

  7. Malware Doctor
  8. \r\n

  9. Spyware XP Guard
  10. \r\n

  11. Spyware Remover 2009
  12. \r\n

  13. Total Protect 2009/Total Defender/Total Security
  14. \r\n

  15. Virus Shield 2009/Virus Shield Pro
  16. \r\n

  17. Windows Security Suite
  18. \r\n

  19. WinAntivirus XP/Vista
  20. \r\n

\r\nShould you come across one of these programs on your system, we highly recommend that you get it removed as quickly as possible. It has been our experience that the longer they stay on the computer, the worse the damage gets.\r\n\r\nBy: Josh Borglund, Toptenreviews

SQL Injection: How To Prevent Security Flaws In PHP / MySQL

\r\n
\r\n
\r\n
\r\n
\r\n
What is SQL Injection\r\nMost new web developers have heard of SQL injection attacks, but not very many know that it is fairly easy to prevent an attacker from gaining access to your data by filtering out the vulnerabilities using MySQL extensions found in PHP. An SQL injection attack occurs when a hacker or cracker (a malicious hacker) attempts to dump the data in a database table in a database-driven web site. In an unprotected and vulnerable site, this is pretty easy to do.\r\n\r\nSQL injection is a common vulnerability that is the result of lax input validation. Unlike cross-site scripting vulnerabilities that are ultimately directed at your site’s visitors, SQL injection is an attack on the site itself, in particular its database.\r\nThe goal of SQL injection is to insert arbitrary data, most often a database query, into a string that’s eventually executed by the database. The insidious query may attempt any number of actions, from retrieving alternate data, to modifying or removing information from the database.\r\n\r\nHow does SQL injection attack works\r\nIn order for an SQL injection attack to work, the site must use an unprotected SQL query that utilizes data submitted by a user to lookup something in a database table. The data could be from a search box, a login form or any type of query used to look up data using data input by user. It also means that querystring data used to query a database can create vulnerabilities.\r\nFor example:\r\n\r\nAn very simple unprotected query might look like this:\r\n\r\n

\r\n

\r\n

\r\n
SELECT * FROM items WHERE itemID = '$itemID'

\r\n

\r\n

Normally, you would expect a user to submit a username and password, which would be used to query the database table to see if the username and password exists. But what if someone used the following instead of a password?

\r\n

‘ OR ‘1′ = ‘1

\r\n

\r\n

\r\n

That would make the query used to look for the password look like this:

\r\n

\r\n
\r\n
SELECT * FROM items WHERE itemID = '' OR '1' = '1'

\r\n

\r\n

\r\n

\r\n

This would always return a True response and could literally display the entire table as the result for the query. This is a pretty scary thought if you are trying to keep your data secure. The problem with SQL injection is that a hacker does not have to know anything about your database or table structure.\r\n\r\nWhat if an error or some other issue caused your table structure to be exposed? Hackers are very good at forcing errors to occur that expose information that allows them to penetrate a site deeper. What if the following was entered in the password field?\r\n\r\n

\r\n

‘; drop table users;

\r\n

\r\n

How to prevent your database from SQL Injection attacks\r\nThere is a method for filtering the data that is used on the right side of the WHERE clause to look up a row in a database. The trick is to escape any characters that may be in the user input portion of the query that could lead to a successful attack.\r\n\r\nUse the following function to add backslashes to suspect characters and filter any data that is input by a user.\r\n\r\n

\r\n

function cleanQuery($string)\r\n{\r\n if(get_magic_quotes_gpc()) // prevents duplicate backslashes\r\n {\r\n  $string = stripslashes($string);\r\n }\r\n  if (phpversion() >= '4.3.0')\r\n  {\r\n   $string = mysql_real_escape_string($string);\r\n  }\r\nelse\r\n{\r\n $string = mysql_escape_string($string);\r\n}\r\nreturn $string;\r\n}\r\n\r\n// if you are using form data, use the function like this:\r\nif (isset($_POST['itemID'])) $itemID = cleanQuery($_POST['itemID']);\r\n\r\n// you can also filter the data as part of your query:\r\nSELECT * FROM items WHERE itemID = '". cleanQuery($itemID)."' "

\r\n

The first part looks to see if magic quotes is turned on. if so, it may have already added backslash escapes though a POST or GET method used to pass the data. If backslashes were added, they need to be removed prior to running it through the rest of the function.\r\n\r\nThe next part checks the PHP version. The built-in function that we want to use is called mysql_real_escape_string. This MySQL function only exists in PHP version 4.3.0 or newer. If you are using an older version of PHP, another MySQL function is used called mysql_escape_string.\r\n\r\nmysql_escape_string is not as effective as the newer mysql_real_escape_string. The newer version escapes the string according to the current character set. The character set is ignored by mysql_escape_string, which can leave some vulnerabilities ope for sophisticated hackers. If you find that you are using an older version of PHP and you are trying to protect sensitive data, you really should upgrade to a current version of either PHP 4 or PHP 5.\r\n\r\nSo what does mysql_real_escape_string do?\r\n\r\nThis PHP library function prepends backslashes to the following characters: \n, \r, \, \x00, \x1a, ‘ and “. The important part is that the single and double quotes are escaped, because these are the characters most likely to open up vulnerabilities.\r\n\r\nFor those who do not know what an escape is, it is a character that is pre-pended to another character. When a character is escaped, it is ignored by the database. In other words, it makes that character ineffective in a query. In the case of PHP, an escaped character is treated differently by the PHP parser. The standard escape character used by PHP and MySQL is the backslash.\r\n\r\nIn the case of the SQL query example used above, after running it through the routine, it now looks like this, which breaks the query :\r\n\r\n

\r\n

\r\n
SELECT * FROM items WHERE itemID = '\' OR \'1\' = \'1'

\r\n

\r\nThis method should stop the bulk of the SQL injection attacks, but crackers and hackers are very creative and are always finding new methods to break into systems. There are additional steps that can be taken to filter out certain words, such as drop, grant, union, etc., but using this method will strip these words from searches performed by you users. However, if you want to add another level of security and do not have an issue with certain words being deleted from queries, you can add the following just before if (phpversion() >= ‘4.3.0′).\r\n

$badWords = array("/delete/i", "/update/i","/union/i","/insert/i","/drop/i","/http/i","/--/i");\r\n$string = preg_replace($badWords, "", $string);

\r\nThis additional step should prevent a malicious attacker from damaging a database if they found a way to slip through. Just remember that is you take this additional step and you have a site where someone might search for a “plumbing union” or a “drop cloth”, those queries would not work as intended. If you are wondering what the trailing ‘i’ is following each word in the array, it is required to make the preg_replace replacements case insensitive. This wasn’t needed with eregi_replace, but that function has been deprecated in PHP 5.3.\r\n\r\nAnother important step that needs to be taken with any database is controlling user privileges. When setting up a MySQL user, you should never assign any more privileges than they actually need to accomplish the tasks that you allow on your site. Privileges are easily assigned and managed thought phpMyAdmin, which is found in the the control panel (cPanel, Plesk, etc.) for most hosting companies.\r\n\r\nUseful Links\r\n

http://en.wikipedia.org/wiki/SQL_injection\r\nhttp://www.learnphponline.com/securi…tion-mysql-php\r\nhttp://dev.mysql.com/tech-resources/…curity-ch3.pdf\r\nhttp://www.tizag.com/mysqlTutorial/m…-injection.php

ASP.Net Vulnerability Patch released: Microsoft Security Bulletin MS10-070

Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

\r\n

\r\n\r\nMicrosoft released ASP.net Vulnerability path through Download centre, for details please click here.\r\n
\r\n\r\nThis security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.\r\n\r\nThis security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection,Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nThis security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.\r\n\r\nRecommendation. Microsoft recommends that customers apply the update at the earliest opportunity.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.\r\n\r\nThe patch is available through Microsoft download centre\r\n\r\n

\r\n

ASP.NET Security Vulnerability Workaround

Update on ASP.NET Vulnerability

\r\n Earlier this week We posted about an ASP.NET Vulnerability.\r\nMicrosoft is actively working on releasing a security update that fix the issues ready for broad distribution across all Windows platforms via Windows Update. We’ll post details about this once it is available.\r\n \r\n\r\nRevised Workaround and Additional URLScan Step\r\nIn our first community post we covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure.\r\nThis additional step can be done at a server-wide level, and should take less than 5 minutes to implement. Importantly, this step does not replace the other steps in the original workaround, rather it should be done in addition to the steps already in it. Below are instructions on how to enable it.\r\n \r\n\r\nInstall and Enable IIS URLScan with a Custom Rule\r\n\r\nIf you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:\r\n\r\n \r\n

\r\nIt takes less than a minute to install on your server.\r\n \r\n\r\nAdd an Addition URL Scan Rule\r\nOnce URLScan is installed, please open and modify the UrlScan.ini file in this location:\r\n

%windir%\system32\inetsrv\urlscan\UrlScan.ini

\r\nNear the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:\r\n\r\n \r\n

[DenyQueryStringSequences]\r\naspxerrorpath=

\r\nThe above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.\r\nAfter saving this change:\r\n\r\n

run “iisreset”\r\nfrom a command prompt (elevated as admin\r\n

\r\nFor the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.\r\n URL Scan Summary\r\nIf you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.\r\nOur team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability. Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications.\r\nOnce we release the security update, you will no longer need to implement any workaround steps.\r\n\r\nThe alternative option: Using IIS request filtering:\r\nThese instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.\r\n1. Install the Request Filtering feature in IIS through either Add/Remove Programs or Role Manger by selecting the feature under Internet Information Services, World Wide Web Services, Security.\r\n2. Launch Internet Information Services (IIS) Manager.\r\n3. Select the server node in the left pane.\r\n4. Double-click Request Filtering.\r\n5. Select the Query Strings tab and click Deny Query String … in the Actions pane.\r\n6. Enter aspxerrorpath= in the dialog box and select OK.\r\n\r\nAlternatively, you can also use the following appcmd command to set this request querystring:\r\n

appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence=’aspxerrorpath=’]

\r\nFor more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.\r\n\r\nConfigure ASP.Net applications to use uniform custom errors\r\nIn the root folder of each ASP.NET web application, determine if you already have a web.config file in this folder. You must have rights to create a file in the target directory to implement this workaround.\r\nIf the ASP.NET application does not have a web.config file:\r\n\r\nOn .NET Framework 3.5 and earlier\r\n1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:\r\n

<configuration>\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” defaultRedirect=”~/error.html” />\r\n</system.web>\r\n</location>\r\n</configuration>

\r\n2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.\r\n\r\nOn .NET Framework 3.5 Service Pack 1 and later\r\n1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:\r\n

<configuration>\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” redirectMode=”ResponseRewrite” defaultRedirect=”~/ErrorPage.aspx” />\r\n</system.web>\r\n</location>\r\n</configuration>

\r\n2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx\r\n\r\nfile:\r\n

<%@ Page Language=”C#” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nvoid Page_Load()\r\n{\r\nbyte[] delay = new byte[1];\r\nRandomNumberGenerator prng = new RNGCryptoServiceProvider();\r\nprng.GetBytes(delay);\r\nThread.Sleep((int)delay[0]);\r\nIDisposable disposable = prng as IDisposable;\r\nif (disposable != null)\r\n{\r\ndisposable.Dispose();\r\n}\r\n}</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title> </title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request.     </div>\r\n</body>\r\n</html>

\r\n3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”VB” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nSub Page_Load()\r\nDim delay As Byte() = New Byte(0)\r\n{\r\n}\r\nDim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()\r\nprng.GetBytes(delay)\r\nThread.Sleep(CType(delay(0), Integer))\r\nDim disposable As IDisposable = TryCast(prng, IDisposable)\r\nIf\r\nNot disposable Is Nothing\r\nThen\r\ndisposable.Dispose()\r\nEnd IfEnd Sub\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div>  An error occurred while processing your request.  </div>\r\n</body>\r\n</html>

\r\nIf the ASP.NET application already has a web.config file:\r\n\r\nOn .NET Framework 3.5 RTM and earlier\r\n1. Insert the bracketed text in the sample below into your existing web.config file:\r\n

<?xml version=”1.0″?>\r\n<configuration>\r\n<configSections> …  </configSections>\r\n<appSettings> … </appSettings>\r\n<connectionStrings> … </connectionStrings>\r\n[\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” defaultRedirect=”~/error.html” />\r\n</system.web>\r\n</location>\r\n]\r\n<system.web> … </system.web>\r\n<system.codedom> … </system.codedom>\r\n</configuration>

\r\n2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.\r\n3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.\r\n\r\nOn .NET Framework 3.5 Service Pack 1 and later\r\n1. Insert the bracketed text in the sample below into your existing web.config file:\r\n

<?xml version=”1.0″?>\r\n<configuration>\r\n<configSections> … </configSections>\r\n<appSettings> … </appSettings>\r\n<connectionStrings> … </connectionStrings>\r\n[\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” redirectMode=”ResponseRewrite” defaultRedirect=”~/ErrorPage.aspx” />\r\n</system.web>\r\n</location>]\r\n</configuration>\r\n<system.web> … </system.web>\r\n<system.codedom> … </system.codedom>\r\n</configuration>

\r\n2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”C#” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nvoid Page_Load()\r\n{\r\nbyte[] delay = new byte[1];\r\nRandomNumberGenerator prng = new RNGCryptoServiceProvider();\r\nprng.GetBytes(delay);\r\nThread.Sleep((int)delay[0]);\r\nIDisposable disposable = prng as IDisposable;\r\nif\r\n(disposable != null)\r\n{\r\ndisposable.Dispose();\r\n}\r\n}\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request. </div>\r\n</body>\r\n</html>

\r\n3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”VB” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nSub Page_Load()\r\nDim delay As Byte() = New Byte(0)\r\n{\r\n}\r\nDim prng As RandomNumberGenerator = New  RNGCryptoServiceProvider()       prng.GetBytes(delay)\r\nThread.Sleep(CType(delay(0), Integer))\r\nDim disposable As IDisposable = TryCast(prng, IDisposable)\r\nIf\r\nNot disposable Is Nothing\r\nThen\r\ndisposable.Dispose()\r\nEnd If\r\nEnd Sub\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request. </div>\r\n</body>\r\n</html>

\r\nImpact of Workaround:\r\nIf an error occurs during a Web transaction, the Web clients will see the same generic error message on the server, regardless of what error actually occurs. Additionally, any requests for Web pages which contain the string aspxerrropath= in the querystring portion of the URL will be blocked, and an HTTP error message returned to the client.\r\n\r\nYou can learn more about this vulnerability and the workaround from:\r\n\r\n

Hello world!

Welcome to Community\r\n\r\nWelcome to SysAdmin community site. You’ll get help, news, discussions and collection of tools for System administration & IT Professionals. The target is to make this community to be one of biggest community of System Administrators and IT Professionals.