web.config can anything be done about this?

  • Question

  • User-88610212 posted

    Is there anything that can be done for the following condition:

    inadvertently corrupt a web.config file:

        </authentication><machineKey validationKey="xxx" decryptionKey="xxx" validation="HMACSHA256" decryption="AES" />



    and now since there is no way for the CustomErrors to take effect the browser at the client shows me way too much detail. If the bad syntax edit is done near a sensitive area then it will even show the validationKey="xxx" decryptionKey="xxx" to the client.

    Thursday, June 6, 2013 6:12 PM

All replies

  • User-525215917 posted

    You can always take last good version from backup or source-code repository.

    Thursday, June 6, 2013 6:33 PM
  • User-88610212 posted
    My real concern is the exposure of the sensitive information even if it is for a brief moment. Once the app is in production there might be a separate deployment team making configuration changes, and if these kinds of mistakes are made the information could be compromised and it may not even be noticed. I would think that these kinds of web.config parser errors should not be communicated to the requester at all. It should only be written to the event log of the server.
    Thursday, June 6, 2013 7:21 PM
  • User-525215917 posted

    This situation should not happen easily. If web.config is screwed up then it usually ends up with an IIS error that leaks only a few details. If you see fragments of web.config then something is wrong, I think.

    Is this application running in subfolder of some other application that has web.config where custom errors are turned on?
    Are custom errors turned off for remote users in machine.config? 

    Friday, June 7, 2013 1:13 AM
  • User-88610212 posted

    Thanks for your input.

    The application would be running in its own folder that has a web.config. I happened to be testing customErrors and made a mistake editing the web.config, which showed a message like what I pasted below. It does only show a small fragment, but if it's close enough to a sensitive section of the web.config then it will display the sensitive information. IIS errors should probably not be displayed at all by the System.Web.HttpContext.ReportRuntimeErrorIfExists method, as the call stack shows on the message I received.








    <title>Configuration Error</title>










    <body bgcolor="white">


    <span><H1>Server Error in '/XXXXXX' Application.<hr width=100% size=1 color=silver></H1>


    <h2> <i>Configuration Error</i> </h2></span>


    <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">


    <b> Description: </b>An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.




    <b> Parser Error Message: </b>Unrecognized element.<br><br>


    <b>Source Error:</b> <br><br>


    <table width=100% bgcolor="#ffffcc">







    Line 28:     &lt;forms name=&quot;xxxxx&quot; cookieless=&quot;UseCookies&quot; path=&quot;/&quot; timeout=&quot;1440&quot; domain=&quot;xxxxxx&quot; slidingExpiration=&quot;false&quot; /&gt;
    Line 29:   
    <font color=red>Line 30:     &lt;machineKey validationKey=&quot;xxxxx&quot; decryptionKey=&quot;xxxxxxxxxxx&quot; validation=&quot;HMACSHA256&quot; decryption=&quot;AES&quot; /&gt;
    </font>Line 31:           oops!!!
    Line 32:     &lt;authorization&gt;      </pre></code>










    <b> Source File: </b> C:\inetpub\wwwroot\mysite\web.config<b> &nbsp;&nbsp; Line: </b> 30




    <hr width=100% size=1 color=silver>


    <b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.272









    [ConfigurationErrorsException]: Unrecognized element. (c:\inetpub\wwwroot\mysite\web.config line 30)
       at System.Configuration.ConfigurationSchemaErrors.ThrowIfErrors(Boolean ignoreLocal)
       at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
       at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
       at System.Web.Configuration.RuntimeConfig.GetSectionObject(String sectionName)
       at System.Web.Configuration.RuntimeConfig.GetSection(String sectionName, Type type, ResultsIndex index)
       at System.Web.Configuration.RuntimeConfig.get_CustomErrors()
       at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
       at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
       at System.Web.HttpContext.ReportRuntimeErrorIfExists(RequestNotificationStatus& status)


    Friday, June 7, 2013 9:33 AM
  • User-88610212 posted

    After a few more tests I noticed that the type of mistake in the web.config matters, so the following bad edit:

        <machineKey validationKey="xxxxxxx" decryptionKey="xxxxxx" validation="HMACSHA256" decryption="AES" />  



    with invalid XML syntax would show the sensitive information to the client.

    Some other combinations of bad edits would correctly show the customErrors message.


    Friday, June 7, 2013 10:14 AM
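
Added example, not part of the thread and not Microsoft's code: a pre-deployment check in Python that a deployment team could run on a candidate web.config before copying it to the server, covering the kinds of bad edit discussed above (invalid XML, stray text such as the "oops!!!" line, a misplaced machineKey). The sample configs, the function name `lint_web_config` and the rule that config elements carry no text content are assumptions; this is not a substitute for ASP.NET's own schema validation.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (placeholder keys, not taken from any real site).
GOOD = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="app" timeout="1440" />
    </authentication>
    <machineKey validationKey="PLACEHOLDER" decryptionKey="PLACEHOLDER"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""
# Stray text after </authentication>, like the "oops!!!" line in the thread.
STRAY_TEXT = GOOD.replace("</authentication>", "</authentication>\n    oops!!!")
# machineKey accidentally left inside <authentication> (still well-formed XML).
MISPLACED = GOOD.replace("</authentication>", "").replace(
    "  </system.web>", "    </authentication>\n  </system.web>")
# Unclosed machineKey element: invalid XML syntax.
BROKEN = GOOD.replace('decryption="AES" />', 'decryption="AES" >')

def lint_web_config(text):
    """Return a list of findings; an empty list means no problem was found.
    Findings never echo attribute values, so keys stay out of build logs."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        line, _column = exc.position  # report the location only, not the content
        return [f"not well-formed XML near line {line}"]
    findings = []
    for elem in root.iter():
        # Assumption: web.config elements use attributes, never text content.
        for stray in [elem.text] + [child.tail for child in elem]:
            if stray and stray.strip():
                findings.append(f"stray text {stray.strip()!r} inside <{elem.tag}>")
    parents = {child: parent for parent in root.iter() for child in parent}
    for key in root.iter("machineKey"):
        parent = parents.get(key)
        where = parent.tag if parent is not None else "(document root)"
        if where != "system.web":
            findings.append(f"<machineKey> nested in <{where}>, expected <system.web>")
    return findings

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as handle:  # path to the candidate web.config
        problems = lint_web_config(handle.read())
    for problem in problems:
        print("web.config:", problem)
    sys.exit(1 if problems else 0)
```

Run it as a gate in the deployment step so a non-zero exit blocks the copy to the server.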