FYI: DetectCustomErrorsDisabled3 not scanning virtual folders under physical subfolders.

  • Question

  • User-158764254 posted

    I have found a condition under which the script DetectCustomErrorsDisabled3.vbs was not scanning all application folders.

    The method EnumDirectories uses recursion to traverse through the subdirectory objects, but only if they are of Class IIsWebVirtualDir.

    If you create a physical folder in your site, and then create a virtual folder (app) under that physical folder, the virtual folder is not scanned.

    The Class of the physical folder as read by the script is "IIsWebDirectory" instead of "IIsWebVirtualDir" which is why it (and all its child folders) appears to get skipped.

     

    So on the off chance that anybody else may have a similar configuration (application folder nested under regular physical folder), you might want to double check that the script produced a result for all of your apps.

     

     

    Sunday, September 19, 2010 2:51 PM

All replies

  • User-1493333979 posted

    I seem to be having the same issue with the script skipping some web apps.

    I know nothing about vbs, but could it be as simple as changing

    objSubDir.Class = "IIsWebVirtualDir"

    to

    objSubDir.Class = "IIsWebVirtualDir" OR "IIsWebDirectory" 

    ?

    Thursday, September 23, 2010 10:35 AM
  • User-158764254 posted

    Things are never that simple it seems.

    An IIsWebDirectory does not support a Path property so processing those folders will cause the script to fail.

     

    I made the following 3 tweaks in a separate copy of the script:
    2 comment characters added plus an on error resume next.

    SUB EnumDirectories(objDir)
        ON ERROR RESUME NEXT
        DIM objSubDir
        ' The first call to this is from IIsWebServer, so we can skip that
        FOR EACH objSubDir IN objDir
            'IF (objSubDir.Class = "IIsWebVirtualDir") THEN
                GetPhysicalPaths(objSubDir)           
                EnumDirectories(objSubDir)         
            'END IF
        NEXT 
    END SUB

    That seemed to get it to traverse all my folders.

    Note that on the off chance that this modification had some unintended side-effect, I would recommend always running the script version that MSFT has released in addition to any modified version.

    Thursday, September 23, 2010 11:16 AM
  • User-1493333979 posted

    Mike,

    Thanks for this.  I created a copy of the original script and made the changes you suggested.  It did seem to go down one more level. However, the script just stops after a certain folder and doesn't do anything else. And it seems some of my virtual folders are still not being checked.  I also tried adding the on error resume suggestion at http://forums.asp.net/t/1604350.aspx but got the same results.

    Any other suggestions before I start manually looking at the next level of apps?

    Thanks,

    Nicole

     

    Friday, September 24, 2010 10:54 AM
  • User-619846739 posted

    Mike and Nicole,

    I'm curious about this.  IIsWebDirectory has a Path property, but IIsWebDirectory doesn't.  So, the script shouldn't be able to resolve any additional paths by checking IIsWebDirectory too.  Maybe it's getting some extra FTP paths?

    However, there were other changes made to the script over time, so make sure that you have the latest.  The zip file from Scott Gu's page has the latest: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

    If you still have additional folders checked after using Scott's latest script, I would like to troubleshoot it with you.

    Friday, September 24, 2010 3:56 PM
  • User-158764254 posted

    "the script shouldn't be able to resolve any additional paths by checking IIsWebDirectory too"
     

    The IISWebDirectory cannot itself be fully processed.  But, its child objects might be relevant...

    consider this:

    WebServer

    +--- IISWebDirectory

                +--- IIsWebVirtualDir

     

    The script (v3) does not process (or recurse through) the IISWebDirectory class object so it would miss any nested IIsWebVirtualDir paths.

    It's not essential that an IISWebDirectory itself be directly processed per se, but it is essential that all child objects of that IISWebDirectory be included in the scan - in case they happen to be of class IIsWebVirtualDir.

    I do see that the script download has changed a bit and now links to a v31 script.  But the v31 script behaves the same as the v3 script in this regard from what I can tell.

     

    Note: the newer v31 script did pick up one extra path that even my modified older v3 script did not.  It was an IIsWebVirtualDir on my dev system that did not have a web.config at all.

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 24, 2010 7:17 PM
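
Added example, not part of the thread and not Microsoft's script: a Python model of the traversal discussed above, comparing a walk that recurses only into IIsWebVirtualDir objects with one that visits every child but reads the path only where the class supports it. The class names come from the thread; the tree, node names and paths are constructed for illustration.

```python
# Constructed model of an IIS metabase tree. Class names are from the thread;
# node names and physical paths are made up for illustration.
class Node:
    def __init__(self, name, cls, path=None, children=()):
        self.name, self.cls, self._path = name, cls, path
        self.children = list(children)

    @property
    def path(self):
        # Per the thread, an IIsWebDirectory does not support a Path property.
        if self.cls != "IIsWebVirtualDir":
            raise AttributeError(f"{self.cls} has no Path property")
        return self._path

def scan_v3(node, found):
    """Walk as described for v3: process and recurse only into IIsWebVirtualDir."""
    for child in node.children:
        if child.cls == "IIsWebVirtualDir":
            found.append(child.path)
            scan_v3(child, found)
    return found

def scan_all_children(node, found):
    """Recurse into every child, but read Path only on IIsWebVirtualDir."""
    for child in node.children:
        if child.cls == "IIsWebVirtualDir":
            found.append(child.path)
        scan_all_children(child, found)
    return found

def build_sample_tree():
    app2 = Node("app2", "IIsWebVirtualDir", r"D:\apps\app2")
    app3 = Node("app3", "IIsWebVirtualDir", r"D:\apps\app3")
    archive = Node("archive", "IIsWebDirectory", children=[app3])
    reports = Node("reports", "IIsWebDirectory", children=[app2, archive])
    app1 = Node("app1", "IIsWebVirtualDir", r"D:\apps\app1")
    root = Node("ROOT", "IIsWebVirtualDir", r"C:\inetpub\wwwroot",
                children=[app1, reports])
    return Node("W3SVC/1", "IIsWebServer", children=[root])

def missed_paths(tree):
    """Paths the v3-style walk never reaches; these need a separate check."""
    return sorted(set(scan_all_children(tree, [])) - set(scan_v3(tree, [])))

if __name__ == "__main__":
    for p in missed_paths(build_sample_tree()):
        print("not scanned by v3-style walk:", p)
```

Because the class check guards only the path lookup and not the recursion, this walk needs no blanket error suppression, so a genuine failure such as a permissions error on one folder would still surface.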
  • User-955213232 posted

    It might be a permissions thing. Add an ON ERROR  at the end of: EnumWebConfig

     

    SUB EnumWebConfig(Path,IsRoot)
    ...
        ON ERROR RESUME NEXT
        FOR EACH dir IN objFileSys.GetFolder(Path).SubFolders
            CALL EnumWebConfig(dir.Path,0)
        NEXT

    END SUB

    Friday, September 24, 2010 7:43 PM
  • User-1493333979 posted

    David:  I had added the on error, which is what seemed to get me to another level.

    Mike: Yep, running the latest 3.1 script.

    Scott:  I have pretty much run through my server manually, but would be happy to try any other edits you suggest. 

    I think you are saying that IIsWebVIR Directory has a Path property, but IIsWebDirectory doesn't.  In my earlier response that Mike's edits allowed more folders, maybe it was my addition of ON ERROR NEXT that returned more results.

    So just let me know how you want to troubleshoot.

    Nicole

    Monday, September 27, 2010 8:25 AM