Captcha Vulnerability

mtrujillo86
Lieutenant, Jr. Grade (LT JG)
Posts: 34
Joined: Wed Feb 29, 2012 4:45 pm

Post by mtrujillo86 » Tue May 22, 2012 11:01 am

5/22/2012 9:09:53 AM Error An error has occured at /Captcha.ashx?h=ping -c2 -i60 localhost&id=486008&sid=1&t=082819&w=250 Input string was not in a correct format.

Since we started receiving these hack attempts we have enabled our encryption key. The ID is now being encrypted; however, when the user attempts to put malicious code in the URL, the user receives the error back. We have debug=false and we built all the projects in release mode.

We need this fixed asap - Any ideas?

Input string was not in a correct format.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.FormatException: Input string was not in a correct format.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:


[FormatException: Input string was not in a correct format.]
System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal) +12636309
System.Number.ParseInt32(String s, NumberStyles style, NumberFormatInfo info) +224
CommerceBuilder.Web.CaptchaGenerator.ProcessRequest(HttpContext context) in C:\Users\mmtrujillo\Documents\Visual Studio 2010\Projects\AbleCommerce\CommerceBuilder.Web.UI\CaptchaGenerator.cs:36
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +625
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

mouse_8b
Commander (CMDR)
Posts: 115
Joined: Mon Oct 11, 2010 1:21 pm
Location: Austin, TX

Re: Captcha Vulnerability

Post by mouse_8b » Tue May 22, 2012 11:41 am

In your web.config, is Custom Errors set to "on"?

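<system.web>
	<!-- Show the custom error pages instead of the exception detail page -->
	<customErrors mode="On" defaultRedirect="~/Errors/GeneralError.aspx">
		<error statusCode="404" redirect="~/Errors/PageNotFound.aspx" />
	</customErrors>
	<!-- other system.web settings unchanged -->
</system.web>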

mtrujillo86
Lieutenant, Jr. Grade (LT JG)
Posts: 34
Joined: Wed Feb 29, 2012 4:45 pm

Re: Captcha Vulnerability

Post by mtrujillo86 » Tue May 22, 2012 12:46 pm

That fixed it. We had debug=false, which I thought was supposed to not show any errors.

mouse_8b
Commander (CMDR)
Posts: 115
Joined: Mon Oct 11, 2010 1:21 pm
Location: Austin, TX

Re: Captcha Vulnerability

Post by mouse_8b » Tue May 22, 2012 1:27 pm

I think that debug=false will put some extra text in the page for debugging, while customErrors will redirect to a completely different page on an error.
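
Added example, not part of the thread and not AbleCommerce's code: the stack trace above shows CaptchaGenerator.ProcessRequest throwing from Int32.Parse on a query-string value, and customErrors only hides the resulting error page. The base handler below parses the numeric parameters with int.TryParse so a malformed value gets a 400 response instead of an unhandled exception. The class name, the reading of h and w as image height and width, and the size limits are assumptions.

```csharp
// Added example: hypothetical handler, not AbleCommerce's CaptchaGenerator.
using System.Collections.Specialized;
using System.Globalization;
using System.Web;

public abstract class ValidatedCaptchaHandler : IHttpHandler
{
    // Assumed limits for the image size; choose values that suit the site.
    private const int MinSize = 20;
    private const int MaxSize = 400;

    public bool IsReusable { get { return true; } }

    // Reads a query-string value as a plain decimal integer within [min, max].
    // Returns false instead of throwing when the value is missing,
    // non-numeric or out of range.
    protected static bool TryGetBoundedInt(NameValueCollection query, string key,
                                           int min, int max, out int value)
    {
        // NumberStyles.None accepts digits only: no sign, spaces or separators.
        return int.TryParse(query[key], NumberStyles.None,
                            CultureInfo.InvariantCulture, out value)
               && value >= min && value <= max;
    }

    public void ProcessRequest(HttpContext context)
    {
        int height, width;
        NameValueCollection query = context.Request.QueryString;

        // Assumption: "h" and "w" carry the image height and width.
        if (!TryGetBoundedInt(query, "h", MinSize, MaxSize, out height) ||
            !TryGetBoundedInt(query, "w", MinSize, MaxSize, out width))
        {
            // Fail closed with a generic 400: no exception is raised, so no
            // stack trace is produced whatever customErrors is set to.
            context.Response.StatusCode = 400;
            context.Response.ContentType = "text/plain";
            context.Response.Write("Bad request");
            return;
        }

        // Only validated integers reach the drawing code.
        Render(context, width, height);
    }

    // The site's existing image generation goes in a subclass.
    protected abstract void Render(HttpContext context, int width, int height);
}
```

With this in place a request such as the one in the logged URL is answered with the 400 and never reaches the parse that threw; customErrors mode="On" stays on as the backstop for anything else that throws.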
