eWeb Security
There are many facets to eWeb security. This page describes several topics of concern for eWeb sites.
Cross Site Scripting
Cross-site scripting (XSS) is an attack on a web-based application that injects script into a trusted application, such as NetForum eWeb, so that the victim's browser runs it with that application's trust. Because the browser trusts eWeb, a malicious script could read cookies, session tokens, or other sensitive information that the browser has stored for use with eWeb. To block this kind of attack in eWeb, the following validators must be enabled:
- ASP.NET request validation: blocks XSS by rejecting request values that contain characters commonly found in injected script. If it finds a blocked character, ASP.NET returns a page with the following error:
A potentially dangerous Request.Form value was detected from the client
- NFEPEwebRequestValidator: blocks XSS by rejecting the following characters in a query string: {, <, and %. If any of these characters appears in a query string, netFORUM displays the following error: We have encountered an error. We apologize for the inconvenience.
- eWebSecurePageModule: prevents the CustomerKey, OrgCustomerKey, and CurrentKey parameters from being read from the HTTP request. These values are taken from the session instead, so a user cannot substitute another customer's key in a URL. Because this option can affect customized pages, review any customized code that references customer keys and test the change thoroughly before putting it into production.
ASP.NET request validation is, and always has been, enabled in eWeb. To enable the other two options, edit the eWeb web.config file as follows:
- Go to .
- Open the web.config file in a text editor.
- Search for the following tag: <system.web>.
- Verify that the NFEPEwebRequestValidator code is enabled in the file. You might need to remove the comment markers (<!-- and -->) around the code to make it active. The NFEPEwebRequestValidator code is similar to the following example:
<system.web>
<httpRuntime executionTimeout="7200"
maxRequestLength="102400"
requestValidationMode="2.0"
requestValidationType="Avectra.netForum.Data.NFEPEwebRequestValidator"/>
</system.web>
- Locate the <system.webServer> tag.
- To prevent the hijacking of customer keys from the interface, verify that the following options are set appropriately:
- The validateIntegratedModeConfiguration option is set to false.
- The <modules> tag sets the runAllManagedModulesForAllRequests to true, and adds the secure page module to the site, as shown in the following example.
Note: You might need to remove the comment markers around <modules> to enable this function. It is disabled by default in versions 2014 and 2015, because it can interfere with page delivery. In version 2017 it is enabled by default.
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true">
<add name="eWebSecurePageModule" type="Abila.netForum.Web.Modules.Security.eWebSecurePageModule, Abila.netForum.Web.Modules.Security"/>
</modules>
</system.webServer>
- Save the web.config file. The application pool recycles.
Cross Site Request Forgery (CSRF or XSRF)
Cross-site request forgery (CSRF) is an attack that forces (or entices) an authenticated end user of a web-based application to perform an action the user did not intend. Because the browser already holds the user's authenticated session, an attacker could trick the user into clicking something that changes the user's password to one of the attacker's choosing. To block this kind of attack in eWeb, the following security feature must be enabled. When this feature is enabled, NetForum redirects the end user to the Change Password page in eWeb.
Note: The eWeb configuration file is shipped with this security feature set to "false," leaving it up to the administrator of each site to activate this feature.
- Go to .
- Open the web.config file in a text editor.
- Search for the following key: eWebAntiCSRFTokenValidation. The entire string appears as follows: <add key="eWebAntiCSRFTokenValidation" value="false"/>
- Change the value to true. Edit the string to appear as follows: <add key="eWebAntiCSRFTokenValidation" value="true"/>
- Save the web.config file. The application pool recycles.
Directory Indexing
Directory indexing can give a user too much information about the pages and layout of the NetForum site. For instance, a user can enter a URL that points to a folder with no default page and receive a listing of the folder's entire contents. A user could use that listing to reach pages in NetForum that are otherwise hidden from them, so it is an information disclosure worth closing.
To close it, the baseline web.config files for eWeb, iWeb, and xWeb have been modified to include the following statement:
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
With directoryBrowse enabled set to false, a user who enters a URL to a folder with no default page sees the following error message instead of a list of files:
HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.
If you do not see this entry in the web.config file, use the following steps to add it:
- Go to one of the following:
- ../eweb/web.config for eWeb
- ../iweb/web.config for iWeb
- ../xweb/web.config for xWeb
- Open the web.config file in a text editor.
- Search for the following tag: <system.webServer>.
- If you find it, check that the value for <directoryBrowse enabled=""> is false. If the <directoryBrowse> element is missing, add <directoryBrowse enabled="false" /> inside <system.webServer>.
- If you do not find it, add the following code inside the <configuration> element of the web.config file:
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
- Save the web.config. The application pool recycles.
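The three web.config procedures above (XSS validators, anti-CSRF key, directory browsing) are easy to get partly right by hand, so the following audit script checks all of them in one pass. It is an added example, not part of the netFORUM product: it parses a web.config with Python's standard XML parser and reports each setting as pass or fail. The embedded web.config is constructed for the example, with the XSS settings in place, the anti-CSRF key still at its shipped value of "false", and no directoryBrowse element at all; the check names are this script's own.

```python
"""Audit a netFORUM eWeb web.config for the hardening settings described above.

Added example; not netFORUM code. It reads the elements the procedures name
(httpRuntime, validation, modules, the eWebAntiCSRFTokenValidation appSetting,
directoryBrowse) and reports which hardening settings are in place.
"""
import xml.etree.ElementTree as ET

# Constructed sample: XSS settings present, anti-CSRF still at the shipped
# default of "false", and no directoryBrowse element at all.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="eWebAntiCSRFTokenValidation" value="false"/>
  </appSettings>
  <system.web>
    <httpRuntime executionTimeout="7200"
                 maxRequestLength="102400"
                 requestValidationMode="2.0"
                 requestValidationType="Avectra.netForum.Data.NFEPEwebRequestValidator"/>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="eWebSecurePageModule"
           type="Abila.netForum.Web.Modules.Security.eWebSecurePageModule, Abila.netForum.Web.Modules.Security"/>
    </modules>
  </system.webServer>
</configuration>
"""

REQUEST_VALIDATOR = "Avectra.netForum.Data.NFEPEwebRequestValidator"
SECURE_PAGE_MODULE = "eWebSecurePageModule"
CSRF_KEY = "eWebAntiCSRFTokenValidation"


def _attr(elem, name):
    """Lower-cased attribute value, or "" if the element or attribute is absent."""
    return "" if elem is None else (elem.get(name) or "").strip().lower()


def audit_web_config(xml_text):
    """Map each check name to True (hardened) or False (missing or wrong)."""
    root = ET.fromstring(xml_text)
    checks = {}

    # ASP.NET request validation routed through NFEPEwebRequestValidator.
    # A .NET type attribute may carry ", AssemblyName"; compare the type only.
    runtime = root.find("./system.web/httpRuntime")
    type_name = _attr(runtime, "requestValidationType").split(",")[0].strip()
    checks["request_validator"] = type_name == REQUEST_VALIDATOR.lower()

    # eWebSecurePageModule and the two settings it depends on.
    validation = root.find("./system.webServer/validation")
    checks["integrated_mode_validation_off"] = (
        _attr(validation, "validateIntegratedModeConfiguration") == "false"
    )
    modules = root.find("./system.webServer/modules")
    checks["run_all_managed_modules"] = (
        _attr(modules, "runAllManagedModulesForAllRequests") == "true"
    )
    names = [] if modules is None else [_attr(m, "name") for m in modules.findall("add")]
    checks["secure_page_module"] = SECURE_PAGE_MODULE.lower() in names

    # Anti-CSRF token validation ships as "false", so an absent key fails too.
    csrf = root.find(f"./appSettings/add[@key='{CSRF_KEY}']")
    checks["anti_csrf"] = _attr(csrf, "value") == "true"

    # Directory browsing must be explicitly disabled. An absent element is a
    # failure here because the IIS server-level default would then decide.
    browse = root.find("./system.webServer/directoryBrowse")
    checks["directory_browse_off"] = _attr(browse, "enabled") == "false"
    return checks


def failing_checks(xml_text):
    """Sorted names of the checks that fail, for a quick summary."""
    return sorted(name for name, ok in audit_web_config(xml_text).items() if not ok)


if __name__ == "__main__":
    for check, ok in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

To audit a real site, read ../eweb/web.config (or the iWeb and xWeb files) into a string and pass it to audit_web_config; the extra elements in a production file are ignored. Run it again after the application pool recycles so that the saved file is what is checked.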
Customizing eWeb Page Security
In addition to enabling security in the eWeb web.config file, you can edit the eWebAdditionalConfigSettings.xml file to exclude pages from validation (or return them to it), and to change the stored procedure used to validate page access if you have written your own.
Note: You can only exclude .aspx files from the baseline.
<?xml version="1.0" encoding="utf-8" ?>
<root>
<UnsecuredPages name="Pages">
<UnsecuredPageList name="memberpage.aspx" />
<UnsecuredPageList name="startpage.aspx" />
</UnsecuredPages>
<StoredProcedure name="Procedures">
<StoredProcedures name="md_check_eweb_page_has_access" />
</StoredProcedure>
</root>
To include or exclude pages from validation, use the following steps:
- Edit the eWebAdditionalConfigSettings.xml file.
- Locate the UnsecuredPages tag.
- To remove a page from validation, create an UnsecuredPageList entry for it in the following format:
<UnsecuredPageList name="memberpage.aspx" />
- To return a page to validation, delete its UnsecuredPageList entry.
- Save the eWebAdditionalConfigSettings.xml file.
To specify a different stored procedure in the configuration file, use the following steps:
- Edit the eWebAdditionalConfigSettings.xml file.
- Locate the StoredProcedure tag.
- If you have written your own stored procedure, replace the value md_check_eweb_page_has_access with the name of your stored procedure.
- Save the eWebAdditionalConfigSettings.xml file.
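The two procedures above are hand edits to eWebAdditionalConfigSettings.xml, so the following wrapper is an added example (not netFORUM code) that applies the same edits with checks: excluding a page enforces the .aspx-only rule from the note, returning a page to validation deletes its entry, and swapping the stored procedure requires a plain identifier. The embedded settings file is constructed to match the layout shown above. How netFORUM itself compares page names (case, paths) is not stated on this page; the case-insensitive, bare-file-name matching and the identifier rule for procedure names are this example's assumptions.

```python
"""Manage the page-security list in eWebAdditionalConfigSettings.xml.

Added example; not netFORUM code. Wraps the two elements described above
(UnsecuredPages and StoredProcedure) so that excluding a page, returning it
to validation, and swapping the stored procedure are checked edits rather
than free-hand ones. Case-insensitive page matching and the identifier rule
for procedure names are assumptions, not documented netFORUM behaviour.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample matching the file layout shown on this page.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="utf-8" ?>
<root>
  <UnsecuredPages name="Pages">
    <UnsecuredPageList name="memberpage.aspx" />
    <UnsecuredPageList name="startpage.aspx" />
  </UnsecuredPages>
  <StoredProcedure name="Procedures">
    <StoredProcedures name="md_check_eweb_page_has_access" />
  </StoredProcedure>
</root>
"""

# A plain SQL identifier; anything that would need quoting is rejected (assumed rule).
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class PageSecuritySettings:
    def __init__(self, xml_text):
        self.root = ET.fromstring(xml_text)
        self.pages = self.root.find("UnsecuredPages")
        self.procs = self.root.find("StoredProcedure")
        if self.pages is None or self.procs is None:
            raise ValueError("UnsecuredPages or StoredProcedure element is missing")

    def unsecured_pages(self):
        """Page names currently excluded from validation, in file order."""
        return [(e.get("name") or "").lower() for e in self.pages.findall("UnsecuredPageList")]

    def is_validated(self, page):
        """True if the page still goes through the access stored procedure."""
        return page.strip().lower() not in self.unsecured_pages()

    def exclude(self, page):
        """Remove a page from validation. Only bare .aspx file names are accepted."""
        page = page.strip().lower()
        if not page.endswith(".aspx") or "/" in page or "\\" in page or ".." in page:
            raise ValueError(f"only bare .aspx file names can be excluded: {page!r}")
        if page not in self.unsecured_pages():
            ET.SubElement(self.pages, "UnsecuredPageList", name=page)

    def include(self, page):
        """Return a page to validation by deleting its UnsecuredPageList entry."""
        page = page.strip().lower()
        for entry in list(self.pages.findall("UnsecuredPageList")):
            if (entry.get("name") or "").lower() == page:
                self.pages.remove(entry)

    def stored_procedure(self):
        """Name of the procedure that validates page access, or None if unset."""
        proc = self.procs.find("StoredProcedures")
        return None if proc is None else proc.get("name")

    def set_stored_procedure(self, name):
        """Point validation at a custom procedure; the name must be a plain identifier."""
        if not _IDENTIFIER.match(name):
            raise ValueError(f"not a plain identifier: {name!r}")
        proc = self.procs.find("StoredProcedures")
        if proc is None:
            proc = ET.SubElement(self.procs, "StoredProcedures")
        proc.set("name", name)

    def to_xml(self):
        """Serialize the edited document for writing back to the file."""
        return ET.tostring(self.root, encoding="unicode")


if __name__ == "__main__":
    settings = PageSecuritySettings(SAMPLE_SETTINGS)
    settings.exclude("catalog.aspx")
    settings.include("startpage.aspx")
    settings.set_stored_procedure("usr_check_page_access")
    print(settings.to_xml())
```

Read the real file into a string, build PageSecuritySettings from it, apply the edits, and write to_xml() back; keep a copy of the original, since every page added to UnsecuredPages is one that no longer goes through the access check.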