Hello,

I have a customer with a DNN website running on my server.

They bank with HSBC who have done a security analysis of their website using the company www.securitymetrics.com

The report shows that their site has failed with 6 risks.

Luckily, 5 of the risks have been ranked as low, but 1 has been ranked as a risk level of 4, which is a fail.

I was wondering if anyone could help me try and overcome the level 4 risk so their site passes this security analysis?

The only problem is that I am on a shared hosted server and I am 100% sure that the hosting company will not reconfigure the server just for me....

Anyway, this is the information on the level 4 threat....

Synopsis : The remote ASP.NET web server does not have custom errors set Description : The remote ASP.NET web server is configured to show verbose error messages, which might lead into the disclosure of potential sensitive information about the remote installation (such as the path under which the remote web server resides) or about the remote ASP.NET applications.

Is this just a case of chaning the <customErrors mode="Off" /> setting in the web.config file?

Thanks for any help....

Trev

actually, you don't even need to do that. The default value we ship with in the web.config is RemoteOnly ( http://msdn.microsoft.com/en-us/library/h0hfz6fc.aspx ), which doesn't show verbose errors. I suspect that either you have the value set to Off (which does show verbose errors), or the company who did the audit tested using localhost (RemoteOnly shows verbose errors locally, not remotely).

Note, server errors (level 500) are handled by dotnetnuke's event system, so the only errors which can be captured by customErrors are items such as 404 and 300 level errors.

Finally, please feel free to email any security audits to security@dotnetnuke.com, so we can evaluate them and see if there are issues we might need to address. All information sent into that address is under NDA.

Cathal