Rank: Newbie
Groups: Registered
Joined: 3/15/2020 Posts: 5
Hi, there is a vulnerability in callbackhandler.ashx: if we change the id parameter (which is the index folder), the handler returns an exception and exposes the physical address of the site. Is there any workaround for this problem? Thanks.
Rank: Advanced Member
Groups: Administrators, Registered
Joined: 8/13/2004 Posts: 2,669 Location: Canada
Hi, thanks for reporting it. For others' info, this only affects Server Control usage, not the new JavaScript-based usage. If you have a v7 license then please update to https://www.dropbox.com/.../SU-ASHX-Patch.zip?dl=0
Otherwise you can potentially filter responses like this: https://weblog.west-wind...put-with-responsefilter
Jim - your feedback is helpful to other users, thank you!
Rank: Newbie
Groups: Registered
Joined: 3/15/2020 Posts: 5
|
Hi, thanks for your reply. I updated the DLLs but the problem is still there: if I change the id parameter of the callback handler, it returns an exception and reveals the physical address. I think you should not reflect the exception to the output at all. Have I done something wrong? Thanks for your reply.
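As an added example for this thread (not Keyoti's code and not the patched handler), here is a hypothetical ASHX handler that does what the reporter describes: it maps the id query parameter to an index folder. The commented-out catch block is the pattern that leaks the physical path; the live code validates id, keeps the resolved folder under the index root, logs the full exception server-side and returns only a fixed message with a reference id. The class name, the ~/App_Data/SiteSearch root, the configuration.xml file name and the ~Exception/ prefix are assumptions modelled on what the thread shows, not facts about the real handler.

```csharp
// Added example, not Keyoti's code. Demonstrates the "don't reflect exceptions"
// fix for an index-folder lookup driven by the "id" query parameter.
using System;
using System.Diagnostics;
using System.IO;
using System.Web;

public class HardenedCallbackHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Hypothetical root. In a real site the web.config key mentioned in the
        // thread (Keyoti-SearchEngine-IndexDirectory) would supply this value.
        string indexRoot = context.Server.MapPath("~/App_Data/SiteSearch");
        string id = context.Request.QueryString["id"];

        context.Response.ContentType = "text/plain";
        // Keep our own body instead of letting IIS substitute an error page.
        context.Response.TrySkipIisCustomErrors = true;

        string indexDir;
        if (!TryResolveIndexDirectory(indexRoot, id, out indexDir))
        {
            // Reject before touching the file system: no exception, nothing to leak.
            context.Response.StatusCode = 400;
            context.Response.Write("~Exception/Invalid index id");
            return;
        }

        try
        {
            string config = Path.Combine(indexDir, "configuration.xml");
            context.Response.Write(File.ReadAllText(config));
        }
        catch (Exception ex)
        {
            // VULNERABLE (what the thread observed): the exception text carries the
            // absolute path, e.g. "Directory holding D:\...\configuration.xml does
            // not exist", straight into the response body:
            //   context.Response.Write("~Exception/" + ex.Message);

            // HARDENED: full detail goes to the server log under a reference id;
            // the client gets a fixed message that names no path.
            string reference = Guid.NewGuid().ToString("N");
            Trace.TraceError("CallbackHandler [{0}] id={1}: {2}", reference, id, ex);
            context.Response.StatusCode = 500;
            context.Response.Write("~Exception/Search index unavailable (ref " + reference + ")");
        }
    }

    // Accept only a short, plain index name (letters, digits, '-' and '_') and
    // confirm the canonical path stays under the index root, so "..\..\web.config"
    // or an absolute path supplied as "id" can never escape the index area.
    internal static bool TryResolveIndexDirectory(string root, string id, out string indexDir)
    {
        indexDir = null;
        if (string.IsNullOrEmpty(id) || id.Length > 64)
            return false;
        foreach (char c in id)
            if (!char.IsLetterOrDigit(c) && c != '-' && c != '_')
                return false;

        string fullRoot = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(fullRoot, id));
        if (!candidate.StartsWith(fullRoot, StringComparison.OrdinalIgnoreCase))
            return false;

        // A missing folder is a bad id (client error), not a server fault; report
        // it through the 400 path above without echoing the path.
        if (!Directory.Exists(candidate))
            return false;

        indexDir = candidate;
        return true;
    }
}
```

Two practical notes. A customErrors setting in web.config does not help here, because the leak is the handler deliberately writing ex.Message into the body, not an unhandled exception; a response filter like the one linked above masks the string after the fact, while the change belongs in the catch block itself. To check a site after patching, request callbackhandler.ashx with a bogus id and make sure the body contains no drive-letter pattern such as a letter followed by ":\" and no server-side folder names.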
Rank: Advanced Member
Groups: Administrators, Registered
Joined: 8/13/2004 Posts: 2,669 Location: Canada
|
I agree with you. I think that you might need to update the references in your web.config to the new version. E.g. you might have this in at least 2 places:
type="Keyoti.SearchEngine.Web.CallBackHandler, Keyoti4.SearchEngine.Web, Version=2017.7.x.x, Culture=neutral, PublicKeyToken=58d9fd2e9ec4dc0e"
where 'x' is specific to your version. You need to update to the new version, which is 2017.7.20.316 (otherwise it keeps using the old version from your GAC). Sorry I didn't foresee that.
Jim - your feedback is helpful to other users, thank you!
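An added illustration of the web.config change described in the post above (not taken from the thread or from Keyoti's documentation): a standard ASP.NET site registers an ASHX handler in two places, system.web/httpHandlers for the classic pipeline and system.webServer/handlers for IIS integrated mode, and the Version= in the fully qualified type name decides which assembly the runtime binds, so a stale value keeps loading the old GAC copy even after the DLL in bin is replaced. The handler path, the handler name attribute and the use of exactly these two sections are assumptions about a typical setup; the version shown is the one named in the post.

```xml
<!-- Added example, not Keyoti's shipped configuration. Both registrations must
     carry the patched assembly version; with the old Version= the GAC copy wins. -->
<configuration>
  <system.web>
    <httpHandlers>
      <!-- BEFORE (still bound to the old build; "x" stands for your previous numbers):
           type="Keyoti.SearchEngine.Web.CallBackHandler, Keyoti4.SearchEngine.Web, Version=2017.7.x.x, Culture=neutral, PublicKeyToken=58d9fd2e9ec4dc0e" -->
      <!-- AFTER (bound to the patched build named in the post) -->
      <add verb="*" path="callbackhandler.ashx"
           type="Keyoti.SearchEngine.Web.CallBackHandler, Keyoti4.SearchEngine.Web, Version=2017.7.20.316, Culture=neutral, PublicKeyToken=58d9fd2e9ec4dc0e" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <!-- Same type string here; the name attribute is arbitrary but must be unique. -->
      <add name="KeyotiCallBackHandler" verb="*" path="callbackhandler.ashx"
           type="Keyoti.SearchEngine.Web.CallBackHandler, Keyoti4.SearchEngine.Web, Version=2017.7.20.316, Culture=neutral, PublicKeyToken=58d9fd2e9ec4dc0e" />
    </handlers>
  </system.webServer>
</configuration>
```

After editing, confirm the file version of Keyoti4.SearchEngine.Web.dll in the site's bin folder matches the Version= you wrote, and re-run the tampered-id request to make sure the response no longer contains a path.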
Rank: Newbie
Groups: Registered
Joined: 3/15/2020 Posts: 5
|
Thanks again for your reply.
I updated web.config as you said. Now the error message has changed, but the directory is still exposed!
Now it outputs two exceptions, of which, in my opinion, the second should not be there. Here are the exceptions:
~Exception/Sorry the index directory path is not valid please check AutoCompleteQueryIndexDirectory or Keyoti-SearchEngine-IndexDirectory in the web.config
~Exception/Directory holding D:\xxx\App_Data\SiteSearch\Search_Index1\configuration.xml does not exist and needs to be created first.
Thanks and best regards, Amir
Rank: Advanced Member
Groups: Administrators, Registered
Joined: 8/13/2004 Posts: 2,669 Location: Canada
|
Sorry, not sure how I missed that. Please update to this version, 2017.7.20.319: https://www.dropbox.com/...p/SU-ASHX-Patch.zip?dl=2
- your feedback is helpful to other users, thank you!
Rank: Newbie
Groups: Registered
Joined: 3/15/2020 Posts: 5
|
Thank you, it solved the problem. Regards