IIS Detailed Error Information Disclosure
**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.
Vulnerability Details
The IIS Detailed Error Information Disclosure vulnerability occurs when detailed error messages are displayed to users, potentially exposing sensitive information about the server’s configuration and the application.
Severity Rating
Medium
How to Verify if a Device is Vulnerable
Use Nessus plugin ID 58363 to scan the device for this vulnerability.
To verify if an IIS server is vulnerable to detailed error information disclosure, follow these steps:
- Cause an error: access the web application and intentionally cause an error (e.g., request a non-existent page).
- Analyze the error page: check whether the server returns a detailed error message with sensitive information such as stack traces, server paths, or configuration details.

Example: open a non-existent page in a browser, or use curl to cause an error. Use `-i` (include the response headers with the body) rather than `-I`, which sends a HEAD request and returns no body, so the error page itself would not be shown:

```shell
curl -i http://your-iis-server/nonexistentpage
```

If the response includes detailed error information, the server is vulnerable.
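The check described above, automated as an added Python example (not part of the original page): it requests a path that should not exist, then scans the response body for strings that IIS and ASP.NET detailed error pages contain and a custom error page should not. The marker list and the two sample response bodies are constructed for illustration; `http://your-iis-server` is the page's placeholder host.

```python
"""Detect IIS detailed error pages in the response to a non-existent path.

Added example, not from the original page. Marker strings and sample
responses below are constructed for illustration.
"""
import re
import sys
import urllib.error
import urllib.request

# Strings that IIS / ASP.NET detailed error pages typically contain and a
# custom error page should not (assumed list; extend it for your environment).
DETAILED_ERROR_MARKERS = (
    r"Detailed Error Information",            # IIS detailed error page heading
    r"Physical Path",                         # mapped path on the server's disk
    r"Requested URL",
    r"Stack Trace:",                          # ASP.NET unhandled-exception page
    r"Server Error in '[^']*' Application",   # ASP.NET "yellow screen" title
    r"Version Information:",                  # .NET / ASP.NET build versions
    r"[A-Za-z]:\\inetpub\\",                  # absolute Windows path in the body
)
_MARKER_RE = re.compile("|".join(DETAILED_ERROR_MARKERS), re.IGNORECASE)


def find_leak_markers(body: str) -> list[str]:
    """Return the distinct marker strings found in a response body."""
    return sorted({m.group(0) for m in _MARKER_RE.finditer(body)}, key=str.lower)


def is_detailed_error(body: str) -> bool:
    """True when the body looks like a detailed IIS/ASP.NET error page."""
    return bool(find_leak_markers(body))


def fetch_error_page(base_url: str, path: str = "/nonexistentpage") -> tuple[int, str]:
    """Request a path that should not exist and return (status, body).

    A GET is used deliberately: a HEAD request carries no body, and the
    detailed error text lives in the body.
    """
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"User-Agent": "iis-detailed-error-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 404/500 responses arrive as exceptions; their body is what we inspect.
        return err.code, err.read().decode("utf-8", "replace")


# Constructed sample responses used to exercise the detector offline.
SAMPLE_DETAILED_404 = (
    "<html><head><title>IIS 10.0 Detailed Error - 404.0 - Not Found</title></head>"
    "<body><h3>Detailed Error Information:</h3><table>"
    "<tr><th>Requested URL</th><td>http://localhost:80/nonexistentpage</td></tr>"
    "<tr><th>Physical Path</th><td>C:\\inetpub\\wwwroot\\nonexistentpage</td></tr>"
    "</table></body></html>"
)
SAMPLE_CUSTOM_404 = (
    "<html><body><h1>Page not found</h1>"
    "<p>The page you requested does not exist.</p></body></html>"
)


def check_server(base_url: str) -> dict:
    """Fetch the error page of a live server and summarise the finding."""
    status, body = fetch_error_page(base_url)
    markers = find_leak_markers(body)
    return {"status": status, "vulnerable": bool(markers), "markers": markers}


if __name__ == "__main__":
    # Usage: python iis_error_check.py http://your-iis-server
    target = sys.argv[1] if len(sys.argv) > 1 else "http://your-iis-server"
    result = check_server(target)
    verdict = "VULNERABLE (detailed error page)" if result["vulnerable"] else "custom/terse error page"
    print(f"HTTP {result['status']}: {verdict}")
    for marker in result["markers"]:
        print("  leaked marker:", marker)
```

Run it from a remote client, not on the server itself: with errorMode set to DetailedLocalOnly the same request from localhost legitimately returns the detailed page, so a local run would report a false positive.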
How to Fix
Configure Custom Errors:
- In your IIS Manager, go to the site or server level and select “Error Pages”.
- Click “Edit Feature Settings” and set the error mode to “Custom Errors”.
- Alternatively, set errorMode to DetailedLocalOnly so that detailed errors are shown only for requests from the local machine, while remote clients receive the custom page.
Modify web.config:
- Add the following configuration to your web.config file to ensure custom errors are configured properly:

```xml
<system.webServer>
  <httpErrors errorMode="Custom" existingResponse="Replace">
    <remove statusCode="404" />
    <error statusCode="404" path="/404.html" responseMode="ExecuteURL" />
    <!-- Add other custom error pages as needed -->
  </httpErrors>
</system.webServer>
```
Verify Configuration:
Access the site from a remote client and trigger common errors to ensure custom error pages are displayed instead of detailed errors.
Rollback
To roll back the custom error page configuration and revert to detailed error messages in IIS, follow these steps:
- Open IIS Manager: navigate to the site or server level and select “Error Pages”, then click “Edit Feature Settings” and set the error mode to “Detailed Errors”.
- Modify web.config: remove or comment out the <httpErrors> section from your web.config file:

```xml
<system.webServer>
  <!-- Remove or comment out the httpErrors section -->
  <!-- <httpErrors errorMode="Custom" existingResponse="Replace">
    <remove statusCode="404" />
    <error statusCode="404" path="/404.html" responseMode="ExecuteURL" />
  </httpErrors> -->
</system.webServer>
```

- Restart IIS: run `iisreset` from an elevated command prompt to apply the changes.
- Verify configuration: trigger an error to confirm that detailed error messages are now being displayed.
How to Verify the Fix
Rescan the device with Nessus plugin ID 58363 to confirm the vulnerability is no longer reported.
To verify that the fix for the IIS Detailed Error Information Disclosure vulnerability has been implemented, follow these steps:
- Cause an error: access the web application and intentionally trigger an error (e.g., request a non-existent page).
- Analyze the error page: ensure that the server returns a custom error page rather than a detailed error message with sensitive information.
- Check web.config: ensure the httpErrors errorMode is set to Custom or DetailedLocalOnly.
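The web.config check above and the httpErrors fragment given under How to Fix, as an added Python example (not from the original page): it parses a web.config, locates `<httpErrors>` under `<system.webServer>`, and reports whether errorMode is one of the two values this page accepts, along with the custom pages that are mapped. The three sample configurations are constructed; the first wraps the page's own fragment in a `<configuration>` element, the other two show a weak and a missing setting.

```python
"""Audit the <httpErrors> section of an IIS web.config.

Added example, not from the original page. The sample configurations are
constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

# Modes that keep detailed errors away from remote clients (per the page).
ACCEPTABLE_MODES = {"Custom", "DetailedLocalOnly"}

# The page's own fragment, wrapped in <configuration> so it parses as a file.
SAFE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="404" />
      <error statusCode="404" path="/404.html" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>
</configuration>
"""

# Constructed weak setting: detailed errors go to every client.
WEAK_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>
"""

# Constructed file with no <httpErrors> at all.
MISSING_WEB_CONFIG = """<configuration>
  <system.webServer />
</configuration>
"""


def audit_http_errors(web_config_xml: str) -> dict:
    """Return the <httpErrors> settings and whether they block detailed errors remotely."""
    root = ET.fromstring(web_config_xml)
    http_errors = None
    # iter() matches the tag by name, so the dot in "system.webServer" is not a path.
    for web_server in root.iter("system.webServer"):
        http_errors = web_server.find("httpErrors")
        if http_errors is not None:
            break
    if http_errors is None:
        return {"present": False, "errorMode": None, "existingResponse": None,
                "custom_pages": {}, "ok": False,
                "reason": "no <httpErrors> element: the site inherits the server-level "
                          "setting, so this file does not enforce custom errors"}

    mode = http_errors.get("errorMode")
    pages = {e.get("statusCode"): e.get("path") for e in http_errors.findall("error")}
    ok = mode in ACCEPTABLE_MODES
    if ok:
        reason = f"errorMode={mode}: detailed errors are not sent to remote clients"
    elif mode is None:
        reason = "errorMode attribute not set: the mode is inherited, not enforced here"
    else:
        reason = f"errorMode={mode}: detailed errors are returned to remote clients"
    return {"present": True, "errorMode": mode,
            "existingResponse": http_errors.get("existingResponse"),
            "custom_pages": pages, "ok": ok, "reason": reason}


def audit_web_config_file(path: str) -> dict:
    """Audit a web.config on disk (utf-8-sig tolerates the BOM IIS tools write)."""
    with open(path, encoding="utf-8-sig") as fh:
        return audit_http_errors(fh.read())


if __name__ == "__main__":
    # Usage: python audit_web_config.py C:\inetpub\wwwroot\web.config
    result = audit_web_config_file(sys.argv[1]) if len(sys.argv) > 1 else audit_http_errors(SAFE_WEB_CONFIG)
    print("OK" if result["ok"] else "FINDING", "-", result["reason"])
    for code, page in result["custom_pages"].items():
        print(f"  {code} -> {page}")
```

Treat an `ok` result from this audit as necessary but not sufficient: the site's effective setting also depends on the server-level applicationHost.config, so the remote request test above remains the authoritative check.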
Links (for additional resources and references)
https://www.tenable.com/plugins/nessus/58363
https://learn.microsoft.com/en-us/iis/configuration/system.webServer/httpErrors