CuteEditor Security

CuteEditor can include a stack trace in the error information it displays, which might pose a security risk. To stop this possible information leak, you must edit the web.config files as explained in the following sections.

Editing the eWeb Web.Config File

To generate the error, use the following steps:

  1. Open eWeb.
  2. Copy and paste the following example into the browser URL address field:

     http://mywebsite/eweb/CuteSoft_Client/CuteEditor/Load.ashx?type=style&file=<%25%20whs=21705%20%25>whscheck<%25=%20whs.to_s%20%25>&=SyntaxHighlighter.css

  3. Edit mywebsite to the address of your organization's specific eWeb site.
  4. Press Enter or use the browser go feature to navigate to the link you pasted in the URL address field.

The eWeb site returns a detailed error with the stack trace.

To replace this error with a less verbose, security-neutral error message, use the following steps:

  1. Go to eWeb\CuteSoft_Client\web.config.
  2. Open the web.config file in a text editor.
  3. Search for the following tag: <system.web>. You'll find the following section:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
        <compilation debug="true"/>
        <customErrors mode="Off"/>
      </system.web>
    </configuration>

  4. Change the customErrors mode value to On.
  5. Save web.config. The application pool recycles.

Editing the iWeb Web.Config File

To enable the custom error mode in iWeb, edit the web.config file as follows:

  1. Go to iWeb\forms\CuteEditor\CuteSoft_Client\web.config.
  2. Open the web.config file in a text editor.
  3. Search for the <system.web> tag. You'll find the following section:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
        <compilation debug="true"/>
        <customErrors mode="Off"/>
      </system.web>
    </configuration>

  4. Change the customErrors mode value to On.
  5. Save web.config. The application pool recycles.
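
To confirm that both the eWeb and iWeb edits are in place, the following added example (not part of the original page or of CuteEditor) scans a site root for web.config files and lists every <system.web> block whose customErrors mode is not On. The function names and the sample are constructed for illustration; treating a missing element as RemoteOnly is an assumption based on the ASP.NET default.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the <system.web> section as the page shows it before the fix.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    <compilation debug="true"/>
    <customErrors mode="Off"/>
  </system.web>
</configuration>"""


def _local(tag):  # strip a "{namespace}" prefix if the file declares one
    return tag.rsplit("}", 1)[-1]


def custom_errors_modes(data):
    """Return the customErrors mode of every <system.web> block, <location> overrides included."""
    modes = []
    for element in ET.fromstring(data).iter():
        if _local(element.tag) != "system.web":
            continue
        found = [child for child in element if _local(child.tag) == "customErrors"]
        # Assumption: ASP.NET uses RemoteOnly when the element or its mode attribute is absent.
        modes.append(found[0].get("mode", "RemoteOnly") if found else "RemoteOnly")
    return modes


def audit_tree(root_dir):
    """Return (path, mode) for each web.config block whose mode is not "On"."""
    findings = []
    for path in sorted(Path(root_dir).rglob("*")):
        if not path.is_file() or path.name.lower() != "web.config":
            continue
        try:
            modes = custom_errors_modes(path.read_bytes())
        except ET.ParseError:
            modes = ["unparseable"]
        findings += [(str(path), mode) for mode in modes if mode != "On"]
    return findings


if __name__ == "__main__":
    # Usage: python audit_customerrors.py <site root> (defaults to the current directory)
    for path, mode in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: customErrors mode={mode}")
```

An empty result means every web.config under the root already has customErrors set to On; any line printed names a file that still needs the edit described above.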