xWeb Security

There are many facets to xWeb security.

Directory Indexing

Directory indexing can give a user too much information about the pages and layout of the NetForum site. For instance, a user can enter a URL that points to a folder with no default page and receive a listing of the entire folder's contents. A user could use that listing to reach pages in NetForum that would otherwise be hidden from them, creating a potential security leak.

To stop this potential security leak, the baseline web.config files for eWeb, iWeb, and xWeb have been modified to include the following statement:

<system.webServer>
  <directoryBrowse enabled="false" />
</system.webServer>

With directoryBrowse enabled set to false, a user who enters a URL to a folder with no default page sees the following error message instead of a list of files:

HTTP Error 403.14 - Forbidden
The Web server is configured to not list the contents of this directory.

If you do not see this entry in the web.config file, use the following steps to add it:

  1. Go to one of the following:
    1. ../eweb/web.config for eWeb
    2. ../iweb/web.config for iWeb
    3. ../xweb/web.config for xWeb
  2. Open the web.config file in a text editor.
  3. Search for the following tag: <system.webServer>.
    1. If you do not find it, add the following code anywhere in the web.config file:
      <system.webServer>
        <directoryBrowse enabled="false" />
      </system.webServer>
    2. If you do find it, check that the value of enabled in <directoryBrowse enabled=""> is false.
  4. Save the web.config. The application pool recycles.

Displaying Stack Trace

Displaying a stack trace as part of an xWeb error message can give a user too much information, such as the name of the program or method in which the error occurred and the chain of method calls that led to it. A user could use this information to craft malicious code that targets the displayed methods, creating a potential security leak.

To stop this potential security leak, the baseline error message includes only a general description of the problem and omits the stack trace.
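The following script is an added example, not part of the NetForum documentation or product, that audits a web.config for the two settings covered on this page and applies the directoryBrowse fix from the procedure above (find or create system.webServer, then force enabled="false"). The web.config text is a constructed sample. The check of the stack-trace setting assumes the standard ASP.NET customErrors element under system.web, where mode="Off" sends detailed errors, stack trace included, to every client; the page does not name that setting, so treat it as an assumption to confirm against your own configuration.

```python
"""Audit a web.config for directory browsing and detailed-error exposure.

Added example (not NetForum's own tooling). Assumptions:
  * the file is ordinary ASP.NET/IIS web.config XML;
  * stack-trace exposure is controlled by <system.web><customErrors mode="...">,
    where mode="Off" returns detailed errors to all clients (assumption: the
    page itself does not name this setting).
"""
import xml.etree.ElementTree as ET

# Constructed sample: both settings in their risky state.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <directoryBrowse enabled="true" />
  </system.webServer>
</configuration>
"""


def audit(config_xml):
    """Return the current state of the two settings as a dict.

    directory_browsing: "true", "false", or "missing" (IIS default applies)
    custom_errors_mode: the mode attribute, or "missing"
    """
    root = ET.fromstring(config_xml)
    browse = root.find("./system.webServer/directoryBrowse")
    errors = root.find("./system.web/customErrors")
    return {
        "directory_browsing": "missing" if browse is None
        else browse.get("enabled", "").lower(),
        "custom_errors_mode": "missing" if errors is None
        else errors.get("mode", ""),
    }


def ensure_directory_browse_disabled(config_xml):
    """Apply steps 3-4 of the procedure: add the tag if absent, set enabled="false".

    Returns (new_xml, changed), where changed is True if the file needed editing.
    """
    root = ET.fromstring(config_xml)
    web_server = root.find("system.webServer")
    if web_server is None:
        web_server = ET.SubElement(root, "system.webServer")
    browse = web_server.find("directoryBrowse")
    if browse is None:
        browse = ET.SubElement(web_server, "directoryBrowse")
    changed = browse.get("enabled", "").lower() != "false"
    browse.set("enabled", "false")
    return ET.tostring(root, encoding="unicode"), changed


def findings(config_xml):
    """Human-readable list of problems found in the configuration."""
    state = audit(config_xml)
    problems = []
    if state["directory_browsing"] != "false":
        problems.append("directoryBrowse is not explicitly disabled")
    if state["custom_errors_mode"] in ("Off", "missing"):
        problems.append("customErrors does not hide detailed errors from remote users")
    return problems


if __name__ == "__main__":
    for problem in findings(SAMPLE_WEB_CONFIG):
        print("FINDING:", problem)
    fixed, changed = ensure_directory_browse_disabled(SAMPLE_WEB_CONFIG)
    print("directoryBrowse fixed:", changed)
    print(fixed)
```

To run it against a real deployment, read the file at one of the paths listed in step 1 into `config_xml`, write the returned text back, and let the application pool recycle as described in step 4; the customErrors finding is reported only, since the page documents no specific value for it.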