Eric
Apr 22, 2016
  4189
(4 votes)

Hide resizer.debug.ashx from your website.

Many of us is using the popular http://imageresizing.net library for manipulate or resizing images on our website. But with that plugin you will also get the resizer.debug.ashx. This little thingy is actually showing a lot of information about your website to the world.

The page is actually part of the Diagnotics plugin and can be disabled by using the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, make sure you have configured the customError section correct in you web.config.

Example of information exposed from one partner website:

Environment information:

Running Microsoft-IIS/8.5 on Microsoft Windows NT 6.3.9600.0 and CLR 4.0.30319.42000
Trust level: Unrestricted
OS bitness: AMD64
Executing assembly: c:\windows\system32\inetsrv\w3wp.exe
IntegratedPipeline: True

Loaded assemblies:

mscorlib                                 Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Web                               Assembly: 4.0.0.0         File: 4.6.1069.1      Info: 4.6.1069.1
System                                   Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Core                              Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Web.ApplicationServices           Assembly: 4.0.0.0         File: 4.6.1069.1      Info: 4.6.1069.1
System.Configuration                     Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Xml                               Assembly: 4.0.0.0         File: 4.6.1064.2      Info: 4.6.1064.2
System.Runtime.Caching                   Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
Microsoft.Build.Utilities.v4.0           Assembly: 4.0.0.0         File: 4.0.30319.33440 Info: 4.0.30319.33440
Microsoft.JScript                        Assembly: 10.0.0.0        File: 14.0.1055.0     Info: 14.0.1055.0

I guess many of us does not care but I think it is a good idea to hide that information and we forget to set the right customErrors. Another way of removing information is to use a rewrite rule in your project like the one below instead of removing the plugin or rely on customerrors section.

       <rule name="ImageResizer"
      patternSyntax="Wildcard"
      stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{URL}"
                 pattern="/*.ashx" />

          </conditions>
          <action type="CustomResponse"
                  statusCode="404"
                  statusReason="File or directory not found."
                  statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
        </rule>
Apr 22, 2016

Comments

valdis
valdis Apr 24, 2016 05:01 PM

Nice catch. Is it so, that you are disabling *any* Http handler by adding pattern "/*.ashx"?

Eric
Eric Apr 24, 2016 09:01 PM

In this case I believe so ;)  But it is more of an exampel but it will work in this case. If you have other handlers you will need to have another rewrite condition.

Frederik Vig
Frederik Vig Apr 26, 2016 03:12 PM

It's only available for localhost (by default at least).

Eric
Eric Apr 26, 2016 04:22 PM

Hmm not sure what you mean with localhost!? I have tried this on a couple of websites using imageresizer and I get this information. :) 

valdis
valdis Apr 26, 2016 11:02 PM

Digging more into this stuff:

1) You can disable this handler not by addign rewrite rule (and potentially disabling *any* handler your site might have) - but instead, adding element to your element.

2) this handler is enabled because most probably is set to "Off". Double check your web.config file.

Eric
Eric Apr 26, 2016 11:10 PM

Thanks for all comment and yes I mentioned that in the post but could have been in more detail perhaps :) 

"The page is actually part of the Diagnotics plugin and can be disabled by using the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, make sure you have configured the customError section correct in you web.config."

Please login to comment.
Latest blogs
How to use CacheTagHelper with content areas in Optimizely CMS 12

I might be going out on a limb here - if you have a better solution, feel very free to share it!  Upgrading your Optimizely web application from .N...

Andreas J | Dec 2, 2022

The 1001st Piece in your 1000 Piece Puzzle: .NET Default Interface Functions

I was recently working with a client who wanted a reasonably large subsystem added to Optimizely that would add automated management to their...

Greg J | Nov 28, 2022 | Syndicated blog

Video Demonstration, creating a CMS12 Alloy Sample Site

Hey All Below you will find a quick video demonstration on how to install a local version of Alloy Sample based on CMS12 / .Net 6. As you will see ...

Minesh Shah (Netcel) | Nov 28, 2022

How to create an admin user I Optimizely CMS – with Episerver CLI

In this blog post I’ll show how to create an admin user for Optimizely CMS in a new environment where you don’t have access to the admin interface.

Ove Lartelius | Nov 28, 2022 | Syndicated blog