Try our conversational search powered by Generative AI!

Eric
Apr 22, 2016
  4761
(4 votes)

Hide resizer.debug.ashx from your website.

Many of us is using the popular http://imageresizing.net library for manipulate or resizing images on our website. But with that plugin you will also get the resizer.debug.ashx. This little thingy is actually showing a lot of information about your website to the world.

The page is actually part of the Diagnotics plugin and can be disabled by using the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, make sure you have configured the customError section correct in you web.config.

Example of information exposed from one partner website:

Environment information:

Running Microsoft-IIS/8.5 on Microsoft Windows NT 6.3.9600.0 and CLR 4.0.30319.42000
Trust level: Unrestricted
OS bitness: AMD64
Executing assembly: c:\windows\system32\inetsrv\w3wp.exe
IntegratedPipeline: True

Loaded assemblies:

mscorlib                                 Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Web                               Assembly: 4.0.0.0         File: 4.6.1069.1      Info: 4.6.1069.1
System                                   Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Core                              Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Web.ApplicationServices           Assembly: 4.0.0.0         File: 4.6.1069.1      Info: 4.6.1069.1
System.Configuration                     Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Xml                               Assembly: 4.0.0.0         File: 4.6.1064.2      Info: 4.6.1064.2
System.Runtime.Caching                   Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
Microsoft.Build.Utilities.v4.0           Assembly: 4.0.0.0         File: 4.0.30319.33440 Info: 4.0.30319.33440
Microsoft.JScript                        Assembly: 10.0.0.0        File: 14.0.1055.0     Info: 14.0.1055.0

I guess many of us does not care but I think it is a good idea to hide that information and we forget to set the right customErrors. Another way of removing information is to use a rewrite rule in your project like the one below instead of removing the plugin or rely on customerrors section.

       <rule name="ImageResizer"
      patternSyntax="Wildcard"
      stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{URL}"
                 pattern="/*.ashx" />

          </conditions>
          <action type="CustomResponse"
                  statusCode="404"
                  statusReason="File or directory not found."
                  statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
        </rule>
Apr 22, 2016

Comments

valdis
valdis Apr 24, 2016 05:01 PM

Nice catch. Is it so, that you are disabling *any* Http handler by adding pattern "/*.ashx"?

Eric
Eric Apr 24, 2016 09:01 PM

In this case I believe so ;)  But it is more of an exampel but it will work in this case. If you have other handlers you will need to have another rewrite condition.

Frederik Vig
Frederik Vig Apr 26, 2016 03:12 PM

It's only available for localhost (by default at least).

Eric
Eric Apr 26, 2016 04:22 PM

Hmm not sure what you mean with localhost!? I have tried this on a couple of websites using imageresizer and I get this information. :) 

valdis
valdis Apr 26, 2016 11:02 PM

Digging more into this stuff:

1) You can disable this handler not by addign rewrite rule (and potentially disabling *any* handler your site might have) - but instead, adding element to your element.

2) this handler is enabled because most probably is set to "Off". Double check your web.config file.

Eric
Eric Apr 26, 2016 11:10 PM

Thanks for all comment and yes I mentioned that in the post but could have been in more detail perhaps :) 

"The page is actually part of the Diagnotics plugin and can be disabled by using the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, make sure you have configured the customError section correct in you web.config."

Please login to comment.
Latest blogs
Change the IP HTTP Header used for geo-lookup in Application Insights

.

Johan Kronberg | Jun 10, 2024 | Syndicated blog

Copying property values

In this article I’d like to show simple Edit Mode extension for copying property values to other language versions. In one of my previous blogposts...

Grzegorz Wiecheć | Jun 8, 2024 | Syndicated blog

Auto-translate with OpenAI GPT-4o in Optimizely CMS

Improvements for Episerver.Labs.LanguageManager! It's now possible to auto-translate both a page and its children at the same time! Additionally, m...

Tomas Hensrud Gulla | Jun 7, 2024 | Syndicated blog

Upgrade To Optimizely CMS 12 Issue: List item fields have become Required

There are many funny details to be aware of when upgrading from Episerver CMS 11 to Optimizely CMS 12. One of them that might feel a bit confusing ...

Allan Thraen | Jun 7, 2024 | Syndicated blog