Views: 3341
Number of votes: 4
Average rating:

Hide resizer.debug.ashx from your website.

Many of us is using the popular http://imageresizing.net library for manipulate or resizing images on our website. But with that plugin you will also get the resizer.debug.ashx. This little thingy is actually showing a lot of information about your website to the world.

The page is actually part of the Diagnotics plugin and can be disabled by using the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, make sure you have configured the customError section correct in you web.config.

Example of information exposed from one partner website:

Environment information:

Running Microsoft-IIS/8.5 on Microsoft Windows NT 6.3.9600.0 and CLR 4.0.30319.42000
Trust level: Unrestricted
OS bitness: AMD64
Executing assembly: c:\windows\system32\inetsrv\w3wp.exe
IntegratedPipeline: True

Loaded assemblies:

mscorlib                                 Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Web                               Assembly: 4.0.0.0         File: 4.6.1069.1      Info: 4.6.1069.1
System                                   Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Core                              Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Web.ApplicationServices           Assembly: 4.0.0.0         File: 4.6.1069.1      Info: 4.6.1069.1
System.Configuration                     Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
System.Xml                               Assembly: 4.0.0.0         File: 4.6.1064.2      Info: 4.6.1064.2
System.Runtime.Caching                   Assembly: 4.0.0.0         File: 4.6.1055.0      Info: 4.6.1055.0
Microsoft.Build.Utilities.v4.0           Assembly: 4.0.0.0         File: 4.0.30319.33440 Info: 4.0.30319.33440
Microsoft.JScript                        Assembly: 10.0.0.0        File: 14.0.1055.0     Info: 14.0.1055.0

I guess many of us does not care but I think it is a good idea to hide that information and we forget to set the right customErrors. Another way of removing information is to use a rewrite rule in your project like the one below instead of removing the plugin or rely on customerrors section.

       <rule name="ImageResizer"
      patternSyntax="Wildcard"
      stopProcessing="true">
          <match url="*" />
          <conditions>
            <add input="{URL}"
                 pattern="/*.ashx" />

          </conditions>
          <action type="CustomResponse"
                  statusCode="404"
                  statusReason="File or directory not found."
                  statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
        </rule>
Apr 22, 2016

valdis
(By valdis, 4/24/2016 7:01:17 PM)

Nice catch. Is it so, that you are disabling *any* Http handler by adding pattern "/*.ashx"?

eric.pettersson
(By eric.pettersson, 4/24/2016 11:01:03 PM)

In this case I believe so ;)  But it is more of an exampel but it will work in this case. If you have other handlers you will need to have another rewrite condition.

frederik
(By frederik, 4/26/2016 5:12:38 PM)

It's only available for localhost (by default at least).

eric.pettersson
(By eric.pettersson, 4/26/2016 6:22:27 PM)

Hmm not sure what you mean with localhost!? I have tried this on a couple of websites using imageresizer and I get this information. :) 

valdis
(By valdis, 4/27/2016 1:02:19 AM)

Digging more into this stuff:

1) You can disable this handler not by addign rewrite rule (and potentially disabling *any* handler your site might have) - but instead, adding element to your element.

2) this handler is enabled because most probably is set to "Off". Double check your web.config file.

eric.pettersson
(By eric.pettersson, 4/27/2016 1:10:38 AM)

Thanks for all comment and yes I mentioned that in the post but could have been in more detail perhaps :) 

"The page is actually part of the Diagnotics plugin and can be disabled by using the resizer section in web.config. If you can see ASP.NET error messages, you will also be able to get the diagnostics page. This ensures that the diagnostics page never exposes data to a host that doesn't already have access to detailed error messages, make sure you have configured the customError section correct in you web.config."

Please login to comment.