Tim

Footprints in the snow of a warped mind

Umbraco developers - remember to disable the umbDebug settings when you go live


© 2012 Tim Gaunt.


# Friday, October 28, 2011

Umbraco developers - remember to disable the umbDebug settings when you go live

Friday, October 28, 2011 12:05:41 PM (GMT Daylight Time, UTC+01:00)

Recently I've noticed a growing number of Umbraco developers forgetting to disable the Umbraco debug settings before going live. We all fall foul of this from time to time but it is a security loophole that you can patch incredibly easily.

If you're not familiar with the helpful debugging querystring parameters umbDebug and umbDebugShowTrace, they basically show you the ASP.Net trace output and highlight the various macros used on the page. There's also a useful "toggle debugging in Umbraco" bookmarklet on cpalm.dk.

Why you should disable trace

If you try it out on a site which has debugging enabled, you'll get all sorts of helpful information output to the page, including where your website is installed, all of which is very helpful and interesting to hackers. It also identifies your site as an Umbraco site very quickly, which is again something you would want to avoid if at all possible.

How to disable the debug settings via the web.config

Umbraco helpfully has a built-in flag in the web.config appSettings section which allows you to effortlessly toggle the debugging features on/off. To turn it off, search for "umbracoDebugMode" in your web.config and, if it's set to "true", change it to "false".

<add key="umbracoDebugMode" value="true" />

Should be:

<add key="umbracoDebugMode" value="false" />

For good measure you should also change ASP.Net's built-in debug flag:

<compilation defaultLanguage="c#" debug="true" batch="false" targetFramework="4.0">

Should be:

<compilation defaultLanguage="c#" debug="false" batch="false" targetFramework="4.0">
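Both flags can be checked automatically before a release. The following PowerShell is an added example, not part of the original post; the function name Get-DebugFinding and the sample config are constructed for illustration.

```powershell
# Added example: report the two debug flags described above if either is "true".
function Get-DebugFinding {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # local-name() keeps the XPath working if <configuration> declares a default xmlns.
    $adds = $Config.SelectNodes("//*[local-name()='appSettings']/*[local-name()='add']")
    foreach ($add in $adds) {
        if ($add.GetAttribute('key') -ieq 'umbracoDebugMode' -and
            $add.GetAttribute('value').Trim() -ieq 'true') {
            'appSettings: umbracoDebugMode is "true"'
        }
    }

    $compilations = $Config.SelectNodes("//*[local-name()='system.web']/*[local-name()='compilation']")
    foreach ($c in $compilations) {
        # GetAttribute returns an empty string when the attribute is absent.
        if ($c.GetAttribute('debug').Trim() -ieq 'true') {
            'system.web/compilation: debug is "true"'
        }
    }
}

# Constructed sample, not a real site's web.config.
$sample = @'
<configuration>
  <appSettings>
    <add key="umbracoDebugMode" value="true" />
  </appSettings>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" batch="false" targetFramework="4.0" />
  </system.web>
</configuration>
'@

$findings = @(Get-DebugFinding -Config $sample)
$findings | ForEach-Object { Write-Warning $_ }

# Fail the deployment step when any debug flag is still switched on.
if ($findings.Count -gt 0) {
    throw "Debug settings still enabled: $($findings.Count) finding(s)"
}
```

To check a real file, pass `([xml](Get-Content -Raw .\web.config))` as `-Config` instead of the sample string.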

Disable it using UrlRewriting.config

If you prefer the belts and braces method, you can add a rule to your UrlRewriting.config to redirect the user every time the URL includes something that looks suspicious. To do this, just add the following rewrites to your UrlRewriting.config (or replace it completely if you don't have any rules):

<urlrewritingnet xmlns="http://www.urlrewriting.net/schemas/config/2006/07">
    <rewrites>
        <!-- .aspx pages: redirect to the same page without the query string -->
        <add name="nodebugaspx"
            virtualUrl="(.*)\.aspx.*umbDebug.*"
            rewriteUrlParameter="IncludeQueryStringForRewrite"
            redirect="Application"
            destinationUrl="~$1.aspx"
            ignoreCase="true" />

        <!-- Everything else: redirect to the part of the URL before umbDebug -->
        <add name="nodebug"
            virtualUrl="(.*).*umbDebug.*"
            rewriteUrlParameter="IncludeQueryStringForRewrite"
            redirect="Application"
            destinationUrl="~$1"
            ignoreCase="true" />
    </rewrites>
</urlrewritingnet>
 
