TFS Web Services

TFS 2010
The following are instructions for TFS 2010 Web Services, Web Access, and Dashboards to work around
the security vulnerability in ASP.NET (2416728).
TFS Web Services
1. On each machine with the TFS Application Tier, browse to the TFS installation directory
%Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services
2. Create a file called error.aspx with the following content:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
Response.StatusCode = 404;
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
3. Copy the web.config file to web.config.original
4. Edit the web.config file
5. Find the line with the customErrors tag (e.g. <customErrors mode="On" />)
6. Replace that line with
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>
7. Save the web.config file
8. Run iisreset /noforce
Return TFS Web Services to Original Settings
1. On each machine with the TFS Application Tier, browse to the TFS installation directory
%Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services
2. Copy web.config.original to web.config
3. Delete error.aspx
4. Run iisreset /noforce
TFS Web Access
1. On each machine with Web Access installed, browse to the directory that contains the Web
Access error page
%Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Access\Web\UI\Pages
2. Copy Error.aspx to Error.aspx.original
3. Edit error.aspx, select all, delete. Insert the following content:
<%@ Page Language="C#" AutoEventWireup="true" ShowPageHeader="true"
Inherits="Microsoft.TeamFoundation.WebAccess.UI.Pages.Error" Codebehind="Error.aspx.cs"
%>
<%@ Register Src="../Controls/PageHeader.ascx" TagName="PageHeader" TagPrefix="dbz" %>
<%@ Register Src="../Controls/PageFooter.ascx" TagName="PageFooter" TagPrefix="dbz" %>
<%@ Register Assembly="Microsoft.TeamFoundation.WebAccess.Controls"
Namespace="Microsoft.TeamFoundation.WebAccess.Controls" TagPrefix="dbz" %>
<%@ Register Assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" Namespace="System.Web.UI" TagPrefix="asp" %>
<%@ Import NameSpace="System.Security.Cryptography" %>
<%@ Import NameSpace="System.Threading" %>
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
<title></title>
<base target="_self" />
</head>
<body style="overflow: hidden;">
<form id="form1" runat="server" style="width: 100%; height: 100%" class="tswa-font">
<asp:ScriptManager ID="scMan" runat="server" ScriptMode="Auto" />
<dbz:PageHeader ID="pghd" runat="server" ShowTabs="false" EnableViewState="false"
ErrorScope="Raise" />
<div style="padding-left: 10px; padding-right: 10px;">
<div class="err fill-w" style="font-size: large; margin-bottom: 10px; margin-top: 10px;">
<img src="~/Resources/Images/error.gif" alt="" id="imgError" runat="server"
align="absMiddle" />
<span id="pgHeader" runat="server">Error</span>
</div>
<asp:Panel runat="server" visible="false" >
<div id="errorTitle" runat="server" style="font-size: larger; font-weight: bold;">Error
Message</div>
<pre id="errorDetail" runat="server">Error Detail</pre>
</asp:Panel>
<%
Response.StatusCode = 200;
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
Response.Write("An error occurred while processing your request.");
%>
</div>
<dbz:PageFooter ID="pgft" runat="server" EnableViewState="false" ErrorScope="Raise" />
</form>
</body>
</html>
4. Save error.aspx file
5. Browse to the directory that contains the Web Access web.config file:
%Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services\web
6. Copy the web.config file to web.config.original
7. Edit the web.config file
8. Find the line with the customErrors tag (e.g. <customErrors mode="Off" />)
9. Replace that line with
<customErrors mode="On" redirectMode="ResponseRewrite"
defaultRedirect="~/UI/Pages/error.aspx"/>
10. Save the web.config file
11. Run iisreset /noforce
Return TFS Web Access to Original Settings
1. On each machine with Web Access installed, browse to the directory that contains the Web
Access error page
%Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Access\Web\UI\Pages
2. Copy Error.aspx.original to Error.aspx
3. Browse to the directory that contains the Web Access web.config file:
%Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services\web
4. Copy the web.config.original file to web.config
5. Run iisreset /noforce
TFS Dashboards
Since TFS Dashboards run inside SharePoint, follow the steps outlined on the Microsoft SharePoint
Team Blog regarding this issue.
TFS Proxy Web Services
You will need to add a custom error.aspx page and modify the web.config for the proxy web service
using the following steps:
1- Browse to the TFS installation directory
%Program Files%\Microsoft Team Foundation Server 2010\Version Control Proxy\Web Services
2- Create a file called error.aspx with the following content:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
Response.StatusCode = 404;
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
3- Copy the web.config file to web.config.original
4- Edit the web.config file
5- Search for an existing <customErrors> tag and remove it if found
6- Add the following new customErrors tag under configuration/system.web:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>
7- Save the web.config file
8- Once done modifying all of the folders, run:
iisreset /noforce
TFS 2008
The following are instructions for TFS Web Services 2008 and Team System Web Access 2008 to work
around the security vulnerability in ASP.NET (2416728).
TFS 2008 Web Services
You will need to add a custom error.aspx page and modify the web.config for each web service. Repeat
the following steps for each web.config under %ProgramFiles%\Microsoft Visual Studio 2008 Team
Foundation Server\Web Services\. This includes the following paths:
[TFS2008InstallLocation]\Web Services\
[TFS2008InstallLocation]\Web Services\Build
[TFS2008InstallLocation]\Web Services\Services
[TFS2008InstallLocation]\Web Services\VersionControl
[TFS2008InstallLocation]\Web Services\Warehouse
[TFS2008InstallLocation]\Web Services\WorkItemTracking
1. Create a file called error.aspx with the following content:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
Response.StatusCode = 404;
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
2. Copy the web.config file to web.config.original
3. Edit the web.config file
4. Search for an existing <customErrors> tag and remove it if found
5. Add the following new customErrors tag under configuration/system.web:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>
6. Save the web.config file
7. Repeat steps 1-6 for the other folders under Web Services that contain a web.config file.
Once done modifying all of the folders, run:
iisreset /noforce
Return TFS 2008 Web Services to Original Settings
For each of the web service folders listed above:
1. Copy web.config.original to web.config
2. Delete error.aspx
Once completed, run:
iisreset /noforce
Team System Web Access 2008
Perform the following steps on the web and wiwa folders under the Web Access installation directory:
%ProgramFiles%\Microsoft Visual Studio 2008 Team System Web Access\Web
%ProgramFiles%\Microsoft Visual Studio 2008 Team System Web Access\Wiwa
1. Create a file called error.aspx with the following content:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
Response.StatusCode = 200;
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
2. Copy the web.config file to web.config.original
3. Edit the web.config file
4. Search for the existing “customErrors” tag and replace it with:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>
5. Search for the “outputCompression” tag and replace it with:
<outputCompression enabled="false" />
6. Save the web.config file
Once done modifying all of the folders, run:
iisreset /noforce
Return Team System Web Access 2008 to Original Settings
For both the “web” and “wiwa” folders (listed above):
1. Copy web.config.original to web.config
2. Delete error.aspx
Once completed, run:
iisreset /noforce
TFS Proxy Web Services
You will need to add a custom error.aspx page and modify the web.config for the proxy web service
using the following steps:
1- Go to path [TFS2008InstallLocation]\WebServices\VersionControlProxy\
2- Create a file called error.aspx with the following content:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
Response.StatusCode = 404;
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
3- Copy the web.config file to web.config.original
4- Edit the web.config file
5- Search for an existing <customErrors> tag and remove it if found
6- Add the following new customErrors tag under configuration/system.web:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>
7- Save the web.config file
8- Once done modifying all of the folders, run:
iisreset /noforce
TFS 2005
The following are instructions for TFS Web Services 2005 to work around the security vulnerability in
ASP.NET (2416728).
TFS 2005 Web Services
You will need to add a custom error.aspx page and modify the web.config for each web service. Repeat
the following steps for each web.config under %ProgramFiles%\Microsoft Visual Studio 2005 Team
Foundation Server\Web Services\. This includes the following paths:
[TFS2005InstallLocation]\Web Services\
[TFS2005InstallLocation]\Web Services\Build
[TFS2005InstallLocation]\Web Services\Services
[TFS2005InstallLocation]\Web Services\VersionControl
[TFS2005InstallLocation]\Web Services\Warehouse
[TFS2005InstallLocation]\Web Services\WorkItemTracking
1. Create a file called error.aspx with the following content:
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
void Page_Load() {
byte[] delay = new byte[1];
RandomNumberGenerator prng = new RNGCryptoServiceProvider();
prng.GetBytes(delay);
Thread.Sleep((int)delay[0]);
Response.StatusCode = 404;
IDisposable disposable = prng as IDisposable;
if (disposable != null) { disposable.Dispose(); }
}
</script>
<html>
<head runat="server">
<title>Error</title>
</head>
<body>
<div>
An error occurred while processing your request.
</div>
</body>
</html>
2. Copy the web.config file to web.config.original
3. Edit the web.config file
4. Search for an existing <customErrors> tag and remove it if found
5. Add the following new customErrors tag under configuration/system.web:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>
For web.config files that do not have this node, add it under the <system.web> tag. If the
system.web tag does not exist, you can add it under the configuration node:
<system.web>
<customErrors mode="On" redirectMode="ResponseRewrite"
defaultRedirect="~/error.aspx"/>
</system.web>
6. Save the web.config file
7. Repeat steps 1-6 for the other folders under Web Services that contain a web.config file.
Once done modifying all of the folders, run:
iisreset /noforce
Return TFS 2005 Web Services to Original Settings
For each of the web service folders listed above:
1. Copy web.config.original to web.config
2. Delete error.aspx
Once completed, run:
iisreset /noforce
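
A way to confirm that the workaround steps in the sections above were applied to every folder, as an added example that is not part of the original instructions: the PowerShell script below checks each folder's web.config for the customErrors settings given on this page, confirms that the error page named by defaultRedirect exists and still contains the random delay, and confirms that the web.config.original backup is present. The -Folders parameter, the function name Test-CustomErrorsWorkaround, and the treatment of the web.config folder as the root for "~/" are assumptions of this example.

```powershell
# Added example, not part of the original instructions.
# -Folders: the directories whose web.config you edited (default: the TFS 2010 path above).
param([string[]]$Folders = @(
    "$env:ProgramFiles\Microsoft Team Foundation Server 2010\Application Tier\Web Services"))

function Test-CustomErrorsWorkaround {   # hypothetical helper name
    param([string]$Folder)
    $config = Join-Path $Folder 'web.config'
    $problems = @()
    $nodes = @()
    $xml = New-Object System.Xml.XmlDocument
    try {
        $xml.Load($config)
        # local-name() keeps the query working if <configuration> declares an xmlns.
        $nodes = @($xml.SelectNodes("/*[local-name()='configuration']" +
            "/*[local-name()='system.web']/*[local-name()='customErrors']"))
    } catch {
        $problems += "cannot load web.config: $($_.Exception.Message)"
    }
    if ($problems.Count -eq 0 -and $nodes.Count -ne 1) {
        $problems += "found $($nodes.Count) customErrors elements under configuration/system.web, expected 1"
    }
    if ($nodes.Count -eq 1) {
        $ce = $nodes[0]
        # -cne: case-sensitive comparison of the attribute values
        if ($ce.GetAttribute('mode') -cne 'On') { $problems += 'mode is not "On"' }
        if ($ce.GetAttribute('redirectMode') -cne 'ResponseRewrite') {
            $problems += 'redirectMode is not "ResponseRewrite"'
        }
        $redirect = $ce.GetAttribute('defaultRedirect')
        if (-not $redirect.StartsWith('~/')) {
            $problems += "defaultRedirect '$redirect' is not a ~/ path"
        } else {
            # Assumption: the folder holding web.config is the application root for "~/".
            $page = Join-Path $Folder ($redirect.Substring(2) -replace '/', '\')
            if (-not (Test-Path -LiteralPath $page)) {
                $problems += "error page missing: $page"
            } elseif (-not (Select-String -Path $page -Pattern 'Thread.Sleep' -SimpleMatch -Quiet)) {
                $problems += "error page has no Thread.Sleep delay: $page"
            }
        }
    }
    if (-not (Test-Path -LiteralPath "$config.original")) { $problems += 'web.config.original backup missing' }
    New-Object PSObject -Property @{
        Folder = $Folder; Compliant = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

$Folders | ForEach-Object { Test-CustomErrorsWorkaround $_ } | Format-List Folder, Compliant, Problems
```

Run it once per server with every folder you modified passed to -Folders; after a rollback to the original settings, the same folders are expected to report as non-compliant.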