TFS Web Services

TFS 2010 The following are instructions for TFS 2010 Web Services, Web Access, and Dashboards to work around the security vulnerability in ASP.NET (2416728).

TFS Web Services 1. On each machine with the TFS Application Tier, browse to the TFS installation directory %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services

2. Create a file called error.aspx with the following content:

<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Security.Cryptography" %> <%@ Import Namespace="System.Threading" %>

4. Edit the web.config file

5. Find the line with the customerErrors tag (e.g. ) 6. Replace that line with

7. Save the web.config file

8. Run iisreset /noforce

Return TFS Web Services to Original Settings 1. On each machine with the TFS Application Tier, browse to the TFS installation directory %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services

2. Copy web.config.original to web.config

3. Delete error.aspx

TFS Web Access 1. On each machine with Web Access installed, browse to the directory that contains the Web Access error page %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Access\ Web\UI\Pages

2. Copy Error.aspx to Error.aspx.original

3. Edit error.aspx, select all, delete. Insert the following content:

<%@ Page Language="C#" AutoEventWireup="true" ShowPageHeader="true" Inherits="Microsoft.TeamFoundation.WebAccess.UI.Pages.Error" Codebehind="Error.aspx.cs" %> <%@ Register Src="../Controls/PageHeader.ascx" TagName="PageHeader" TagPrefix="dbz" %> <%@ Register Src="../Controls/PageFooter.ascx" TagName="PageFooter" TagPrefix="dbz" %> <%@ Register Assembly="Microsoft.TeamFoundation.WebAccess.Controls" Namespace="Microsoft.TeamFoundation.WebAccess.Controls" TagPrefix="dbz" %> <%@ Register Assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Web.UI" TagPrefix="asp" %> <%@ Import NameSpace="System.Security.Cryptography" %> <%@ Import NameSpace="System.Threading" %>

prng.GetBytes(delay); Thread.Sleep((int)delay[0]);

IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } Response.Write("An error occurred while processing your request."); %>

5. Browse to the directory that contains the Web Access web.config file: %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services\web

6. Copy the web.config file to web.config.original

7. Edit the web.config file 8. Find the line with the customerErrors tag (e.g. )

9. Replace that line with

Return TFS Web Access to Original Settings 1. On each machine with Web Access installed, browse to the directory that contains the Web Access error page %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Access\ Web\UI\Pages

2. Copy Error.aspx.original to Error.aspx

3. Browse to the directory that contains the Web Access web.config file: %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services\web

4. Copy the web.config.original file to web.config

TFS Dashboards Since TFS Dashboards run inside of Sharepoint follow the steps outlined on the Microsoft Sharepoint Team Blog regarding this issue.

TFS Proxy Web Services You will need to add a custom error.aspx page and modify the web.config for the proxy web service using the following steps:

1- browse to the TFS installation directory %Program Files%\Microsoft Team Foundation Server 2010\Version Control Proxy\Web Services

2- Create a file called error.aspx with the following content:

4- Edit the web.config file

5- Search for an existing tag and remove it if found

6- Add the following new customErrors tag under configuration/system.web:

7- Save the web.config file

8- Once done modifying all of the folders, run: iisreset /noforce TFS 2008 The following are instructions for TFS Web Services 2008 and Team System Web Access 2008 to work around the security vulnerability in ASP.NET (2416728).

TFS 2008 Web Services You will need to add a custom error.aspx page and modify the web.config for each web service. Repeat the following steps for each web.config under %ProgramFiles%\Microsoft Visual Studio 2008 Team Foundation Server\Web Services\. This includes the following paths:

1. [TFS2008InstallLocation]\Web Services\

2. [TFS2008InstallLocation]\Web Services\Build

3. [TFS2008InstallLocation]\Web Services\Services

4. [TFS2008InstallLocation]\Web Services\VersionControl

5. [TFS2008InstallLocation]\Web Services\Warehouse

6. [TFS2008InstallLocation]\Web Services\WorkItemTracking

12. Search for an existing tag and remove it if found

13. Add the following new customErrors tag under configuration/system.web:

15. Repeat steps 1-6 for the other folders under Web Services that contain a web.config file.

Once done modifying all of the folders, run: iisreset /noforce

Return TFS 2008 Web Services to Original Settings For each of the web service folder listed above:

Once completed, run: iisreset /noforce

Team System Web Access 2008 Perform the following steps on the web and wiwa folders under the Web Access installation directory

- %ProgramFiles%\Microsoft Visual Studio 2008 Team System Web Access\Web

- %ProgramFiles%\ Microsoft Visual Studio 2008 Team System Web Access\Wiwa

4. Search for the existing “customErrors” tag and replace it with:

5. Search for the “outputCompression” tag and replace it with:

Return Team System Web Access 2008 to Original Settings For both the “web” and “wiwa” folders (listed above):

2. Delete error.aspx Once completed, run: iisreset /noforce

TFS Proxy Web Services You will need to add a custom error.aspx page and modify the web.config for the proxy web service using the following steps:

9- Go to path [TFS2008InstallLocation]\WebServices\VersionControlProxy\

10- Create a file called error.aspx with the following content:

12- Edit the web.config file

13- Search for an existing tag and remove it if found 14- Add the following new customErrors tag under configuration/system.web:

15- Save the web.config file

16- Once done modifying all of the folders, run: iisreset /noforce TFS 2005 The following are instructions for TFS Web Services 2005 to work around the security vulnerability in ASP.NET (2416728).

TFS 2005 Web Services You will need to add a custom error.aspx page and modify the web.config for each web service. Repeat the following steps for each web.config under %ProgramFiles%\Microsoft Visual Studio 2005 Team Foundation Server\Web Services\. This includes the following paths:

 [TFS2005InstallLocation]\Web Services\

 [TFS2005InstallLocation]\Web Services\Build

 [TFS2005InstallLocation]\Web Services\Services

 [TFS2005InstallLocation]\Web Services\VersionControl

 [TFS2005InstallLocation]\Web Services\Warehouse

 [TFS2005InstallLocation]\Web Services\WorkItemTracking

4. Search for an existing tag and remove it if found

5. Add the following new customErrors tag under configuration/system.web:

For web.configs that does not have this node add it under the tag if the system.web tag does not exist you can add it under the configuration node

7. Repeat steps 1-6 for the other folders under Web Services that contain a web.config file.

Return TFS 2005 Web Services to Original Settings For each of the web service folder listed above:

Once completed, run: iisreset /noforce