TFS Web Services

TFS 2010 The following are instructions for TFS 2010 Web Services, Web Access, and Dashboards to work around the security vulnerability in ASP.NET (2416728). TFS Web Services 1. On each machine with the TFS Application Tier, browse to the TFS installation directory %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services2. Create a file called error.aspx with the following content:<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Security.Cryptography" %> <%@ Import Namespace="System.Threading" %><script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); Response.StatusCode = 404; IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } } </script><html> <head runat="server"> <title>Error</title> </head> <body> <div> An error occurred while processing your request. </div> </body> </html> 3. Copy the web.config file to web.config.original4. Edit the web.config file 5. Find the line with the customerErrors tag (e.g. <customErrors mode="On" />) 6. Replace that line with <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>7. Save the web.config file8. Run iisreset /noforceReturn TFS Web Services to Original Settings 1. On each machine with the TFS Application Tier, browse to the TFS installation directory %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services2. Copy web.config.original to web.config3. Delete error.aspx4. Run iisreset /noforceTFS Web Access 1. On each machine with Web Access installed, browse to the directory that contains the Web Access error page %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Access\ Web\UI\Pages2. Copy Error.aspx to Error.aspx.original3. Edit error.aspx, select all, delete. Insert the following content:<%@ Page Language="C#" AutoEventWireup="true" ShowPageHeader="true" Inherits="Microsoft.TeamFoundation.WebAccess.UI.Pages.Error" Codebehind="Error.aspx.cs" %> <%@ Register Src="../Controls/PageHeader.ascx" TagName="PageHeader" TagPrefix="dbz" %> <%@ Register Src="../Controls/PageFooter.ascx" TagName="PageFooter" TagPrefix="dbz" %> <%@ Register Assembly="Microsoft.TeamFoundation.WebAccess.Controls" Namespace="Microsoft.TeamFoundation.WebAccess.Controls" TagPrefix="dbz" %> <%@ Register Assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="System.Web.UI" TagPrefix="asp" %> <%@ Import NameSpace="System.Security.Cryptography" %> <%@ Import NameSpace="System.Threading" %><html xmlns="http://www.w3.org/1999/xhtml"> <head id="Head1" runat="server"> <title></title> <base target="_self" /> </head> <body style="overflow: hidden;"> <form id="form1" runat="server" style="width: 100%; height: 100%" class="tswa-font"> <asp:ScriptManager ID="scMan" runat="server" ScriptMode="Auto" /> <dbz:PageHeader ID="pghd" runat="server" ShowTabs="false" EnableViewState="false" ErrorScope="Raise" /> <div style="padding-left: 10px; padding-right: 10px;"> <div class="err fill-w" style="font-size: large; margin-bottom: 10px; margin-top: 10px;"> Error </div> <asp:Panel runat="server" visible="false" > <div id="errorTitle" runat="server" style="font-size: larger; font-weight: bold;">Error Message</div> <pre id="errorDetail" runat="server">Error Detail</pre> </asp:Panel> <% Response.StatusCode = 200; byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]);IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } Response.Write("An error occurred while processing your request."); %> </div> <dbz:PageFooter ID="pgft" runat="server" EnableViewState="false" ErrorScope="Raise" /> </form> </body> </html> 4. Save error.aspx file5. Browse to the directory that contains the Web Access web.config file: %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services\web6. Copy the web.config file to web.config.original7. Edit the web.config file 8. Find the line with the customerErrors tag (e.g. <customErrors mode="Off" />)9. Replace that line with <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/UI/Pages/error.aspx"/>10. Save the web.config file11. Run iisreset /noforceReturn TFS Web Access to Original Settings 1. On each machine with Web Access installed, browse to the directory that contains the Web Access error page %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Access\ Web\UI\Pages2. Copy Error.aspx.original to Error.aspx3. Browse to the directory that contains the Web Access web.config file: %Program Files%\Microsoft Team Foundation Server 2010\Application Tier\Web Services\web4. Copy the web.config.original file to web.config5. Run iisreset /noforceTFS Dashboards Since TFS Dashboards run inside of Sharepoint follow the steps outlined on the Microsoft Sharepoint Team Blog regarding this issue.TFS Proxy Web Services You will need to add a custom error.aspx page and modify the web.config for the proxy web service using the following steps:1- browse to the TFS installation directory %Program Files%\Microsoft Team Foundation Server 2010\Version Control Proxy\Web Services 2- Create a file called error.aspx with the following content:<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Security.Cryptography" %> <%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); Response.StatusCode = 404; IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } } </script><html> <head runat="server"> <title>Error</title> </head> <body> <div> An error occurred while processing your request. </div> </body> </html> 3- Copy the web.config file to web.config.original4- Edit the web.config file 5- Search for an existing <customErrors> tag and remove it if found6- Add the following new customErrors tag under configuration/system.web: <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>7- Save the web.config file8- Once done modifying all of the folders, run: iisreset /noforce TFS 2008 The following are instructions for TFS Web Services 2008 and Team System Web Access 2008 to work around the security vulnerability in ASP.NET (2416728). TFS 2008 Web Services You will need to add a custom error.aspx page and modify the web.config for each web service. Repeat the following steps for each web.config under %ProgramFiles%\Microsoft Visual Studio 2008 Team Foundation Server\Web Services\. This includes the following paths:1. [TFS2008InstallLocation]\Web Services\2. [TFS2008InstallLocation]\Web Services\Build3. [TFS2008InstallLocation]\Web Services\Services4. [TFS2008InstallLocation]\Web Services\VersionControl5. [TFS2008InstallLocation]\Web Services\Warehouse6. [TFS2008InstallLocation]\Web Services\WorkItemTracking9. Create a file called error.aspx with the following content:<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Security.Cryptography" %> <%@ Import Namespace="System.Threading" %><script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); Response.StatusCode = 404; IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } } </script><html> <head runat="server"> <title>Error</title> </head> <body> <div> An error occurred while processing your request. </div> </body> </html> 10. Copy the web.config file to web.config.original11. Edit the web.config file 12. Search for an existing <customErrors> tag and remove it if found13. Add the following new customErrors tag under configuration/system.web: <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>14. Save the web.config file15. Repeat steps 1-6 for the other folders under Web Services that contain a web.config file.Once done modifying all of the folders, run: iisreset /noforceReturn TFS 2008 Web Services to Original Settings For each of the web service folder listed above:5. Copy web.config.original to web.config6. Delete error.aspxOnce completed, run: iisreset /noforceTeam System Web Access 2008 Perform the following steps on the web and wiwa folders under the Web Access installation directory- %ProgramFiles%\Microsoft Visual Studio 2008 Team System Web Access\Web- %ProgramFiles%\ Microsoft Visual Studio 2008 Team System Web Access\Wiwa1. Create a file called error.aspx with the following content:<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Security.Cryptography" %> <%@ Import Namespace="System.Threading" %> <script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); Response.StatusCode = 200; IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } } </script><html> <head runat="server"> <title>Error</title> </head> <body> <div> An error occurred while processing your request. </div> </body> </html> 2. Copy the web.config file to web.config.original3. Edit the web.config file 4. Search for the existing “customErrors” tag and replace it with:<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>5. Search for the “outputCompression” tag and replace it with: <outputCompression enabled="false" />6. Save the web.config fileOnce done modifying all of the folders, run: iisreset /noforceReturn Team System Web Access 2008 to Original Settings For both the “web” and “wiwa” folders (listed above):1. Copy web.config.original to web.config2. Delete error.aspx Once completed, run: iisreset /noforceTFS Proxy Web Services You will need to add a custom error.aspx page and modify the web.config for the proxy web service using the following steps:9- Go to path [TFS2008InstallLocation]\WebServices\VersionControlProxy\10- Create a file called error.aspx with the following content:<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Security.Cryptography" %> <%@ Import Namespace="System.Threading" %><script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); Response.StatusCode = 404; IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } } </script><html> <head runat="server"> <title>Error</title> </head> <body> <div> An error occurred while processing your request. </div> </body> </html> 11- Copy the web.config file to web.config.original12- Edit the web.config file 13- Search for an existing <customErrors> tag and remove it if found 14- Add the following new customErrors tag under configuration/system.web: <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>15- Save the web.config file16- Once done modifying all of the folders, run: iisreset /noforce TFS 2005 The following are instructions for TFS Web Services 2005 to work around the security vulnerability in ASP.NET (2416728). TFS 2005 Web Services You will need to add a custom error.aspx page and modify the web.config for each web service. Repeat the following steps for each web.config under %ProgramFiles%\Microsoft Visual Studio 2005 Team Foundation Server\Web Services\. This includes the following paths: [TFS2005InstallLocation]\Web Services\ [TFS2005InstallLocation]\Web Services\Build [TFS2005InstallLocation]\Web Services\Services [TFS2005InstallLocation]\Web Services\VersionControl [TFS2005InstallLocation]\Web Services\Warehouse [TFS2005InstallLocation]\Web Services\WorkItemTracking1. Create a file called error.aspx with the following content:<%@ Page Language="C#" AutoEventWireup="true" %> <%@ Import Namespace="System.Security.Cryptography" %> <%@ Import Namespace="System.Threading" %><script runat="server"> void Page_Load() { byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); Response.StatusCode = 404; IDisposable disposable = prng as IDisposable; if (disposable != null) { disposable.Dispose(); } } </script><html> <head runat="server"> <title>Error</title> </head> <body> <div> An error occurred while processing your request. </div> </body> </html> 2. Copy the web.config file to web.config.original3. Edit the web.config file 4. Search for an existing <customErrors> tag and remove it if found5. Add the following new customErrors tag under configuration/system.web: <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/>For web.configs that does not have this node add it under the <system.web> tag if the system.web tag does not exist you can add it under the configuration node<system.web><customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx"/></system.web>6. Save the web.config file7. Repeat steps 1-6 for the other folders under Web Services that contain a web.config file.Once done modifying all of the folders, run: iisreset /noforceReturn TFS 2005 Web Services to Original Settings For each of the web service folder listed above:7. Copy web.config.original to web.config8. Delete error.aspxOnce completed, run: iisreset /noforce

TFS Web Services

Details

Download

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

Support