Improve your security settings in IIS

Our software messageconcept PeopleSync uses the Microsoft Internet Information Services to publish contact data via the CardDAV protocol over HTTPS. The Austrian national Computer Emergency Response Team (CERT) published a bulletin regarding a critical security vulnerability in CGI this week. CERT recommends to change to change the webserver configuration immediately to hide the following information in the HHTP header for script access:

  • Proxy
  • Proxy_Host
  • Proxy_Port
  • Proxy_User
  • Proxy_Pass
  • Proxy_Password

As PeopleSync uses FastCGI, CERT recommends to apply the following rules in the apphost.config file to filter some environment variables:

<system.webServer>
<rewrite>
<rules>
<rule name=”Erase HTTP_PROXY” patternSyntax=”Wildcard”>
<match url=”*.*” />
<serverVariables>
<set name=”HTTP_PROXY” value=”” />
</serverVariables>
<action type=”None” />
</rule>
</rules>
</rewrite>
</system.webServer>

In general, CERT recommends to patch all software components with the latest fixes. messageconcept also recommends to update PeopleSync to version 16.1. Besides new functionality, the new release supports PHP 5.6 to patch security flaws in PHP.

news cert at logo news cert at logo news cert at logo

messageconcept PeopleSync is the synchronization platform for your contact data. All contacts of the email systems, databases and enterprise solutions of your company are thus available on every mobile device and the work places of your employees.

Our software brings the phone numbers and address data of your employees, customers, partners and suppliers according to your IT policies to your smartphones, tablets and computers of your entire staff.

On our download pages you are able to get fully functional evaluation versions of our products. Therefore you have the chance to trial our software for free before purchase without any risk.

In our online shop, you are able to calculate your individual product price, retrieve formal quotes and purchase licenses.