Information
The Safe Controls list contains the names of controls and Web Parts, specific to your
SharePoint site, that server administrators can designate as safe for use on any .aspx page
within a site. This list is part of the Web.config file in your Web application root.
Rationale:
A fundamental assumption of SharePoint Server is that 'untrusted users' can upload and
create ASPX pages within the system on which SharePoint is running. These users should
be prevented from adding server-side code within ASPX pages, but there should be a list of
approved controls that those untrusted users can use. One way to provide these controls is
to create a Safe Controls list.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
1. Copy the <YourWebPartName>.dll assembly in the project's Bin directory to the Bin
directory in your Web application root directory. For example:
C:\inetpub\wwwroot\wss\VirtualDirectories\80\.
2. Locate the Web.config file in your application root directory and open it for editing.
3. Add the following safe-control entry for your custom assembly to the Web.config
file:
<SafeControl Assembly='<YourWebPartName>, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=null' Namespace='<YourWebPartNamespace>' TypeName='*'
Safe='True' AllowRemoteDesigner='True'/>
<YourWebPartName> is the name of the Web Part that is being deployed.
<YourWebPartNamespace> is the namespace that is associated with your Web Part.
Impact:
Malicious users can upload and create ASPX pages.