Posts in Category: Releases

mojoPortal 2.3.5.5 Released

I'm happy to announce the release of mojoPortal 2.3.5.5, available now on our download page.

A few weeks ago I was on the verge of releasing my new add-on product, In Site Analytics Pro, but when I tested the package I discovered that the graphs did not work in Medium Trust hosting. It turned out to be a problem with ZedGraph that was easily fixed by re-compiling it with the AllowPartiallyTrustedCallers attribute set to true. However, since both mojoPortal and In Site Analytics use ZedGraph, they really need to both be compiled against the same version of ZedGraph. There are ways around such issues with configuration to map assembly versions, but to keep things simple I decided to wait and release a new version of mojoPortal with the new version of ZedGraph before releasing In Site Analytics Pro. So I went through our list of to-do items and things that have been requested by the community to find a few low-hanging-fruit items that could be finished quickly to make the mojoPortal upgrade more appealing. I will follow up in the next few days and make the first release of In Site Analytics Pro, but it will require mojoPortal 2.3.5.5 or newer.

What's New?

In recent versions we added a Facebook Like button and a Tweet This button to the blog. In this release we made it possible to also show the Facebook Like button and/or the Tweet This button in the RSS feed, so that users who subscribe to the feed using Google Reader or other feed readers can also Like or Tweet your posts. We also added logic so that if a blog post is saved with a blank url, the url is generated by server side code.

Thanks to a good suggestion from Tim Cadenbach, we added some nice ajaxy transitions for the jQuery UI tabs and Accordion used in administrative features and elsewhere.

Added a setting in Site Settings to require a Captcha on the Registration page.

Added a setting in Site Settings to require users to type their email address twice on the registration page (to avoid typos during registration).

Added a setting in Site Settings to show a Password Strength Meter on the registration page to encourage strong passwords.

Added a setting in Site Settings to require a Captcha on the login page, not something I generally recommend doing but if your security requirements call for this it is now possible.

Added support for a new token in newsletters for #viewaswebpage# which is replaced with a link to the web page version of the newsletter.

There was a usability issue previously with the forum notification emails: an opt out link was shown both for the forum as a whole and for just the thread, regardless of whether the user was really subscribed to both the forum and the thread. Now we have different notification templates for each scenario, so that opt out links are shown only for the notifications the user is actually subscribed to.

Added an automatic machine key generator to the Security Advisor page to make it easier to create a custom machine key.

screen shot of machine key generator
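As an added illustration (this is not mojoPortal's own generator code), here is a small Python stand-in for what a machine key generator like the one on the Security Advisor page produces: fresh random keys for a custom machineKey element, plus a check that flags an element still relying on auto-generated keys, non-hex keys, or keys too short for the chosen algorithms. The per-algorithm key sizes and the exact checks are assumptions made for this example.

```python
import secrets
import xml.etree.ElementTree as ET

# Key size in bytes per algorithm name (an assumption for this example: the HMAC
# block size for the validation algorithms, the cipher key size for AES / 3DES).
KEY_BYTES = {"HMACSHA256": 64, "HMACSHA512": 128, "SHA1": 64, "AES": 32, "3DES": 24}


def generate_machine_key(validation="HMACSHA256", decryption="AES"):
    """Return a <machineKey> element with fresh, cryptographically random keys (upper-case hex)."""
    validation_key = secrets.token_hex(KEY_BYTES[validation]).upper()
    decryption_key = secrets.token_hex(KEY_BYTES[decryption]).upper()
    return (
        f'<machineKey validationKey="{validation_key}" '
        f'decryptionKey="{decryption_key}" '
        f'validation="{validation}" decryption="{decryption}" />'
    )


def check_machine_key(element_xml):
    """Return a list of problems with a <machineKey> element; an empty list means it is acceptable.

    Flags keys left as AutoGenerate (not under your control and not shared between servers),
    keys that are not hexadecimal, and keys shorter than the chosen algorithm expects.
    """
    problems = []
    el = ET.fromstring(element_xml)
    validation = el.get("validation", "HMACSHA256")
    decryption = el.get("decryption", "AES")
    for attr, alg in (("validationKey", validation), ("decryptionKey", decryption)):
        value = el.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            problems.append(f"{attr} is auto-generated")
            continue
        try:
            raw = bytes.fromhex(value)
        except ValueError:
            problems.append(f"{attr} is not hexadecimal")
            continue
        needed = KEY_BYTES.get(alg)
        if needed is not None and len(raw) < needed:
            problems.append(f"{attr} is {len(raw)} bytes, expected {needed} for {alg}")
    return problems


if __name__ == "__main__":
    element = generate_machine_key()
    print(element)
    print("problems:", check_machine_key(element))
```

Paste the generated element inside the system.web section of Web.config; the same element must be used on every server that shares the site's cookies.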

Bug Fixes

  • Fixed issue where ZedGraph was not working in Medium Trust
  • Fixed issue where multi file selection for bulk upload did not work in IE after a recent Flash update
  • Fixed Member list paging bug in pgsql data layer

Don't forget that we are moving this site to a new server this evening so there may be some down time during the move.

If you haven't already, please vote for mojoPortal in the 2010 Open Source CMS Awards

Follow us on twitter or become a fan on Facebook


Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

mojoPortal 2.3.5.4 Released

mojoPortal 2.3.5.4 is now available on our download page.

This is a compatibility update for the changes in ASP.NET that resulted from the security patch recently released by Microsoft and now available from Windows Update. I blogged about this issue previously and provided a workaround for the compatibility issue; this new release eliminates the need for the workaround.

Before the security update, decrypting the role cookie could throw a System.Security.Cryptography.CryptographicException if the machine key had changed while the user was already authenticated. We already had error handling for that exception, but after the security update the behavior changed and a more generic HttpException was thrown instead, which we were not handling, so users who were previously authenticated experienced an error until they cleared the cookie. Even without a machine key change, the same error could occur for a user who was authenticated before the Windows update was applied (because the security update also changed how cookies are encrypted). In this release we have added handling for the new, more generic exception, so the cookie is reset if this error occurs and the user will not experience an error on your site.

We've also removed the previous workaround for the ASP.NET security issue since it is not needed after the update is applied.

Other Changes

Thanks to Steve Railsback of Colorado State University we have some new CSS that can be used to add images to the Administration menu. It uses some Crystal Icons which are licensed under LGPL. I've updated many of the included skins that ship with mojoPortal to use the new icons; you can easily add them to your skin by adding this to your style.config file:

<file cssvpath="/Data/style/adminmenu/style.css" imagebasevpath="/Data/style/adminmenu/">none</file>

It will transform the admin menu from a plain looking vertical list to a list of images with hover effects like this:

screen shot of admin icons

This release also has:

  • upgrade to CKEditor 3.4.1
  • upgrade to TinyMCE 3.3.9.2
  • updated Italian resource files thanks to Diego Mora
  • fixed a bug where menu items that were configured as unclickable were still clickable in the breadcrumbs

I'd also like to point out a new article in the skinning documentation written by Steve Land, Using Wireframe Skins. Steve has shared a skin he designed to solve the problem of how to keep your discussions with clients focused on functionality when you need to. It is a very common issue that the customer can easily get sidetracked onto colors and other visual aspects, which is fine if you are trying to discuss the design but distracting if you are trying to focus the discussion on functionality or other non-design aspects of the site. The wireframe skin can help with this because it is designed to not be distracting and to clearly represent that the design is not what is being shown. Please let Steve know if you find his wireframe skin useful; if there is interest he might make more variations.


mojoPortal 2.3.5.3 Released

mojoPortal 2.3.5.3 is now available on our download page.

This is another security update, following up on version 2.3.5.2, which we released on Friday afternoon to address 2 mojoPortal-specific security issues and which included some initial defense against a more general ASP.NET vulnerability, the full details of which were released Friday afternoon at a security conference in Argentina. On Friday night Microsoft released information about the vulnerability and a workaround to help protect sites until Microsoft can provide a fix to the underlying problem. On Saturday morning I updated the post for version 2.3.5.2 with the workaround information.

Over the weekend we continued to review how best to protect mojoPortal and this morning we are releasing mojoPortal 2.3.5.3.

This release has the same fixes provided in version 2.3.5.2, but also has the Microsoft suggested workaround pre-applied. Additionally, we have added a new page in the Administration Menu that can detect a few common configuration issues that affect security and provide links to information about how to correct the configuration. If a serious configuration issue is detected, it shows an alert in the Administration Menu to bring it to your attention.

screen shot of security alert in the administration menu

Note that in a multi site installation this page is only available in the root administrative site.

I strongly advise everyone to upgrade as soon as possible if you haven't already.

There was also a bug introduced in version 2.3.5.2: the fix I had made for the FileService issue caused an error in the page when using the alternate File Manager (which doesn't use the file service). This issue is fixed in version 2.3.5.3.

Note that in this release I also commented out the PageNotFoundHandlerModule in Web.config. I'm not 100% sure this is needed, but it is probably better to play it safe. The downside is that users who click bad links will not see the friendly "page not found" page but the generic error page.

For more details see also:

UPDATE 2010-09-25

Scott Guthrie of Microsoft just posted about an additional protection that can and should be applied at the server level. If you have control of your own server you should take the additional step of installing UrlScan and configuring a rule as indicated in the article.

http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

UPDATE 2010-10-04

The fix for the ASP.NET security bug is now available in Windows Update. However, the change has a negative side effect for the current release of mojoPortal which may cause authenticated users to experience an error on your site. The error occurs when trying to decrypt a role cookie that was encrypted before the update was applied. Previously, if there was an error decrypting a role cookie, it threw a System.Security.Cryptography.CryptographicException (which we were handling so the user would not experience any error). After the Windows update it now throws a more generic HttpException, which the current release does not handle, so the user will see the error page, and the only way to solve it is to clear the cookie. I have added handling for the changed error for the next release of mojoPortal. There is one workaround you can apply right away: add code to the ErrorPage.aspx in the root to clear the role cookie, so that at least the user will only see the error page one time. To do this, edit the ErrorPage.aspx file with a text editor. At the top add this:

<%@ Import Namespace="mojoPortal.Business" %>
<%@ Import Namespace="mojoPortal.Business.WebHelpers" %>
<%@ Import Namespace="mojoPortal.Web" %>

then add this code to the bottom of the Page_Load event:

try
{
    // Resolve the current site so the per-site role cookie name can be looked up.
    SiteSettings siteSettings = CacheHelper.GetCurrentSiteSettings();
    if (siteSettings != null)
    {
        // Overwrite the role cookie with an empty value so the next request does not
        // try to decrypt the stale cookie again; the roles are rebuilt on the next login.
        string roleCookieName = SiteUtils.GetRoleCookieName(siteSettings);
        HttpCookie roleCookie = new HttpCookie(roleCookieName, string.Empty);
        roleCookie.HttpOnly = true;
        roleCookie.Path = "/";
        HttpContext.Current.Response.Cookies.Add(roleCookie);
    }
}
catch { } // the error page itself must never throw


mojoPortal 2.3.5.2 Released

mojoPortal 2.3.5.2 is now available on our download page.

This is an important security and bug fix release. All users of mojoPortal are urged to upgrade as soon as possible.

Yesterday a security exploit bulletin identifying 2 security vulnerabilities in mojoPortal 2.3.4.3 was posted on the internet. I was able to verify the issues still exist as of version 2.3.5.1, so I immediately began working on a fix. You can see the information on this page: http://www.exploit-db.com/exploits/15018/ however it might be wise to disable javascript or use the NoScript Firefox plugin when visiting that page just out of respect for what these guys are capable of. When I view the source of the exploit information page it seems to have a lot of javascript. Possibly there is nothing malicious about the page but better to use caution just in case.

Issue #1

The first issue listed in the exploit bulletin was an issue in the file manager service where it was possible to target an admin with a social engineering attack to make him visit a malicious web site specifically targeting his site while he was logged in as admin, and this would allow the attacker to run some javascript which would call the file service on the ADMIN user's mojoPortal site using the move command to rename the user.config file. If the attack was successful then the site would stop working the next time the application pool recycles, because the user.config file is no longer there so it would not be able to find the connection string. Because of this it is described as a DOS (Denial of Service) attack, since it could take the site offline. By renaming the user.config to something with an unprotected file extension like user.config.aaa the attacker could then download the user.config file and capture the database connection string and potentially other sensitive data that might be stored in user.config.

Mitigating Factors

  • if the site is configured as recommended, with only the /App_Data and /Data folders being writable by the web process, this attack would not work because the web process would not be able to rename the user.config file in the root. So the site would have to be misconfigured for this exploit to work.
  • this requires a targeted social attack against a specific admin user and a specific site. The admin user would have to be tricked into visiting a malicious site while logged in as admin in his mojoPortal site for it to work, and the malicious site would have to be coded to target the specific mojoPortal site belonging to the user. Also javascript would have to be enabled. When I visit random sites from internet searches or links people send to me, I use Firefox with NoScript plugin, and I recommend you do the same.
  • if the site is actively monitored the Denial of Service would be corrected quickly

Issue # 2

There was a cross site scripting vulnerability on the public profile page, /ProfileView.aspx, where we were appending the user name/id into the page title without sanitizing it first. Since we were not enforcing any rules on the user name/id by default other than that it must be unique, a user could register with a specially crafted string to add an external script to the page. The script could be used for malicious purposes such as stealing the authentication cookie of a user who visited the infected user profile page. The fix for this involved both sanitizing the user name/id before we append it to the title and also adding some validation of user names/ids when the user registers, to prevent characters that can be used for this kind of exploit such as angle brackets.
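The two layers of the fix described above, as an added Python illustration rather than mojoPortal's own code: the unencoded title construction beside its encoded form, a registration-time name rule, and a post-upgrade review helper that lists existing names the rule would reject. The regular expression is an assumption for this example; the page does not give mojoPortal's actual pattern.

```python
import html
import re

# Registration rule used in this example (an assumption; mojoPortal's real pattern is
# not on this page): letters, digits, dot, underscore, at sign, space and hyphen only,
# so angle brackets, quotes and ampersands can never reach a stored user name.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@ -]{3,50}")


def is_valid_username(name):
    """Registration-time validation: reject any name that could carry markup."""
    return USERNAME_RE.fullmatch(name) is not None


def page_title_vulnerable(site_name, user_name):
    """The pre-2.3.5.2 pattern: the raw user name is concatenated into the <title>."""
    return f"<title>{site_name} - {user_name}</title>"


def page_title_fixed(site_name, user_name):
    """Output encoding: markup characters in the name become text the browser displays."""
    return f"<title>{html.escape(site_name)} - {html.escape(user_name)}</title>"


def find_suspect_usernames(user_names):
    """Post-upgrade review: names the new rule would reject, so an admin can inspect
    those profiles and lock the accounts (they stand out in the member list)."""
    return [n for n in user_names if not is_valid_username(n)]


# Constructed sample input: two ordinary names and one that closes the title element.
CRAFTED = "bob</title><script>x()</script>"
SAMPLE_USERS = ["joe.audette", "diego-mora", CRAFTED]

if __name__ == "__main__":
    print(page_title_vulnerable("mojoPortal", CRAFTED))  # markup survives
    print(page_title_fixed("mojoPortal", CRAFTED))       # markup encoded
    print(find_suspect_usernames(SAMPLE_USERS))
```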

Mitigating Factors

  • The user name/id is shown on the member list and is html encoded there so that no exploit is possible. It would be easy to spot a malicious user name/id on the member list and then edit the user profile and lock the account.
  • For several versions now we have had an optional config setting for entering a regular expression for user name/id validation. Sites that were already using this would not be affected since the user would not be able to enter the malicious user name.

Potential Issue # 3

This one was not from this exploit bulletin, and is not specific to mojoPortal, but could potentially affect millions of ASP.NET sites. This article was brought to my attention by a community member, George Birbilis. 
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx

The full details of the vulnerability have not been posted yet, so I'm not 100% sure whether it will affect mojoPortal or not. I will have to review it once the full details are posted. However, from what I have gathered so far, it sounds like a real issue that will affect a lot of sites. When I first read the article, I thought it was saying that the hacker would use error messages received from the server to crack the machine key and then forge a cookie to get administrative access to a site. If that is true then it is not as bad, because by default no error details are sent from the server; only the 500 status code, which indicates an error, would be sent. However, from reading comments in a few other places it sounds like they do not in fact need any error details but can gradually decipher the machine key through a lot of requests using only the response status codes 200 (success), 404 (not found) and 500 (error). I took steps in this release, in case that is how it works, to help protect against this attack. Basically what I did was make it always return a 404 if there is a cryptography error. So if the theory is true that they need to see the 500 status code, this solution may protect against it. We will have to wait for the full details to know for sure. As I understand it the full details will be released today at a security conference.

UPDATE 2010-09-18

Microsoft has posted a Security Advisory 2416728 on TechNet which says they are investigating this problem to provide an update. They also provide a workaround. The workaround is basically to use a custom error page so that no error details are returned from the server. We already have that by default in mojoPortal, where we use error.htm as the default error page. The only difference in their workaround suggestion is that they use a custom .aspx page to show the generic error instead of plain html, and they use some logic to make the thread sleep for a random amount of time so that the timing of the 500 status code cannot easily be used as an alternative to error details. I recommend that you copy the C# version of the error page they provide into a text file named ErrorPage.aspx, put it in the root of your web site, and edit the web.config as follows (this is also shown in the Microsoft article):

  1. wrap the entire <system.web> section inside a location element <location allowOverride="false"></location> - this might cause an error in some installations; if it does, just skip it and follow step 2.
  2. find this in your Web.config file:

    <customErrors mode="RemoteOnly" defaultRedirect="Error.htm">
      <error statusCode="413" redirect="~/NeatUpload/Error413.aspx"/>
    </customErrors>

    and change it like this:

    <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx">
    </customErrors>

That should help defend against possible attacks until an update is available from Microsoft. For more details to understand this problem, see http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
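A way to confirm the Web.config edit above has actually taken, as an added Python check that is not part of mojoPortal: it parses a Web.config and reports anything that departs from the workaround (mode "On", ResponseRewrite, a single default page, no per-status error entries, and the optional location wrapper from step 1). The before/after fragments are constructed for this example from the snippets shown above.

```python
import xml.etree.ElementTree as ET

# Constructed before/after fragments mirroring the Web.config edit described above.
BEFORE = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="Error.htm">
      <error statusCode="413" redirect="~/NeatUpload/Error413.aspx"/>
    </customErrors>
  </system.web>
</configuration>"""

AFTER = """<configuration>
  <location allowOverride="false">
    <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx">
      </customErrors>
    </system.web>
  </location>
</configuration>"""


def check_custom_errors(web_config_xml):
    """Return findings for the customErrors setup; an empty list means the workaround is applied.

    mode="On" sends the same generic page to local and remote callers, ResponseRewrite serves
    it in place instead of redirecting, and per-status <error> entries are flagged because they
    would let different failure types be told apart by their responses.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    node = root.find(".//system.web/customErrors")
    if node is None:
        return ["no customErrors element under system.web"]
    if node.get("mode") != "On":
        findings.append(f'mode is {node.get("mode")!r}, expected "On"')
    if node.get("redirectMode") != "ResponseRewrite":
        findings.append('redirectMode is not "ResponseRewrite"')
    if not node.get("defaultRedirect"):
        findings.append("defaultRedirect is not set")
    if node.findall("error"):
        findings.append("per-status <error> entries present; all errors should use the same page")
    if root.find("./location[@allowOverride='false']/system.web") is None:
        findings.append('system.web not wrapped in <location allowOverride="false"> (step 1, optional)')
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_custom_errors(cfg))
```

Run it against a copy of your real Web.config by reading the file into a string and passing it to check_custom_errors.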

You should also review the post installation check list to make sure you have configured your site securely.

UPDATE 2010-09-25

Scott Guthrie of Microsoft just posted about an additional protection that can and should be applied at the server level. If you have control of your own server you should take the additional step of installing UrlScan and configuring a rule as indicated in the article.

http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

UPDATE 2010-10-04

The fix for the ASP.NET security bug is now available in Windows Update. However, the change has a negative side effect for the current release of mojoPortal which may cause authenticated users to experience an error on your site. The error occurs when trying to decrypt a role cookie that was encrypted before the update was applied. Previously, if there was an error decrypting a role cookie, it threw a System.Security.Cryptography.CryptographicException (which we were handling so the user would not experience any error). After the Windows update it now throws a more generic HttpException, which the current release does not handle, so the user will see the error page, and the only way to solve it is to clear the cookie. I have added handling for the changed error for the next release of mojoPortal. There is one workaround you can apply right away: add code to the ErrorPage.aspx in the root to clear the role cookie, so that at least the user will only see the error page one time. To do this, edit the ErrorPage.aspx file with a text editor. At the top add this:

<%@ Import Namespace="mojoPortal.Business" %>
<%@ Import Namespace="mojoPortal.Business.WebHelpers" %>
<%@ Import Namespace="mojoPortal.Web" %>

then add this code to the bottom of the Page_Load event:

try
{
    // Resolve the current site so the per-site role cookie name can be looked up.
    SiteSettings siteSettings = CacheHelper.GetCurrentSiteSettings();
    if (siteSettings != null)
    {
        // Overwrite the role cookie with an empty value so the next request does not
        // try to decrypt the stale cookie again; the roles are rebuilt on the next login.
        string roleCookieName = SiteUtils.GetRoleCookieName(siteSettings);
        HttpCookie roleCookie = new HttpCookie(roleCookieName, string.Empty);
        roleCookie.HttpOnly = true;
        roleCookie.Path = "/";
        HttpContext.Current.Response.Cookies.Add(roleCookie);
    }
}
catch { } // the error page itself must never throw

Other Non-Security Bug Fixes

  • fixed a long-standing issue in the VirtualPathProvider that we use to serve the theme.skin file from the skin folder. For a long time this problem was not very noticeable because most skins did not have much variation in their theme.skin files, but more recently, with our support for Artisteer, we use settings in the theme.skin file to control how markup is rendered so that we can add the needed markup for Artisteer and also the newer jQueryUI skin. The problem was that whatever skin was used first after the application startup would have its theme.skin file cached, and when pages with other skins were used they got the copy from the cache because the cache key was identical. Since the one in the cache may not have the correct settings, it could cause pages to render incorrectly. The fix was to make sure they are uniquely cached. Note however that VirtualPathProvider does not work under medium trust in .NET 3.5 (it does work in 4.0); in that case all skins use the theme.skin file from App_Themes/default. For those in full trust or in .NET 4 hosting, you should see things work better in this release when using multiple skins or allowing user skins.
  • fixed an issue in folder based child sites where the canonical url rendered in the head was not correct, it was doubling the folder name.
  • fixed a bug where, if using related sites mode, newly created sites were not correctly inheriting security settings from the parent site until you saved the parent site again, at which point they would propagate to the child sites.
  • fixed a bug where if using related sites mode, the admin and edit links were not shown consistently to site editors in child sites
  • fixed a bug where the jQuery script was disabled if you set the StyleSheetCombiner to not load jQuery UI
  • fixed a bug where the Superfish menu was not rendering the mouse over effects in .NET 4 - Thanks to Benedict for the solution!
  • fixed a bug where if FirstName and LastName were used as custom profile properties it was not loading them correctly
  • fixed a pgsql data layer error in the forums feature
  • fixed a SQL CE data layer error in the image gallery
  • added error handling to the feed manager so that if a feed is missing the required channel element it does not crash the page

mojoPortal 2.3.5.1 Released

I'm happy to announce the release of mojoPortal 2.3.5.1, available now on our download page.

What's New?

jQuery UI Skin

This release includes a new skin based on jQuery UI, as described in my previous post. There is also a theme picker for choosing the jQuery UI theme. There are a bunch of pre-defined themes and you can roll your own with the jQuery UI theme roller, so this skin is like many skins in one.

A number of people have been asking in the forums about how to make menu items not clickable. Typically people want this when they are using a flyout menu like the jQuery Superfish menu or the horizontal menus used in Artisteer skins. Usually there is a parent page that is just a container for child pages that have the actual articles, and you may wish to make the parent menu item not clickable. If the user clicks it, it is the same as if they mouse over it, it just shows the child items and does not navigate to the page. This is now supported as described in the documentation article Un-clickable Menu Items.

Feature Setting Groups

This is something I've been meaning to do for a long time: when a feature has a lot of settings (like the blog, for example), the settings page could become very daunting just because there are so many settings. By adding groups, we can organize the settings into logical groups, which makes it much easier for the user to digest because they can view one group at a time.

feature setting groups

A Few Blog Improvements

As the screen shot shows, there are some new settings for the blog. You can now add extra content into the blog side bar in 2 locations. This is suitable for adding a blog roll or an advertisement or other content you would like to add to the sidebar of the blog.

There is also a new Tweet This link available in the blog, located in the Social Settings.

Limiting Available Features by Roles

This is another popular request in the forums; many users have asked about being able to filter the list of available features by roles. This is now possible from Administration > Advanced Tools > Feature Configuration, where you will see a new link for permissions next to each feature and can set the roles allowed to use the feature. Note that it only controls what is available in the list when creating new content; it does not change a user's permissions on existing instances of a feature.

Other Stuff

  • Upgraded from TinyMCE 3.3.7 to 3.3.8
  • Upgraded from CKEditor 3.3.1 to 3.3.2
  • Upgraded to the latest MySQL Connector
  • Updated Italian resources thanks to Diego Mora
  • Updated German resources thanks to Jan Aengenvort
  • the Extra Skins download file has a new skin contributed by Nitin Sharma

Bug Fixes

  • fixed a redirect bug when using the MyPage feature in folder based child sites
  • fixed an issue where the tabs did not work correctly on the user profile and manage users pages in folder based child sites
  • fixed a bug where consuming the aggregate feed from one Feed Manager instance in another instance of Feed Manager caused the page to hang
  • fixed a bug where the download link in shared files did not always work correctly in IE 8
  • a few other bug fixes and enhancements based on feedback in the forums and by email

Upgrade Notes

After the previous release, 2 people reported errors upgrading and were not able to upgrade. I believe this issue happens only with SQL 2005 if it does not have all the service packs installed. This is related to changes we made to consolidate the MS SQL layer so it could support SqlAzure. In making the needed changes we made a conscious decision to drop support for SQL 2000, so our MS SQL data layer is designed to support SQL 2005/2008/SqlAzure, but it turns out that SQL 2005 only works if you have the service packs installed. I was already running SQL 2005 Express with all service packs, so I did not anticipate any issues with SQL 2005, but apparently there are problems if you are not up to date on service packs. As always, you should back up your site and database before upgrading, and if you are using SQL 2005 you should check whether you have the service packs installed before upgrading.

Nominate mojoPortal for the 2010 CMS Awards