Security issue: Need to move site (change site number)

8/7/2012 2:48:20 PM

KevinR

Total Posts 19

View Posts

Security issue: Need to move site (change site number)

This is a security issue-- I need to move my default site 1 to another site #.

I discovered upon deleting a site that mojoPortal serves up site 1 if it doesn't recognize the host name. Suddenly, web requests for the deleted site are served by site 1! This exposes customers to embarrassment and security issues.

Is it possible to move or copy a site?
If not, is it reasonably possible to alter SiteId and SiteGuid in a minimum number of DB tables to effect a move?

I would like to leave the default site 1 empty so that deleted sites and erroneous IP bindings in IIS are not served with another customer's web content.

8/7/2012 3:40:28 PM

KevinR

Total Posts 19

View Posts

Re: Security issue: Need to move site (change site number)

If I had understood this behavior well in the first place I would never have allowed a customer site to be the default site. Instead, I would have created site 1 as an empty administrative site only.

A make-shift alternative solution would be to implement host name matching on site 1, and perhaps return the content of a particular HTML file or allow a redirect for non-matching host names.

8/7/2012 3:41:20 PM

Joe Davis

Total Posts 2239

View Posts

Re: Security issue: Need to move site (change site number)

Hi Kevin,

The simplest method for this would be to create a "blank" site and take note of it's ID. Then set the IsServerAdminSite=1 for that site in the mp_Sites table in your database. You should then set IsServerAdminSite=0 for the first site.

Your SiteIDs will remain the same but you will achieve the effect of having the blank site as your Admin site.

I definitely suggest you make a backup of your database before attempting this change.

HTH,
Joe D.

8/7/2012 4:16:56 PM

Joe Audette

Total Posts 18439

View Posts

Re: Security issue: Need to move site (change site number)

One thing you could try is altering the stored procedure mp_Sites_SelectOneByHost

Ideally one shouldn't modify the shipped procs but for an emergency like this I'd probably do that if I were you. It hasn't changed since 2006 and probably won't change so you could get away with it. I'd make yourself a note and a backup of the modifed sql statement juat in case it ever does get changed by a mojoportal upgrade.

You could create a specific site that you want to be the catchall and then hard code that site id in oplace of our current sql which just selects the first site ordered by site id.

Specifically you could replace this part of the sql:

DECLARE @SiteID int

SET @SiteID = COALESCE( (SELECT TOP 1 SiteID FROM mp_SiteHosts WHERE HostName = @HostName),
(SELECT TOP 1 SiteID FROM mp_Sites ORDER BY SiteID)
)

with

DECLARE @SiteID int

SET @SiteID = COALESCE( (SELECT TOP 1 SiteID FROM mp_SiteHosts WHERE HostName = @HostName),
(SELECT 15)
)

where 15 in this example is the hard coded site id to catch all un-assigned hosts that resolve to the ip.

You would need to make a similar change also in mp_SiteHosts_SelectSiteIdByHost

Not the prettiest solution but it should work and it is at least easy to do.

Hope that helps,

Joe

8/7/2012 4:44:29 PM

Jamie E

Total Posts 1203

View Posts

Help support mojoPortal!
Add-on modules

Re: Security issue: Need to move site (change site number)

Hey guys, I've never had to change site processing in mojoPortal, so just for my own knowledge:

Joe D. posted a workaround I've seen before for changing the admin site via the database, but is the problem that the admin site and the default site can be different? If so, maybe there should be a supported way to change the default site as well (like an "IsServerDefaultSite" database field, or a configuration key that could override it)? Or maybe the distinction should be removed, so the admin site is always considered the default site? It seems to me that either of these would be a better long-term solution than changing stored procedures.

Jamie

8/7/2012 4:49:33 PM

KevinR

Total Posts 19

View Posts

Re: Security issue: Need to move site (change site number)

Joe Davis,

All that does is change which site is the admin site. It does not change site 1 from being the default.

Joe Audette,

Yes, that sounds easy and effective and not too precarious. I suppose if it is ever changed, perhaps it would be an enhancement to allow selecting a default site? That change wouldn't hurt me anyway!

I think this might work even better:

SELECT TOP 1 SiteID FROM mp_Sites ORDER BY SiteID, HostName

A site having a blank HostName would order first and become the default, right? The lowest SideID ("1") would order first if host names were not being used, thus retaining the current behavior.

However, I would like to see the non-matching host case result in the administrator's choice of:

terminate the HTTP response (play dead)
return a generic 404 or 500 (no site page or identity revealed)
perform a 301 redirect to a specified URL

Of course, the latter could set up the potential for an endless loop so one would have to be careful with the redirect!

8/7/2012 5:01:14 PM

KevinR

Total Posts 19

View Posts

Re: Security issue: Need to move site (change site number)

Jamie,

First question: Yes. The admin site appears not to affect the default.

It would be most desirable to select the default site using a drop-down on the SiteList.aspx page. A configuration key would at least provide the choice, though less friendly. (mojo has too many config keys already, and perhaps an admin page should replace many of them?)

Pretty sure admin/default should remain separate. I can easily see wanting admin hidden, but a default very visible.

I don't necessarily want a default site at all in my case. I could create an entire site just to sit as an empty default, but I'd love to see the following options available if no default is available (no host name match or no default site is designated):

terminate the HTTP response (play dead)
return a generic 404 or 500 (no site page or identity revealed)
perform a 301 redirect to a specified URL

Many thanks!

-Kevin

8/7/2012 5:04:28 PM

Joe Davis

Total Posts 2239

View Posts

Re: Security issue: Need to move site (change site number)

Well, I didn't know there was a distinction between being the Admin site and the "default" site. If there's not a reason for that distinction, I'm all for removing it.

One quick question Kevin, if you don't want the site to respond to a certain domain, why can't you remove that domain from the site's bindings (host headers)? If you're not using host headers, I understand the problem. Either way, you could also use URL rewriting to prevent mojo from ever seeing the request.

Finally, this thread is going on my ever growing list of reasons one shouldn't use the Multiple Sites feature to host sites for different clients. Doing so leads to all kinds of ugliness when clients need to move their sites to another server or different hosting entirely. It makes upgrading more difficult because you have to coordinate with every client, fix any skinning issues that may arise from the upgrade (rare but when it happens needing to fix 50 skins in one maintenance window is real pain in the backside). Don't get me wrong, I use the Multiple Sites feature for many things and I think it's a great capability. The idea of two different clients using the same database for their website data is just very dirty to me.

Thanks,
Joe D.

8/7/2012 5:13:51 PM

KevinR

Total Posts 19

View Posts

Re: Security issue: Need to move site (change site number)

If you think about it, the default site would never have a host name applied to it, so wouldn't my SQL suggestion provide the easiest functional solution within the existing parameters? The lowest SiteID with no host name becomes the default.

Provision of a "no response", 404, or redirect when there is truly no default could be a possible feature enhancement. It's purpose would be to eliminate having to create a separate default site when only a blank page or redirect is desired.

8/7/2012 5:20:23 PM

Jamie E

Total Posts 1203

View Posts

Help support mojoPortal!
Add-on modules

Re: Security issue: Need to move site (change site number)

Those using Multiple Sites Based on Folder Names won't have separate host names to rely on. Your SQL could also result in the default site changing unexpectedly if every site had host names defined (this is probably the case in most multi-site installations--it is in ours), and a new site or host name were added that sorted lower than the existing ones.

Jamie

8/7/2012 5:33:06 PM

KevinR

Total Posts 19

View Posts

Re: Security issue: Need to move site (change site number)

Joe D.,

I didn't wish to complicate matters by indicating that I am both clients! However my sites serve entirely different purposes and the confusion and embarrassment potential is the same. The ability to move or export sites would be nice (and difficult to implement, I'm sure). Yet, I'd very much hate to have to maintain multiple mojo instances and databases.

I could address the problem with some URL rewriting, I suppose. Also, I should re-examine my bindings.

Generally, I run two IIS sites for each domain---one runs mojoPortal and is bound to a single canonical host name (i.e., www.example.com), and the second has no host name binding. The second IIS site performs a 301 redirect to the first. Any DNS host (i.e., w, ww, wwww, "no-www") or raw IP address will match the second site and be redirected to the canonical host name. I tend to share IPv4 addresses, while having separate IPv6 addresses to each site.

I use separate IIS sites for each domain so that logs are not co-mingled. They all share one application pool for mojoPortal.

Yes, I think I could potentially solve it with bindings. Thanks for pointing that out. Hope I provided some useful ideas.