Security Risk / Medium Trust

9/24/2009 4:41:29 AM
Total Posts 14
"I call the big one Bitey"

Security Risk / Medium Trust

Hello, I have a problem with security and Medium Trust. I have 2 installations of MojoPortal on my machine, one is a fresh install in IIS 5, on XP, .NET framework 3.5; the other through source code in Visual Studio 2008 (as I've got a custom module going on).

Problems I am getting are these:

1) In the straightforward install on IIS, I'm getting a prompt in Internet Explorer on every page: "This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?"
I can disable this in 'Internet Options' by changing the 'Access data sources across domains' to Enable in Security Settings, but that would be bad for users to have to do that. It's just a straightforward Virtual Site in the root of IIS as far as I know, so is there something I'm missing here?

2) According to the WebParts section in the Admin area, both sites are running in Medium Trust, yet according to my .NET web.config file it's running in Full Trust. There aren't any errors in the System Log, and NeatUpload works, so this is confusing me greatly. I've spent days Googling this to no avail. I thought it might have had something to do with the other issue I'm having, but after having a go at putting the site in Medium Trust I still get the prompt.

If you could help then I would be very appreciative!

Cheers,
Graham

9/24/2009 5:07:04 AM
Total Posts 14
"I call the big one Bitey"

Re: Security Risk / Medium Trust

Oh, sorry, MojoPortal version 2.3.1.7 running on XP Pro, IIS 5.1, SQL Server 2005. :)

9/24/2009 1:36:49 PM
Total Posts 18439

Re: Security Risk / Medium Trust

That's a browser warning not related to medium trust.

No idea why you get that message but I suspect something in your content or custom module rather than something intrinsic to mojoportal. You don't get that error on demo.mojoportal.com do you?

The WebPart issue seems to be a new bug; it's doing the same on my local machine. I will look into it.

Best,

Joe

9/24/2009 2:03:46 PM
Total Posts 18439

Re: Security Risk / Medium Trust

I just fixed the WebPart issue. It will be fixed in svn trunk by tomorrow and fixed in the next release.

Thanks,

Joe

9/25/2009 3:17:33 AM
Total Posts 14
"I call the big one Bitey"

Re: Security Risk / Medium Trust

Cool beans, thank you Joe!

The browser thing must be something odd in my IIS setup I reckon, I bet it's an obscure setting I haven't ticked or something. At least I know now that it's unrelated to the Medium Trust issue.

Thanks again!
Graham

9/25/2009 6:39:35 AM
Total Posts 14
"I call the big one Bitey"

Re: Security Risk / Medium Trust

After some testing and tinkering, I think it's the outputted line:
<link rel='stylesheet' type='text/css' href='http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/cupertino/ui.all.css' />
that seems to be bringing up the browser error. The links to the .js files seem to be fine..

In theory I could host it locally by following http://www.mojoportal.com/intranets-and-private-networks.aspx
but I think I'll wait to see if the problem exists when on our test server.

Oh and the MojoPortal demo site doesn't come up with any errors like it, so I'm thinking it's just User Error.

Thanks again!
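
An added example, not part of any post in this thread and not mojoPortal code: a Python check that lists the stylesheet, script, image and frame references in rendered HTML whose origin differs from the page's, which is how the ui.all.css line quoted above can be singled out. The page URL, the function names and every sample line except that stylesheet link are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port): the tuple compared for a same-origin decision."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

class CrossOriginAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL) for each cross-origin fetch

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        # Only stylesheet links are audited; icons and other rel values are skipped.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        absolute = urljoin(self.page_url, value.strip())  # resolve relative paths
        if origin(absolute) != origin(self.page_url):
            self.findings.append((tag, absolute))

def audit(page_url, html):
    parser = CrossOriginAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample; only the first markup line is quoted from the thread.
PAGE_URL = "http://localhost/mojo/Default.aspx"
SAMPLE_HTML = """
<link rel='stylesheet' type='text/css' href='http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/cupertino/ui.all.css' />
<link rel='stylesheet' href='/Data/style/site.css' />
<script src='http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js'></script>
<script src='ClientScript/local.js'></script>
<img src='http://LOCALHOST:80/logo.png' />
"""

if __name__ == "__main__":
    print(audit(PAGE_URL, SAMPLE_HTML))
```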

9/25/2009 7:00:06 AM
Total Posts 18439

Re: Security Risk / Medium Trust

So it sounds like some IE security warning triggered by loading a CSS file from a different domain. I think it's because browser settings for the local zone where localhost runs may be configured too strictly. It doesn't want to allow loading this file in the intranet/local zone. So the problem may not happen on a real server because the site will run in the internet zone, not the local zone, as far as IE is concerned.

It seems like totally an IE issue; I don't think it's related to IIS.

I'm not sure about the default browser security for IE on XP. I did not think it was that strict, but I've certainly seen how IE is so locked down on Win 2003 server by default. Possibly if your XP machine is a domain member then strict browser settings may get pushed down by group policy.

Hope it helps,

Joe

11/2/2009 11:15:25 PM
Total Posts 68

Re: Security Risk / Medium Trust

Hi,

I am having the same error come up.

I didn't use to have it but after upgrading to 2.3.1.9 MSSQL recently I seem to get this message in IE7.

I searched and came across this post on this site http://groups.google.com/group/mxajax/browse_thread/thread/90de7a45a96a4987

Which says "Make sure the AJAX URL starts with the same domain name as the site in which it's being requested."

But I can't do that because the site is http://asia.iwmi.org/ and the ajax in mojo is http://ajax.googleapis.com/

I can't host the Ajax on each domain as I have so many project web sites on varying domains.

Any other suggestions?

Dominique

11/4/2009 3:27:41 PM
Total Posts 18439

Re: Security Risk / Medium Trust

Does this happen on localhost or a public internet site? IE has different security settings for the local or intranet zone vs the internet zone. So if this issue happens on localhost it does not mean it will happen on production.

You can host the files locally to your installation; it's not per domain that it would need to have the files installed, it's per installation.

Hope it helps,

Joe

11/6/2009 8:25:17 AM
Total Posts 4

Re: Security Risk / Medium Trust

We've been dealing with this same "warning" from IE7...

The issue is as you described Joe - for sites determined to be in the "Local Intranet" zone, IE warns against the references that load the JavaScript from the Google CDN. Adding the site to the "Trusted Sites" list solves the issue, but this is not an option in many environments (those that enforce a list of trusted sites via Group Policy). The option of switching to local hosting of these files will resolve this warning.

One workaround I'm debating implementing in one of my intranet portal sites is to set up a periodic server-side HTTPRequest to fetch these files from the Google CDN. After retrieving the files, save/update any existing equivalent scripts on the local server scripts folder, and deliver them up to the client via the local hosting option. Granted, the downside is still that the end-user doesn't get the caching/reuse benefits of the direct CDN reference, but at least I'm not worrying about manually maintaining copies of these script files locally when I don't need to.

11/6/2009 8:39:45 AM
Total Posts 18439

Re: Security Risk / Medium Trust

Hi Neil,

The files can still be cached by the browser when served locally. With the CDN the files may be cached before he even visits your site if he visits another site that uses the same version of the script from google CDN, but that is generally a very minor benefit.

I don't think it's worth the effort to try and build something to auto update the files. For one thing the files don't change on Google CDN; the files are version specific and have version specific URLs, so for example when the next version of jQuery comes out Google will make it available but it will have a different URL and the old version will remain available. http://code.google.com/apis/ajaxlibs/documentation/

There is no urgency about upgrading unless something isn't working or you are having trouble with something related to the script, and sometimes upgrading can break things. For example there exist newer versions of YUI but in mojoPortal we still use version 2.6.0 because I found that newer versions break the FCKeditor in some cases, like if there is more than one on a page or the editor is inside a tab in IE the editor did not work (was fine in other browsers).

So I would host the files locally in your situation. If you see me mention that I updated mojoPortal to a newer version of those things in the release notes blog post you can consider whether you want to update your local copies.

Best,

Joe
