Important Security Update

This is the place to report bugs and get support. When posting in this forum, please provide as many relevant details as possible, particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
9/17/2010 1:05:28 PM

Important Security Update

Hi All,

Please see this blog post, there is a new release of mojoPortal available with some important security updates as well as a number of other bug fixes.

http://www.mojoportal.com/mojoportal-2352-released.aspx

Best,

Joe

9/19/2010 10:17:36 PM

Re: Important Security Update

Hi Joe, with respect to issue #3 in the release notes (the big vulnerability everyone is concerned about right now), I upgraded my site and implemented the customErrors workaround as recommended by Microsoft (with the error.aspx page from ScottGu's blog featuring varying delays), but I am not seeing the new error.aspx page served for 404s. Any idea why this would be?

This is on a shared hosting server so I only have access via the WebSitePanel control panel.

I get 404s served like the following:

Server Error in Application "MYSITE.COM"
Internet Information Services 7.5

Error Summary
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

Detailed Error Information
Module: IIS Web Core
Notification: MapRequestHandler
Handler: StaticFile
Error Code: 0x80070002
Requested URL: http://mysite.com:80/notapage
Physical Path: C:\HostingSpaces\myaccount\mysite.com\wwwroot\notapage
Logon Method: Anonymous
Logon User: Anonymous

9/20/2010 6:29:26 AM

Re: Important Security Update

You could comment out the <add name="PageNotFoundHandler" in the 2 places it exists in Web.config and that will make 404 errors use the error page too.

However, I don't "think" that is really needed if all the other steps have been taken. I leave it up to you since it will impact user experience.

I think the extra step I took to make sure we don't return a 500 status for cryptography errors but a 404 instead combined with the random timing of the ErrorPage.aspx should protect us pretty well.

I'm actually packaging another release this morning to include the Microsoft workaround by default, and over the weekend I also implemented a new admin page "Security Advisor" to help identify a few common configuration issues that affect security and provide links to documentation about how to solve them. I'm trying to get the package ready to re-submit to the web app gallery asap.

Best,

Joe
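The random-delay error page that the two posts above refer to, written out as an added example: this is not mojoPortal's own ErrorPage.aspx and not Microsoft's exact text, but the code-behind of the single page that customErrors rewrites every error to. The class name ErrorPage, and the choice of a uniform 404 status for all errors (following the remark above about returning 404 rather than 500 for cryptography errors), are assumptions made here.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;
using System.Web.UI;

// Code-behind for the one error page every error is rewritten to.
// The class name is an assumption for this example.
public partial class ErrorPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // One status code for every error, whatever its real cause:
        // a 500 for a cryptography failure next to a 404 for everything
        // else would tell an attacker which one occurred.
        Response.StatusCode = 404;
        // Keep IIS 7 from replacing this body with its own 404 page.
        Response.TrySkipIisCustomErrors = true;

        // Random 0..255 ms delay from a cryptographic RNG, as in the
        // Microsoft workaround, so response time does not distinguish
        // error types either. A predictable delay would be useless.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RandomNumberGenerator is IDisposable only on .NET 4.0 and later;
        // this pattern compiles on 3.5 as well.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null)
        {
            disposable.Dispose();
        }

        // Deliberately nothing else: no Server.GetLastError() output, no
        // per-error message. The body must be identical for all errors.
    }
}
```

The markup side of the page should be static text only; any control whose output depends on the error would undo what the code above does.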

9/20/2010 9:49:36 AM

Re: Important Security Update

I've made a follow up release that has the Microsoft workaround pre-configured and also introduces a new security feature to help you detect common configuration issues that affect security.

http://www.mojoportal.com/mojoportal-2353-released.aspx

Best,

Joe

9/20/2010 4:13:07 PM

Re: Important Security Update

Hi All,

There is an interesting artefact caused by using <location allowOverride="false"> in web.config:

I have several sites in production on remote hosting and also test/backup copies of them on my XP Prof SP3 .NET 3.5 localhost.

One of the local sites (located at the localhost site root) was upgraded to v. 2.3.5.3 without problems and was uploaded to the production site. OK.

But after that, all local sites located in virtual directories threw the exception regarding allowOverride="false". I spent some time trying to find the reason and finally arrived at the solution: allowOverride="true" in the web.config of the local site located at the site root folder solves the problem.

I just wanted to let you know that such a problem might occur.

Of course, I will keep allowOverride="false" in the remote production environment, but it needs to be switched to "true" in the root web.config of the local test web server.

Anyway, thanks to all for your great work,

best regards,

Igor

9/21/2010 7:06:58 AM

Re: Important Security Update

Yes, the location element with allowOverride=false can cause errors if you have other .NET apps running in virtual directories below it.

I "think" you can safely remove the location element or use allowOverride="true" in the mojoPortal web.config as long as you have implemented the same workarounds for the customErrors page in those other apps.

Best,

Joe
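A Web.config fragment that puts together the settings discussed in this thread: the single customErrors page with ResponseRewrite, the PageNotFoundHandler commented out in both handler sections so 404s reach that page, and the <location allowOverride="false"> wrapper that broke Igor's virtual-directory sites. This is an added example, not the Web.config mojoPortal ships. The page name ~/ErrorPage.aspx is an assumption, the attributes of the PageNotFoundHandler element are left out because the thread quotes only its name, and the httpErrors section is an addition of mine: the IIS 7.5 page pasted earlier shows Handler StaticFile, meaning IIS answered that 404 itself before ASP.NET ran, which no customErrors setting can change.

```xml
<?xml version="1.0"?>
<!-- Added example Web.config fragment; not mojoPortal's shipped file.
     ~/ErrorPage.aspx is an assumed page name. -->
<configuration>

  <!-- allowOverride="false" stops a child application's Web.config from
       turning customErrors back off. As this thread shows, it also makes
       a separate ASP.NET app in a virtual directory below this site fail
       at startup if that app's Web.config redefines a section declared in
       here (customErrors). Either set allowOverride="true" and apply the
       same customErrors settings in the child app, or remove the wrapper. -->
  <location allowOverride="false">
    <system.web>
      <!-- One page for every error. ResponseRewrite (.NET 3.5 SP1 / 4.0)
           serves it in place instead of a 302 redirect. Do not add
           per-status <error> entries: different pages per status code
           bring back the distinguishable responses the workaround removes. -->
      <customErrors mode="On" redirectMode="ResponseRewrite"
                    defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>

  <system.web>
    <httpHandlers>
      <!-- First of the two places: commented out so a 404 falls through
           to the customErrors page instead of the handler's own page. -->
      <!-- <add name="PageNotFoundHandler" ... /> -->
    </httpHandlers>
  </system.web>

  <system.webServer>
    <handlers>
      <!-- Second place (IIS 7 integrated pipeline). -->
      <!-- <add name="PageNotFoundHandler" ... /> -->
    </handlers>

    <!-- Requests IIS 7 serves itself (the StaticFile handler that produced
         the detailed 404 page pasted above) never enter ASP.NET, so
         customErrors cannot cover them. httpErrors makes IIS execute the
         same page for those. errorMode="Custom" also stops the detailed
         page, which reveals the physical path, from being sent at all.
         existingResponse="Auto" leaves an ASP.NET response alone when it
         set TrySkipIisCustomErrors and replaces everything else. -->
    <httpErrors errorMode="Custom" existingResponse="Auto">
      <remove statusCode="404" />
      <error statusCode="404" path="/ErrorPage.aspx" responseMode="ExecuteURL" />
    </httpErrors>
  </system.webServer>

</configuration>
```

On a shared host without access to IIS itself, the system.webServer part is still honoured from Web.config as long as the hoster has not locked those sections at the server level; if the StaticFile 404 page keeps appearing after this change, that lock is the first thing to ask the hoster about.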

9/25/2010 8:26:46 AM

Re: Important Security Update

Scott Guthrie of Microsoft just posted about an additional protection that can and should be applied at the server level to protect against the ASP.NET Vulnerability. If you have control of your own server you should take the additional step of installing UrlScan and configuring a rule as indicated in the article.

http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

Best,

Joe

9/29/2010 12:51:06 PM
Proud member of the mojoPortal team


Re: Important Security Update

For anyone who has control of their own servers and is interested in patching this as soon as possible, Microsoft has taken the unusual step of creating an out-of-band patch for this flaw. They are delivering it via Microsoft Download Center right now, so it has to be installed manually (it will be put on Windows Update at a later date).

Computerworld Article

Microsoft Security Bulletin link

Jamie

9/29/2010 12:57:31 PM
Proud member of the mojoPortal team


Re: Important Security Update

The Computerworld article also indicated that once the patch is in place, the previously recommended workarounds can be safely removed.

9/29/2010 1:18:56 PM

Re: Important Security Update

It will also be available in windows update within the next few days for those who would rather apply the fix via normal windows updates.

If you do choose to install the patch manually instead of using Windows Update, keep in mind that you must install a different patch for each version of .NET framework that is installed on the machine.

And yes, the good news is that after applying the update the workaround is no longer needed.

For more info see also Scott Guthrie's post http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security-update-now-available.aspx

Best,

Joe

10/4/2010 1:17:22 PM

Re: Important Security Update

From what I read, the update uses HMAC signing and validation for the encrypted packets to protect against such tampering attempts.
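What "HMAC signing and validation" buys, shown as an added example that is a generic encrypt-then-MAC routine written for this thread and not ASP.NET's own implementation: the tag over IV and ciphertext is checked, in constant time, before any decryption happens, so a tampered blob is rejected on one uniform path and no padding-related exception can ever be observed. This also ties back to the earlier point about not returning a distinct status for cryptography errors. Key sizes and the blob layout are choices made here.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Encrypt-then-MAC illustration. Two independent keys: one for AES, one
// for the HMAC. Blob layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext).
public static class AuthenticatedBlob
{
    private const int IvLength = 16;   // AES block size
    private const int TagLength = 32;  // HMAC-SHA256 output

    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();
            byte[] iv = aes.IV;
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                cipher = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            }
            byte[] blob = new byte[IvLength + cipher.Length + TagLength];
            Buffer.BlockCopy(iv, 0, blob, 0, IvLength);
            Buffer.BlockCopy(cipher, 0, blob, IvLength, cipher.Length);
            using (HMACSHA256 hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(blob, 0, IvLength + cipher.Length);
                Buffer.BlockCopy(tag, 0, blob, IvLength + cipher.Length, TagLength);
            }
            return blob;
        }
    }

    // Returns null for ANY failure (bad length, bad tag, bad padding), so the
    // caller has exactly one failure path and nothing to distinguish.
    public static byte[] Unprotect(byte[] encKey, byte[] macKey, byte[] blob)
    {
        if (blob == null || blob.Length < IvLength + 16 + TagLength) return null;
        int signedLength = blob.Length - TagLength;

        byte[] expected;
        using (HMACSHA256 hmac = new HMACSHA256(macKey))
        {
            expected = hmac.ComputeHash(blob, 0, signedLength);
        }
        // Constant-time comparison: no early exit on the first mismatch,
        // otherwise the tag check itself becomes a timing oracle.
        int diff = 0;
        for (int i = 0; i < TagLength; i++)
        {
            diff |= expected[i] ^ blob[signedLength + i];
        }
        if (diff != 0) return null;  // tampered: the cipher never runs

        try
        {
            using (Aes aes = Aes.Create())
            {
                aes.Key = encKey;
                aes.Mode = CipherMode.CBC;
                aes.Padding = PaddingMode.PKCS7;
                byte[] iv = new byte[IvLength];
                Buffer.BlockCopy(blob, 0, iv, 0, IvLength);
                aes.IV = iv;
                using (ICryptoTransform dec = aes.CreateDecryptor())
                {
                    return dec.TransformFinalBlock(blob, IvLength, signedLength - IvLength);
                }
            }
        }
        catch (CryptographicException)
        {
            return null;  // cannot happen for an authentic blob; same outcome anyway
        }
    }

    // Flipping a single ciphertext byte is rejected before decryption.
    public static bool TamperIsRejected()
    {
        byte[] encKey = new byte[32];
        byte[] macKey = new byte[32];
        RandomNumberGenerator rng = new RNGCryptoServiceProvider();
        rng.GetBytes(encKey);
        rng.GetBytes(macKey);
        byte[] blob = Protect(encKey, macKey, Encoding.UTF8.GetBytes("hello"));
        blob[IvLength] ^= 0x01;  // first ciphertext byte
        return Unprotect(encKey, macKey, blob) == null;
    }
}
```

The order matters: MAC over the ciphertext, verified first, then decrypt. Decrypting first and checking afterwards leaves the padding check reachable by an attacker who controls the ciphertext, which is exactly the error path the single-error-page workaround was trying to hide.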
