mojoPortal 2.2.9.6 Released

mojoPortal 2.2.9.6 is available now on our download page.

The primary reason for this release is to fix a security issue reported yesterday in our forums. This is only the second security vulnerability ever confirmed in mojoPortal in the entire history of the project since 2004. When a security vulnerability is confirmed we feel it is very important to release a fix within 24 hours and to disclose it with full transparency.

Description

The issue is a cross site scripting vulnerability. The cause of the problem was failure to sanitize a query string parameter that is used for previewing skins. We use a printer friendly skin to produce our printer friendly view using a simple parameter in the url like this skin=printerfriendly. It can also be used to preview any existing skin. Since the skin name is output into the page as part of the url for the css handler it needs to be sanitized to prevent manipulation. The new release sanitizes the input to remove any possibility for javascript being inserted into the page.

The vulnerability was reported by Aaron King who discovered it using the free version of Acunetix Web Vulnerability Scanner. The scanner identified an url that could be constructed that would inject javascript into the page and cause an alert message to be displayed in the page. While the demo exploit causes no harm, in theory other exploits are possible including the possibility of altering the content of the page or stealing a session cookie which could make it possible to take control of a user account. Note that actual malicious exploits have not been proven, but the ability to inject a javascript alert means more malicious exploits may be possible.

Mitigating Factors

In order to exploit this vulnerability the attacker would have to somehow trick a user who is already logged into the mojoPortal site to click a malicious link. The link itself must contain the exploit code and this would be obvious to more experienced users unless the url of the link was masked in some way. So a targeted social engineering attack would have to be used to exploit this. A hacker could email a site user with a link to the site or create a link on a web page on some other web site and convince the user to click it.

What Versions are Vulnerable?

I’m pretty sure this vulnerability was introduced in version 2.2.7.7 when we implemented the CssHandler to combine and minify css. Older versions are probably not vulnerable. To determine if your installation is vulnerable, just visit http://yourdomain/Default.aspx?skin=1%00'"><ScRiPt%20%0a%0d>alert(403326057258)%3B</ScRiPt> If it causes an alert message then the vulnerability does exist.

Upgrade is Highly Recommended

Ugrading to mojoPortal 2.2.9.6 will eliminate this vulnerability. All users are recommended to upgrade as soon as you can. If you are upgrading from version 2.2.9.5, you can skip uploading the ClientScript folder, it will save you some time since its a large folder and nothing in that folder has changed.

Anything Else New This Release?

There was a bug fix in WebStore for MS SQL. Previously when updating the quantity of an item in the cart, the stored procedure was declared incorrectly as having 10 parameters instead of 8 which it actually had.

There is a new Site Setting for Company Name, which is used to automatically populate the CopyrightLabel in the skin.

Our release packages now support easy installation in IIS using the Microsoft Web Deployment Tool aka MsDeploy. See this article for easy step by step installation instructions. Its only for new installations not upgrades. This is actually a pretty exciting development, though I post it here as if it were a footnote. Supporting MsDeploy now should make it possible to get mojoPortal listed in the Microsoft Web Application Gallery, I have submitted a form and am waiting to hear back from them.

Gravatar Joe Audette is the founder of the mojoPortal project and was the primary developer until February 2017.

Comments

Tom

re: mojoPortal 2.2.9.6 Released

Tuesday, March 24, 2009 9:00:59 PM

Joe, I upgraded to this recent release and now two out of my three sites do not work right. What is basically wrong is that the custom skins are not working right. What information do you need so you can tell me what to fix?

re: mojoPortal 2.2.9.6 Released

Wednesday, March 25, 2009 5:37:21 AM

Please post support requests in the forums not the blog.

If you are upgrading from a very old version you need to see this document.

http://www.mojoportal.com/important-skin-changes.aspx

Hope it helps,

Joe

 

re: mojoPortal 2.2.9.6 Released

Thursday, March 26, 2009 6:24:39 PM

I have created the DotNetPanel Application Pack for this release. It can be downloaded from http://i7media.net/downloads.aspx

re: mojoPortal 2.2.9.6 Released

Friday, March 27, 2009 1:24:58 PM

Hi joe,

I'd just plan to install a first production instance this week end. This release comes just in time for me.

Thank you for your rapid fix.

Thomas.

Sandro Magi

re: mojoPortal 2.2.9.6 Released

Tuesday, April 07, 2009 10:01:03 PM

I couldn't find a readily available contact link or comment box on the page, so I'll just write here: a comment under Business Layer on your Architecture page is incorrect. You say, "Static methods are guaranteed to be threadsafe by the runtime [...]".

The runtime provides no such guarantee. Thread safety is entirely dependent on whether any mutable state is shared between threads, and it does not matter whether this state is read or written in static methods or otherwise.

tatil cenneti

Monday, May 25, 2009 11:55:53 AM

thank you good site

 

I'd just plan to install a first production instance this week end. This release comes just in time for me.

Comments are closed on this post.