Upgrade or Fix Current
I am in the process of trying to upgrade my Umbraco version from 4.7 to 4.11.10 and getting errors that are logged on another post. The reason for the update is that we failed an audit, details below. Please let me know if anyone knows of a workaround for this error, other than upgrading version. IF a particular version before 4.11.10 will resolve it then please let me know that as well. MUCH appreciated.....
Vulnerability report:
"This host is running a vulnerable instance of the Umbraco CMS that is vulnerable to a remote command execution flaw. Specifically, the SaveDLRScript SOAP operation contained within the codeEditorSave.asmx fails to sanitize user supplied data and allows remote unauthenticated attackers to upload arbitrary files to a known web-accessible path. An attacker can upload a standard ASP.NET web shell which will provide command and control of this host within the context of the web server's permissions. The attacker should be able to leverage this access to fully compromise this host and all of its data."
Thanks for any suggestions...
Hi Deron
You perhaps you can simply patch your current installation using the patched files from http://code.leekelleher.com/umbraco/archive/ for v4.7?
Unfortunately there were some vulnerabilities in Umbraco that got patched pretty quickly after they were discovered.
Hope this is what you're looking for.
Cheers, Jan
So are you talking about just patching my files from 4.7 to 4.7.2? If so, would it fix the vulnerability I mentioned?
If so, and when manually updating like this, what other steps do I need to make? Am I changing the web.config version or leaving it alone? Any other updates to be made or db changes? Trying to confirm which version would possibly fix my mentioned vulnerability and to do this as simply as possible.
Thanks
Hi Deron
Yes that will fix the issue in the quickest manner.
However, before you go about upgrading/patching your solution I recommend that you read these guidelines http://our.umbraco.org/documentation/Installation/Upgrading/ and before starting you should of course do a backup of the database and the files.
Hope this helps.
/Jan
Thanks Jan....I also see for a lot of versions that there is a security patch zip file which contains (the one for 4.9.1, anyway) an umbraco.dll and an umbraco.pdb file. I assume these both would be dropped into the /bin folder, even though I don't see the umbraco.pdb in this version initially. Do these security patch files possibly address the security vulnerability I referenced? I can't seem to find a thing on what security issues are patched with the upgrades or patches, or which version addresses my vulnerability I noted in this post.
Thanks
Hi Deron
There was a blog post about the issues found here http://umbraco.com/follow-us/blog-archive/2013/5/1/security-update-two-major-vulnerabilities-found.aspx
I'll recommend that you go for 4.7.2 and forget about 4.9.1 - it has some really weird bugs that you don't want to experience, trust me on this one :)
If you want to upgrade then go for at least 4.11.10.
Hope this helps.
Jan
Well, there lies the rub....I tried initially to upgrade from 4.7 to 4.11.10 and had nothing but issues. (Seen at forum post http://our.umbraco.org/forum/getting-started/installing-umbraco/44603-Upgrading-Issues). The only real reason to upgrade was to rid myself of the security audit failure that I started this post with (and relisted below). Even after checking your last suggestion and link, I still cannot verify that these security patches address the security flaw I listed. I would love to be able to just install a security patch or upgrade to 4.7.2 (or any version higher that actually works without issues) and be assured that it alleviates my issue. Surely someone at Umbraco would be able to confirm which patch or version upgrade (or both) would do this without me guessing.
Vulnerability report:
"This host is running a vulnerable instance of the Umbraco CMS that is vulnerable to a remote command execution flaw. Specifically, the SaveDLRScript SOAP operation contained within the codeEditorSave.asmx fails to sanitize user supplied data and allows remote unauthenticated attackers to upload arbitrary files to a known web-accessible path. An attacker can upload a standard ASP.NET web shell which will provide command and control of this host within the context of the web server's permissions. The attacker should be able to leverage this access to fully compromise this host and all of its data."
I'd go to 4.8 then 4.9 and after that you are free to jump straight up to the latest build (as the database migrations are done much better in 4.9+).
I am getting conflicting advice then, as Jan said 4.9.1 had some issues. I'm lost. I think I will just roll back from the 4.9.1 version to 4.7 and then do the upgrade to 4.7.2.....and hope it fixes my security vulnerability. If anyone has better advice or reasons to go with another version then please let me know soon. Thanks.
The issue is you need the database mods that are applied between 4.7 and 4.9. I think Jan just meant don't "use" 4.9, install it to get the db mods but then install right over the top of it to the latest version of the code and you should be good to go. Just been through the same with a 4.8>6.1.5 upgrade so know your pain ;)
Let me add that version 4.9.1 upgrade doesn't really work for us as a lot of our site pages have 500 errors (for some reason the upgrade to 4.9.1 has introduced a ~ in many of the paths) and publishing pages has many issues too. Management has dictated moving to the most current 4 version we can and not rolling back, if possible and wants to know if upgrading to the next version (4.10) would fix the current 4.9.1 problems we had OR should we address all the issues we see in 4.9.1 before attempting any further upgrades?
Either way, upgrades should not be this painful....
I've been doing a similar upgrade today and getting some issues of my own, so I hear you on the painful upgrade grumbles. That's why I'm pushing you to get past 4.9 as quickly as possible; then it does get easier, as they changed the way they did database upgrades and HQ focused on quality over features at last soon after that.
You can read about my issues on this thread http://our.umbraco.org/forum/getting-started/installing-umbraco/44925-Upgrading-from-48-615,-cant-get-past-the-licence-screen I'd not worry about 4.9 being "broken" as the code is going to get thrown away at the next upgrade which you should start straight away.
Hope that helps.
Damn....did you kill a priest in a previous life? There is NO way an upgrade should be this painful. Although I appreciate your detailed explanation, it only scares me more doing an upgrade and expecting it to be successful. I am a systems administrator, not a DBA or developer. Sounds like you need to be all 3 to successfully upgrade Umbraco. I am just trying to fix a security flaw and wasn't expecting to be on this for a week plus. That is a whole lot of toilet handle jiggling right there....
Going to try and upgrade past it as you mentioned....I'll let you know. Say a prayer...sounds like I'll need it.
Thanks Peter....I am going to attempt that approach. If it doesn't work then a sack of kittens may be sacrificed.....keep your fingers crossed.
I've run at least a dozen sites through an upgrade directly from 4.7.2 to 4.9.1 without any major problems. (Other than the sheer amount of time this takes, what with the manual painstaking process that this is, but afterwards the sites ran just fine.) I've also run almost as many 4.7.2 sites directly up to at least 4.11.8+ without any intermediary upgrades, and that too has worked pretty well. So it's weird to hear someone say to avoid 4.9. My experience with 4.9.1 other than a few minor glitches we worked past (mainly, the "disappearing media items" comes to mind) has been fine, with my own thoughts being to avoid 4.8 and 4.10? Good luck to you, with whatever you end up going with!
Interesting...thanks for your feedback. Have you ever upgraded directly from 4.7.0 to 4.91 (or 4.11.10)? Or is the upgrade from 4.7 to 4.7.2 a very necessary step in the success of the upgrade?
Thanks again!
Hi there,
I don't think I ever upgraded an old 4.7.0 site to anything other than 4.7.2, but even those were pretty straightforward so I don't think there should be any harm in what you propose. Just remember (I also posted in your other thread about this) to make sure you clean up some of the old stuff left over in the 4.7 line that causes problems if left around in 4.8+. AND, as always, the merging of config files is probably the biggest hassle, so make sure you double-check you've done this correctly... including new config files that have been added. If you continue to struggle with this, try moving just to 4.7.2 and apply the hotfix to close your security vulnerability. You can then worry about upgrading beyond this at some other future time!
Thanks for all the help. After rolling back to 4.7.0 I decided to move to 4.7.2 (with security patch) and this one went pretty smoothly. My steps are below and are for a distributed install with SiteMinder. If I decide to move to another version I will include those steps. Hope this helps someone in the future....
Steps to Update Umbraco 4.7.0 – 4.7.2
1) Backup the Umbraco folder (in QA - \\qaxxxserver\c$\umbraco to f:\ in a folder that is descriptive. For PROD- \\prodxxxserver\n$\umbraco) Have (DBA) back up the database on the environment you are updating at the same time.
2) Download the 4.7.2 zip and then the subsequent 4.7.2 security patch (2 files) and unzip them into a temp directory.
3) Stop the Umbraco site on both web servers (in QA – qaumbraco1serv/qaumbraco2serv / in PROD – fcumbraco1serv/fcumbraco2serv)
4) Copy the /bin, /Umbraco, /Umbraco_client folders from the new release OVER the top of the current folders.
5) Delete any of the referenced files from the release notes. In this 4.7.2 release those files would be:
· /bin/Microsoft.Scripting.dll
· /bin/Iron*.dll
· /bin/RazorEngine*.dll
6) Copy all new configs from the upgrade version to \config (leaving all the originals)
7) Update the \config\umbracoSettings.config file to include the distributed servers and email section (if in there) that was in the previous umbracoSettings.config file. (We had no other config files customized)
8) Using WinMerge – merge the current needed settings from the current web.config to the new one. This usually entails the following areas:
· Connection String (umbracoDbDSN)
· SMTP mail host info
· umbracoHideTopLevelFromPath (from True to False)
· SiteMinder pieces (modules section)
· Handlers Section – SiteMinder pieces
· All ISAPI filter section
9) Turn the Umbraco IIS sites back on.
10) From IIS on one of the web servers – Browse the Umbraco\umbraco\umbraco.aspx file to verify admin console login.
11) Hit the web site to complete the upgrade process. This process finishes upgrade by updating DB and the version number in the web.config.
12) Site should be reviewed and tested now.
13) If good, backup the DB and file structure to the same location above in step #1.
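As an added example (not the poster's own script, and not Umbraco's), the file-level steps 1, 3, 4, 5 and 9 of the procedure above scripted for one web server; the site root, release folder, backup root and IIS site name are assumed placeholders, and the DLL list is the one from step 5. Steps 6 to 8 (the config merge) are left manual on purpose, and the final checks read the patched umbraco.dll version and the umbracoConfigurationStatus key that step 11 updates.

```powershell
# Added example: automates the file-level steps of the 4.7.0 -> 4.7.2 upgrade
# on a single web server. Run it on each server of the distributed install.
param(
    [string]$SiteRoot   = 'C:\umbraco',             # assumed: current site folder
    [string]$Release    = 'C:\temp\umbraco-4.7.2',  # assumed: unzipped 4.7.2 zip + security patch
    [string]$BackupRoot = 'F:\backups',             # assumed: step 1 destination
    [string]$SiteName   = 'Umbraco'                 # assumed: IIS site name
)
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

# Step 1: file backup (the DB backup is done separately by the DBA, as in the post).
$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$backup = Join-Path $BackupRoot "umbraco-pre-4.7.2-$stamp.zip"
Compress-Archive -Path $SiteRoot -DestinationPath $backup
Write-Host "Backed up $SiteRoot to $backup"

# Step 3: stop the IIS site so no request is served from a half-copied /bin.
Stop-Website -Name $SiteName

# Step 4: overlay /bin, /umbraco and /umbraco_client from the new release.
foreach ($dir in 'bin', 'umbraco', 'umbraco_client') {
    $src = Join-Path $Release $dir
    if (-not (Test-Path $src)) { throw "Release folder missing: $src" }
    Copy-Item -Path "$src\*" -Destination (Join-Path $SiteRoot $dir) -Recurse -Force
}

# Step 5: remove the assemblies the 4.7.2 release notes say to delete.
foreach ($pattern in 'Microsoft.Scripting.dll', 'Iron*.dll', 'RazorEngine*.dll') {
    Get-ChildItem -Path (Join-Path $SiteRoot 'bin') -Filter $pattern |
        ForEach-Object { Write-Host "Removing $($_.FullName)"; Remove-Item $_.FullName }
}

# Steps 6-8 are deliberately manual: merge web.config and /config (WinMerge) first.
Read-Host 'Merge web.config and \config now, then press Enter to restart the site'

# Step 9: bring the site back.
Start-Website -Name $SiteName

# Checks: the patched umbraco.dll should be in place, and after step 11 the
# installer bumps umbracoConfigurationStatus in web.config to the new version.
$dllVersion = (Get-Item (Join-Path $SiteRoot 'bin\umbraco.dll')).VersionInfo.FileVersion
$webConfig  = [xml](Get-Content (Join-Path $SiteRoot 'web.config'))
$status     = $webConfig.configuration.appSettings.add |
    Where-Object { $_.key -eq 'umbracoConfigurationStatus' } |
    Select-Object -ExpandProperty value
Write-Host "umbraco.dll file version: $dllVersion"
Write-Host "umbracoConfigurationStatus: '$status' (expect 4.7.2 once step 11 has run)"
```

Keep the zip from step 1 until step 13 has confirmed the site; it is the rollback point if the config merge goes wrong.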