Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Mike 62 posts 274 karma points
    Sep 21, 2010 @ 20:42
    Mike
    0

    ASP.NET Security Vulnerability Patch on 4.0.3

    I have a bunch of 4.0.3 sites to patch and I've started on two by applying the patch from the Umbraco package Repository.

    After running the package I'm told that:

    404 error pages leading to different page
    Your website should only contain a single type of error page for all server errors (including 404)

    Unable to update web.config
    Your security settings prohibits us from patching this issue automatically

    I have updated the web.config and the 404handlers.config manually (as per the guide.pdf / developers.pdf) plus checked that the /bin/umbraco.PoetPatcher.dll and /umbraco/plugins/poetpatcher/ directory have been added by the package when that was run - which they have.

    When I re-run the security package, however, the two items above remain. In addition if I browse to MYDOMAIN.COM/umbraco/plugins/poetpatcher/CustomError.aspx then I see the correct error, however, if I browse to MYDOMAIN.COM/nosuchpage.aspx then I still see my custom error page created in Umbraco and specified in my config/umbracoSettings.config

    Is there something else I should be checking/updating in addition to the above to get a clean bill of heath for my sites?

    It is worth noting that these sites all run on shared hosting.

    Many thanks

  • Lee Kelleher 4026 posts 15836 karma points MVP 13x admin c-trib
    Sep 21, 2010 @ 21:05
    Lee Kelleher
    0

    Hi Mike,

    In which order did you update the config files? As the 404handlers.config requires an app-restart for the changes to take effect.

    I'm thinking that you'll need to touch the Web.config again, which will restart your web-app.

    Hopefully it's that straight-forward.  Let us know how it goes.

    Cheers, Lee.

  • Mike 62 posts 274 karma points
    Sep 22, 2010 @ 02:31
    Mike
    0

    Hey Lee,

    Very much appreciate the reply.

    I tried touching the web.config again and reuploading it since changing the 404handlers.config but it hasn't changed the end result - I'm still seeing the two unresolved issues and my custom 404 is appearing as default rather than the same error for everything.

    The order I've applied the patch is to first install and run the patch within the Umbraco Package Repository, then when that fails check that the patch has installed the necessary files (bin/PoetPatcher.dll and /umbraco/plugins/poetpatcher/) then update the web.config and finally update the /config/404handlers.config

    As I say, I've since touched the web.config and uploaded that again then run the patch again from the Umbraco Package Repository but nothing changes.

    I've tried this on three separate 4.0.3 sites and all three are the same so it is a consistent issue whatever the cause.

    Any more suggestions would be greatly appreciated.

    Thanks, Mike

  • Lee Kelleher 4026 posts 15836 karma points MVP 13x admin c-trib
    Sep 22, 2010 @ 10:42
    Lee Kelleher
    0

    Hi Mike,

    I think it's a glitch in the patch/package ... because it can not update the Web.config (due to security/permissions), then it throws the error - making it appear that you aren't patched - but it sounds to me like you are.

    As for the 404handler ... check the contents of the file.  Do you have any custom NotFoundHandlers in there? If so, remove them (for now).

    Best of luck.

    Cheers, Lee.

  • Ismail Mayat 4511 posts 10092 karma points MVP 2x admin c-trib
    Sep 22, 2010 @ 11:17
    Ismail Mayat
    0

    Mike,

    I just did this with 4.0.2.1 on two servers win2k3 with asp.net 35sp1 on the first dev server all worked no problems on the second after installing the package it gave missing poetpatch.ascx so i copied the files over into /umbraco/plugins/poetpatch manually then applied the fix all worked nicely.

    Regards

    Ismail

  • Mike 62 posts 274 karma points
    Sep 22, 2010 @ 11:17
    Mike
    0

    Many thanks Lee, much appreciated.

    Checking the 404's again this morning, these are now showing the default (vanilla) Umbraco 404 page when I look for /nosuchpage.aspx so it is ignoring the node ID set in my /config/umbracoSettings.config file - which I guess is the whole point. It is odd though that is still isn't using CustomError.aspx.

    All the best, Mike

  • Lee Kelleher 4026 posts 15836 karma points MVP 13x admin c-trib
    Sep 22, 2010 @ 11:22
    Lee Kelleher
    0

    Mike, it does need to be displaying the CustomError.aspx page for 404 errors, not the default Umbraco one.

    Any of the HQ devs want to pitch in here?

    Cheers, Lee.

  • Mike 62 posts 274 karma points
    Sep 22, 2010 @ 11:31
    Mike
    0

    Hi there Ismail, many thanks for the post. When you say "poetpatch.ascx" do you mean "patch.ascx" which accompanies CustomError.aspx and Guide.pdf?

    Many thanks, Mike

  • Mike 62 posts 274 karma points
    Sep 22, 2010 @ 12:02
    Mike
    1

    Have just rechecked the web.config permissions on two of the sites and they were incorrect despite being correctly set previously. Reset these permissions and ran the package again successfully and everything is fine and dandy and 404's are redirecting as they should!

    Somewhat perplexed by the permissions reset but pleased I have a resolution now. Just need to keep an eye on that!

    Thanks Lee and Ismail for your help and support.

    All the best, Mike

     

Please Sign in or register to post replies

Write your reply to:

Draft