I have a bunch of 4.0.3 sites to patch and I've started on two by applying the patch from the Umbraco package Repository.
After running the package I'm told that:
404 error pages leading to different page Your website should only contain a single type of error page for all server errors (including 404)
Unable to update web.config Your security settings prohibits us from patching this issue automatically
I have updated the web.config and the 404handlers.config manually (as per the guide.pdf / developers.pdf) plus checked that the /bin/umbraco.PoetPatcher.dll and /umbraco/plugins/poetpatcher/ directory have been added by the package when that was run - which they have.
When I re-run the security package, however, the two items above remain. In addition if I browse to MYDOMAIN.COM/umbraco/plugins/poetpatcher/CustomError.aspx then I see the correct error, however, if I browse to MYDOMAIN.COM/nosuchpage.aspx then I still see my custom error page created in Umbraco and specified in my config/umbracoSettings.config
Is there something else I should be checking/updating in addition to the above to get a clean bill of heath for my sites?
It is worth noting that these sites all run on shared hosting.
I tried touching the web.config again and reuploading it since changing the 404handlers.config but it hasn't changed the end result - I'm still seeing the two unresolved issues and my custom 404 is appearing as default rather than the same error for everything.
The order I've applied the patch is to first install and run the patch within the Umbraco Package Repository, then when that fails check that the patch has installed the necessary files (bin/PoetPatcher.dll and /umbraco/plugins/poetpatcher/) then update the web.config and finally update the /config/404handlers.config
As I say, I've since touched the web.config and uploaded that again then run the patch again from the Umbraco Package Repository but nothing changes.
I've tried this on three separate 4.0.3 sites and all three are the same so it is a consistent issue whatever the cause.
Any more suggestions would be greatly appreciated.
I think it's a glitch in the patch/package ... because it can not update the Web.config (due to security/permissions), then it throws the error - making it appear that you aren't patched - but it sounds to me like you are.
As for the 404handler ... check the contents of the file. Do you have any custom NotFoundHandlers in there? If so, remove them (for now).
I just did this with 4.0.2.1 on two servers win2k3 with asp.net 35sp1 on the first dev server all worked no problems on the second after installing the package it gave missing poetpatch.ascx so i copied the files over into /umbraco/plugins/poetpatch manually then applied the fix all worked nicely.
Checking the 404's again this morning, these are now showing the default (vanilla) Umbraco 404 page when I look for /nosuchpage.aspx so it is ignoring the node ID set in my /config/umbracoSettings.config file - which I guess is the whole point. It is odd though that is still isn't using CustomError.aspx.
Have just rechecked the web.config permissions on two of the sites and they were incorrect despite being correctly set previously. Reset these permissions and ran the package again successfully and everything is fine and dandy and 404's are redirecting as they should!
Somewhat perplexed by the permissions reset but pleased I have a resolution now. Just need to keep an eye on that!
ASP.NET Security Vulnerability Patch on 4.0.3
I have a bunch of 4.0.3 sites to patch and I've started on two by applying the patch from the Umbraco package Repository.
After running the package I'm told that:
404 error pages leading to different page
Your website should only contain a single type of error page for all server errors (including 404)
Unable to update web.config
Your security settings prohibits us from patching this issue automatically
I have updated the web.config and the 404handlers.config manually (as per the guide.pdf / developers.pdf) plus checked that the /bin/umbraco.PoetPatcher.dll and /umbraco/plugins/poetpatcher/ directory have been added by the package when that was run - which they have.
When I re-run the security package, however, the two items above remain. In addition if I browse to MYDOMAIN.COM/umbraco/plugins/poetpatcher/CustomError.aspx then I see the correct error, however, if I browse to MYDOMAIN.COM/nosuchpage.aspx then I still see my custom error page created in Umbraco and specified in my config/umbracoSettings.config
Is there something else I should be checking/updating in addition to the above to get a clean bill of heath for my sites?
It is worth noting that these sites all run on shared hosting.
Many thanks
Hi Mike,
In which order did you update the config files? As the 404handlers.config requires an app-restart for the changes to take effect.
I'm thinking that you'll need to touch the Web.config again, which will restart your web-app.
Hopefully it's that straight-forward. Let us know how it goes.
Cheers, Lee.
Hey Lee,
Very much appreciate the reply.
I tried touching the web.config again and reuploading it since changing the 404handlers.config but it hasn't changed the end result - I'm still seeing the two unresolved issues and my custom 404 is appearing as default rather than the same error for everything.
The order I've applied the patch is to first install and run the patch within the Umbraco Package Repository, then when that fails check that the patch has installed the necessary files (bin/PoetPatcher.dll and /umbraco/plugins/poetpatcher/) then update the web.config and finally update the /config/404handlers.config
As I say, I've since touched the web.config and uploaded that again then run the patch again from the Umbraco Package Repository but nothing changes.
I've tried this on three separate 4.0.3 sites and all three are the same so it is a consistent issue whatever the cause.
Any more suggestions would be greatly appreciated.
Thanks, Mike
Hi Mike,
I think it's a glitch in the patch/package ... because it can not update the Web.config (due to security/permissions), then it throws the error - making it appear that you aren't patched - but it sounds to me like you are.
As for the 404handler ... check the contents of the file. Do you have any custom NotFoundHandlers in there? If so, remove them (for now).
Best of luck.
Cheers, Lee.
Mike,
I just did this with 4.0.2.1 on two servers win2k3 with asp.net 35sp1 on the first dev server all worked no problems on the second after installing the package it gave missing poetpatch.ascx so i copied the files over into /umbraco/plugins/poetpatch manually then applied the fix all worked nicely.
Regards
Ismail
Many thanks Lee, much appreciated.
Checking the 404's again this morning, these are now showing the default (vanilla) Umbraco 404 page when I look for /nosuchpage.aspx so it is ignoring the node ID set in my /config/umbracoSettings.config file - which I guess is the whole point. It is odd though that is still isn't using CustomError.aspx.
All the best, Mike
Mike, it does need to be displaying the CustomError.aspx page for 404 errors, not the default Umbraco one.
Any of the HQ devs want to pitch in here?
Cheers, Lee.
Hi there Ismail, many thanks for the post. When you say "poetpatch.ascx" do you mean "patch.ascx" which accompanies CustomError.aspx and Guide.pdf?
Many thanks, Mike
Have just rechecked the web.config permissions on two of the sites and they were incorrect despite being correctly set previously. Reset these permissions and ran the package again successfully and everything is fine and dandy and 404's are redirecting as they should!
Somewhat perplexed by the permissions reset but pleased I have a resolution now. Just need to keep an eye on that!
Thanks Lee and Ismail for your help and support.
All the best, Mike
is working on a reply...