
  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 16, 2020 @ 09:39
    Sebastiaan Janssen
    0

    Security update for March 2020 [now available]

    A security update for Umbraco 4.11.9+ (all versions after that) is now available, read all about it in the blog post: https://umbraco.com/blog/security-advisory-17th-of-march-patch-for-your-site-is-now-available/

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 17, 2020 @ 07:05
    Sebastiaan Janssen
    0

    If you have additional questions not covered in the blog post please use this forum post dedicated to this topic.

    Umbraco HQ is monitoring questions on this topic closely for the next few days.

    You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

    We will not be answering questions on how the vulnerability can be exploited in order to give everyone a fair chance to get their sites updated first.

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 17, 2020 @ 07:13
    Sebastiaan Janssen
    0

    Note: we expect similar questions to the previous security update for ClientDependency, try to see if you can find an answer to your question in the older topic first: https://our.umbraco.com/forum/using-umbraco-and-getting-started//93808-security-update-for-september-2018

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 17, 2020 @ 07:26
    Sebastiaan Janssen
    1

    Regarding this tweet:

    https://twitter.com/FyinInc/status/1239814202400759809


    We posted a dll for .NET 3.5, 4.0 and 4.5 the last time ClientDependency needed to be updated. This turned out to be unnecessary, we have only posted the .NET 3.5 version of the dll this time, which works with all other .NET configurations. There was no need to differentiate the three frameworks.

  • Darren Ferguson 1022 posts 3258 karma points MVP c-trib
    Mar 17, 2020 @ 13:54
    Darren Ferguson
    0

    Hi Seb,

    Has the location where files generated by the ClientDependency changed at all?

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 17, 2020 @ 14:11
    Sebastiaan Janssen
    0

    It hasn't, why do you ask?

  • Darren Ferguson 1022 posts 3258 karma points MVP c-trib
    Mar 17, 2020 @ 14:25
    Darren Ferguson
    0

    I'm noting that some patched sites don't create a ClientDependency folder in ~/AppData/Temp

  • M 34 posts 245 karma points
    Mar 17, 2020 @ 14:40
    M
    0

    I've also noticed this. Not sure when/how often they're normally created though.

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 17, 2020 @ 15:01
    Sebastiaan Janssen
    0

    Those files only get created when compilation debug="false" in the web.config and DependencyHandler.axd actually gets used. This should happen after you go to the login screen for the backoffice, or to the frontend of your site if CDF is used in your frontend templates.

    It is possible that, with some configuration settings in web.config, the App_Data/TEMP folder is located somewhere else. For example: https://our.umbraco.com/documentation/getting-started/setup/server-setup/load-balancing/file-system-replication#non-replicated-files

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 17, 2020 @ 15:11
    Sebastiaan Janssen
    0

    Additionally, you might want to check ClientDependency.config since the storage directory is configurable:

    <!-- A file map provider stores references to dependency files by an id to be used in the handler URL when using the MappedId Url type -->
    <fileMapProviders>
      <add name="XmlFileMap" type="ClientDependency.Core.CompositeFiles.Providers.XmlFileMapper, ClientDependency.Core" 
          mapPath="~/App_Data/TEMP/ClientDependency" />
    </fileMapProviders>
    
  • M 34 posts 245 karma points
    Mar 17, 2020 @ 15:46
    M
    0

    Mine are live, version 7 sites (not running debug), using CDF on front end. They had files in ~/AppData/Temp/ClientDependency but nothing is being rewritten after dropping the new dll.

    Does the CDF version in ClientDependency.config need updating?

    Everything seems to be working ok still.

  • Steve Smith 71 posts 151 karma points
    Mar 17, 2020 @ 16:33
    Steve Smith
    0

    I was looking to answer a similar question.

    We're running a site as an Azure Web App. The ClientDependency.config file lists:

    ~/App_Data/TEMP/ClientDependency

    But we have no such folder.

    Links to JavaScript dependencies are still using DependencyHandler.axd (and working) - I just can't find the files.

  • Kevin Jump 1730 posts 11095 karma points MVP 4x c-trib
    Mar 17, 2020 @ 20:03
    Kevin Jump
    1

    If your setup has the 'LocaltempStorage' settings then the files will be located in the %TEMP% folder for the web app.

    In the DebugConsole (Kudu) you can't see these files by default :( although you can change a setting so you can: https://our.umbraco.com/forum/using-umbraco-and-getting-started/92967-azure-umbracolocaltempstorage-location-and-clearing-temp-files

    Alternatively the client dependency health check package will check and clear the folder
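Pulling the three hints in this thread together (the mapPath in ClientDependency.config, the local temp storage setting in web.config, and the web app's %TEMP%), here is an added PowerShell function that reports where a given site's ClientDependency files should be. It is example code written for this page, not Umbraco HQ's, Kevin's, or the health check package's code. It assumes the appSetting is named umbracoLocalTempStorage with the value Default meaning "not relocated", that the fileProcessingProviders entry carries a compositeFilePath attribute alongside the mapPath shown above (taken from the default config that ships with CDF, not from this page), and that a relocated TEMP tree can be found by searching the application pool identity's %TEMP% for a ClientDependency folder (pass -TempRoot when that is not the profile you are running under).

```powershell
# Added example (not from the thread or Umbraco HQ): resolve where a site's ClientDependency
# composite files actually live, following the three hints given in this thread:
#   1. the mapPath / compositeFilePath attributes in config/ClientDependency.config
#   2. the umbracoLocalTempStorage appSetting in web.config (assumed key name, see lead-in)
#   3. when that setting moves App_Data/TEMP, a search under the app pool's %TEMP%
function Get-CdfTempLocation {
    param(
        [Parameter(Mandatory = $true)][string]$SiteRoot,
        # %TEMP% of the application pool identity, which is normally NOT the one of the
        # administrator running this script; point it at the right profile (or at the
        # "Temporary ASP.NET Files" root for the AspNetTemp setting) when it differs.
        [string]$TempRoot = $env:TEMP
    )

    $result = [ordered]@{
        SiteRoot         = $SiteRoot
        LocalTempStorage = 'Default'
        ConfiguredPaths  = @()
        ResolvedPaths    = @()
    }

    # --- 1. ClientDependency.config -----------------------------------------------
    $cdfConfig = Join-Path $SiteRoot 'config\ClientDependency.config'
    if (Test-Path $cdfConfig) {
        [xml]$xml = Get-Content -Path $cdfConfig -Raw
        $nodes = @($xml.SelectNodes('//fileMapProviders/add')) +
                 @($xml.SelectNodes('//fileProcessingProviders/add'))
        foreach ($node in $nodes) {
            foreach ($attr in 'mapPath', 'compositeFilePath') {
                $value = $node.GetAttribute($attr)   # "" when the attribute is absent
                if ($value) { $result.ConfiguredPaths += $value }
            }
        }
    }
    if ($result.ConfiguredPaths.Count -eq 0) {
        # CDF default, as quoted above in this thread
        $result.ConfiguredPaths = @('~/App_Data/TEMP/ClientDependency')
    }
    $result.ConfiguredPaths = @($result.ConfiguredPaths | Sort-Object -Unique)

    # --- 2. web.config appSettings (honouring a configSource redirect) --------------
    $webConfig = Join-Path $SiteRoot 'web.config'
    if (Test-Path $webConfig) {
        [xml]$wc = Get-Content -Path $webConfig -Raw
        $appSettings = $wc.configuration.appSettings
        if ($appSettings -and $appSettings.configSource) {
            [xml]$ext = Get-Content -Path (Join-Path $SiteRoot $appSettings.configSource) -Raw
            $appSettings = $ext.appSettings
        }
        if ($appSettings) {
            $setting = $appSettings.add |
                Where-Object { $_.key -eq 'umbracoLocalTempStorage' } |
                Select-Object -First 1
            if ($setting) { $result.LocalTempStorage = $setting.value }
        }
    }

    # --- 3. turn the virtual paths into physical ones --------------------------------
    foreach ($virtual in $result.ConfiguredPaths) {
        $relative = ($virtual -replace '^~/', '') -replace '/', '\'
        if ($result.LocalTempStorage -eq 'Default' -or $relative -notmatch '^App_Data\\TEMP') {
            $result.ResolvedPaths += Join-Path $SiteRoot $relative
        }
        else {
            # Kevin's note above: with local temp storage enabled the TEMP tree moves under
            # the web app's %TEMP%. The exact subfolder is version specific, so search for it.
            $found = Get-ChildItem -Path $TempRoot -Directory -Recurse -Filter 'ClientDependency' `
                                   -ErrorAction SilentlyContinue
            if ($found) { $result.ResolvedPaths += @($found.FullName) }
            else        { $result.ResolvedPaths += "<no ClientDependency folder found under $TempRoot>" }
        }
    }

    [pscustomobject]$result
}

# usage (constructed example path):
# Get-CdfTempLocation -SiteRoot 'C:\inetpub\wwwroot\mysite' | Format-List
```

The function only reads configuration and lists directories; it deletes nothing, so it is safe to run against a production site before deciding which folder to back up and clear.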

  • Steve Morgan 1111 posts 3508 karma points c-trib
    Mar 17, 2020 @ 19:24
    Steve Morgan
    0

    In a separate question.

    I noticed that when I've used the NuGet update method the web.config is modified.

    Mainly

    <add verb="*" path="DependencyHandler.axd" type="ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core " />
    

    The verb is changed to: verb="GET"

    And a few other bits. Do these need manually merging if you just copy the dlls in?

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 18, 2020 @ 08:09
    Sebastiaan Janssen
    1

    Thanks Steve. It doesn't really matter, I think it only responds to GET verbs anyway, but if it doesn't then there's also no harm if other verbs are used.

  • ElonTech 1 post 20 karma points
    Mar 17, 2020 @ 21:57
    ElonTech
    0

    When I try to use the new ClientDependency it throws an error. "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
    System.Security.Cryptography.MD5CryptoServiceProvider..ctor()

    Is there another version that is FIPS compliant?

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 18, 2020 @ 08:08
    Sebastiaan Janssen
    0

    ElonTech: sorry about that, I just noticed that FIPS compliance is being set to false for some reason in the .NET 3.5 version. https://github.com/Shazwazza/ClientDependency/blob/e7adbb50f440825754ddcb1ce61b0028dc551f4e/src/ClientDependency.Core/Config/ClientDependencySection.cs#L129

    This is because the config api to read CryptoConfig.AllowOnlyFipsAlgorithms doesn't exist in .NET 3.5.

    You can download the NuGet package (https://www.nuget.org/api/v2/package/ClientDependency/1.9.9) and open it in your favorite ZIP tool. The nupkg file is just a zip file so if you rename it to clientdependency.1.9.9.zip then you can open it.

    From there you can go to the lib folder and use either the net40 or net45 version of the dll, whichever one is appropriate for your setup. Those two are FIPS compliant!


  • Chris Kim 37 posts 202 karma points c-trib
    Mar 17, 2020 @ 22:26
    Chris Kim
    0

    We have a shared server with a number of Umbraco sites hosted on it. For the security patch in September 2018 I wrote a PowerShell script to automate replacing the dll and deleting the cached files. Luckily I could just reuse the script for this new patch.

    Here it is if anyone is in a similar situation.

    You need to have the new dll in the same directory as the powershell script (save it as a .ps1). Run PowerShell with Administrator rights to have access to IIS, you may also need to modify your execution policy (ask Google).

    It grabs all started sites from IIS, checks if they are umbraco sites (by looking for the folder "umbraco"), then checks if they are using a different version of the dll, if so replaces it and deletes the cache folder(s). I note that the new security advisory recommends backing up the cache folder to check for any data breaches - this script does NOT do that, it just deletes them.

    After each site it has actioned, it asks you to confirm with Enter. I wrote it that way as the sites restart immediately and if there are lots of sites this could max out the CPU on the server, so just keep an eye on CPU and do a few at a time.

    Obviously use at your own risk, so please make sure you understand what the script does.

    Script has been used with Umbraco 7 and 8

    Import-Module WebAdministration

    # copy the current version of ClientDependency.Core.dll into the folder that this script is executed in!
    $UpdatedCdPath = Join-Path $PSScriptRoot 'ClientDependency.Core.dll'
    $UpdatedCdVersion = (Get-Item $UpdatedCdPath).VersionInfo.FileVersion

    # A site is treated as an Umbraco site when it has an "umbraco" folder in its root
    function GetCms([parameter(Mandatory=$true)]$website)
    {
        if (Test-Path $(Join-Path $($website.physicalPath) "umbraco/"))
        {
            return "umbraco"
        }
        else
        {
            return "other"
        }
    }

    # Read the Umbraco version from the configuration status appSetting (v7 key and v8 key),
    # following an appSettings configSource redirect if the site uses one
    function GetUmbracoVersion([parameter(Mandatory=$true)]$website)
    {
        $umbracoVersion = ""
        $webConfigPath = Join-Path $($website.physicalPath) "web.config"
        if(Test-Path $webConfigPath)
        {
            [xml]$webConfig = Get-Content -Path $webConfigPath
            if($webConfig.configuration.appSettings)
            {
                $appSettings = $webConfig.configuration.appSettings
                if($appSettings.configSource)
                {
                    [xml]$appSettingsXml = Get-Content -Path $(Join-Path $($website.physicalPath) $appSettings.configSource)
                    $appSettings = $appSettingsXml.appSettings
                }
                foreach($setting in $appSettings.add)
                {
                    If($setting.key -eq "umbracoConfigurationStatus")
                    {
                        $umbracoVersion = $setting.value
                    }
                    If($setting.key -eq "Umbraco.Core.ConfigurationStatus")
                    {
                        $umbracoVersion = $setting.value
                    }
                }
            }
        }
        return $umbracoVersion
    }

    # Replace bin\ClientDependency.Core.dll when its file version differs from the new one,
    # then delete the cached composite files (no backup is taken, see the note above)
    function UpdateClientDependency([parameter(Mandatory=$true)]$website, $item)
    {
        $clientDependencyPath = Join-Path $($website.physicalPath) "bin\ClientDependency.Core.dll"
        if(Test-Path $clientDependencyPath)
        {
            $item.CdVersionPre = (Get-Item $clientDependencyPath).VersionInfo.FileVersion
            if($item.CdVersionPre -ne $UpdatedCdVersion)
            {
                $binFolder = Join-Path $($website.physicalPath) "bin"
                #Copy-Item $UpdatedCdPath -Destination $binFolder -WhatIf
                Copy-Item $UpdatedCdPath -Destination $binFolder

                $tempFolder = Join-Path $($website.physicalPath) "App_Data\TEMP\ClientDependency"
                if(Test-Path $tempFolder)
                {
                    #Get-ChildItem -Path $tempFolder -Include *.* -File -Recurse | foreach { Write $_.Name }
                    Get-ChildItem -Path $tempFolder -Include *.* -File -Recurse | foreach { $_.Delete() }
                    # whatever is left after the delete (normally only sub folders)
                    $item.TempFolderItems = (Get-ChildItem -Path $tempFolder | Measure-Object).Count
                }
                else
                {
                    $item.TempFolderItems = 0
                }

                # some sites seem to have this folder as well
                $tempFolder2 = Join-Path $($website.physicalPath) "App_Data\ClientDependency"
                if(Test-Path $tempFolder2)
                {
                    Get-ChildItem -Path $tempFolder2 -Include *.* -File -Recurse | foreach { $_.Delete() }
                }

                $item.CdVersionPost = (Get-Item $clientDependencyPath).VersionInfo.FileVersion

                # the site restarts as soon as the dll is replaced; pause so the CPU can catch up
                Read-Host "Updated $($website.name). Press ENTER to continue..."
            }
        }
    }

    # Walk every started IIS site, patch the Umbraco ones and collect a summary row per site
    function PatchWebsites()
    {
        $list = @()
        foreach ($webapp in (Get-ChildItem IIS:\Sites\ | Where-Object { $_.state -eq "Started" }))
        {
            $cms = GetCms $webapp
            if($cms -eq "umbraco")
            {
                $item = @{}
                $item.WebAppName = $webapp.name
                $item.CmsVersion = GetUmbracoVersion $webapp
                UpdateClientDependency $webapp $item

                $obj = New-Object PSObject -Property $item
                $list += $obj
            }
        }
        return $list
    }


    $websites = PatchWebsites

    $websites | Format-Table WebAppName,CmsVersion,CdVersionPre,CdVersionPost,TempFolderItems -AutoSize
    
  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 18, 2020 @ 07:49
    Sebastiaan Janssen
    1

    As for the TEMP folder location, Kevin's package source gives us the correct way to find it. Unfortunately, the package currently has no files so we can't use it for now.

    I've whipped up a little class you can drop into App_Code with 3 WebApi endpoints: https://gist.github.com/nul800sebastiaan/2dfb053cc5523e735e48afbed456f091

    https://{yoursite}/Umbraco/Api/TempFile/GetCDFFiles

    Lists the ClientDependency TEMP directory and all the files in it.


    https://{yoursite}/Umbraco/Api/TempFile/GetCDFTempFiles

    Zips and downloads all the files in the ClientDependency TEMP directory


    https://{yoursite}/Umbraco/Api/TempFile/DeleteCDFTempFiles

    Deletes all the files in the ClientDependency TEMP directory and lists the files that have been deleted.


    ⚠⚠⚠ Warning: these are PUBLIC endpoints that anybody can use!

    Make sure to delete the file from App_Code once you're done!

  • Kevin Jump 1730 posts 11095 karma points MVP 4x c-trib
    Mar 18, 2020 @ 11:33
    Kevin Jump
    1

    Hi,

    I've added a packaged version of the health check now, if someone wants it.

    https://our.umbraco.com/packages/developer-tools/health-check-for-client-dependency-framework/

  • Chris Kim 37 posts 202 karma points c-trib
    Mar 18, 2020 @ 21:13
    Chris Kim
    0

    It's worth noting that this requires a reference to System.IO.Compression.FileSystem in the project, which our 7.13 project where I just tried to use this didn't have.

  • Kevin Jump 1730 posts 11095 karma points MVP 4x c-trib
    Mar 18, 2020 @ 21:15
    Kevin Jump
    0

    Hi, you might have installed the v8 one? There is a v7 and a v8 version.

  • Chris Kim 37 posts 202 karma points c-trib
    Mar 18, 2020 @ 21:27
    Chris Kim
    0

    Sorry Kevin, that was in response to the class that Sebastiaan Janssen posted in his gist.

  • Christian A 23 posts 97 karma points c-trib
    Mar 18, 2020 @ 08:57
    Christian A
    1

    We have a few old solutions running Umbraco 7.2.4. Installing the DLL and wiping the ClientDependency folder resulted in Umbraco backoffice not loading, with the following Javascript error:


  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 18, 2020 @ 11:56
    Sebastiaan Janssen
    1

    @Christian - no such problem here. Did you scroll through the older forum topic? Might be a problem with nuPickers or Multi URL picker?


  • Christian A 23 posts 97 karma points c-trib
    Mar 18, 2020 @ 13:19
    Christian A
    0

    Hello Sebastiaan,

    Yes, I scrolled through all feedback that has been posted so far. It works perfectly on all the newer solutions, but all the 7.2.x ones get exactly the same error. Must be some custom code somewhere that breaks it then.

    Will have to investigate further then. Thanks for looking into it anyway.

  • Darren Ferguson 1022 posts 3258 karma points MVP c-trib
    Mar 18, 2020 @ 10:02
    Darren Ferguson
    0

    Don't you need to update your advisory - you are just directing everyone to the ~/App_Data folder.

    As discussed here - that isn't always where the files are - sometimes they will be placed in your environment temp directory - and you can also configure this.

    The advisory should probably be updated - to detail how to find your client dependency generated files. There is a link to this thread, but I think it is a bit of a stretch to imagine that everyone will follow through and find the details above.

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 18, 2020 @ 11:44
    Sebastiaan Janssen
    0

    Yep thanks Darren, I don't have the rights to edit the blog any more so I had to wait for some help. It's linking here now for more info.

  • Wayne 10 posts 90 karma points
    Mar 18, 2020 @ 11:55
    Wayne
    0

    Hi all,

    Just seen the post on the update.

    Could someone please help on confirming my steps to update my site.

    I'm running Umbraco 7.8.1.

    Are these steps correct

    • Download dll (http://umbracoreleases.blob.core.windows.net/securitypatches/ClientDependency.Core.dll.1.9.9.zip) and paste into bin directory of my Umbraco CMS, and replace the old client dependency dll with the new one.

    • Stage, check-in and push new dll to source control

    • Delete ~/App_Data/Temp/ClientDependency

    Thanks,

    Wayne

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 18, 2020 @ 12:00
    Sebastiaan Janssen
    0

    Sounds good Wayne. Before deleting the TEMP files, if you want to see if any cached files look suspicious (sign of a breach).

  • pbl_dk 131 posts 479 karma points
    Mar 18, 2020 @ 12:09
    pbl_dk
    0

    @Seb, how do you check for breaches? Everything in the files seems to be encrypted..

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 18, 2020 @ 13:02
    Sebastiaan Janssen
    2

    I don't have a comprehensive guide for you I'm afraid. All of the files in the TEMP folder can be opened in 7zip and the inner file can be extracted. The inner files are plain text and should only contain Javascript and CSS. As soon as you see things that look like anything else you should be worried.
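Sebastiaan's manual check above can be scripted for sites with many cached files. The following is an added PowerShell example, not code from the thread or from Umbraco: it decompresses each file in the ClientDependency TEMP directory (gzip, zip or raw deflate, detected from the bytes, with plain text as the fallback) and flags inner content that does not look like JavaScript or CSS. The marker list is my own assumption for triage, not an official indicator list, so treat hits as files to open by hand rather than as proof of compromise, and expect the odd false positive from legitimate template strings. The zip branch needs System.IO.Compression.FileSystem, the same assembly Chris mentions further down for the gist.

```powershell
# Added example (not from the thread): open each ClientDependency composite file the way the
# thread describes (7zip / rename to .zip), and flag anything that is not plain JS or CSS.
# Only the thread's statement is assumed: the files are archives whose inner file is text.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Read-CdfInnerText {
    param([Parameter(Mandatory = $true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x1F -and $bytes[1] -eq 0x8B) {
        # gzip member (magic 1F 8B)
        $in = New-Object System.IO.MemoryStream(,$bytes)
        $gz = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object System.IO.StreamReader($gz)
        try { return @{ Format = 'gzip'; Text = $sr.ReadToEnd() } } finally { $sr.Dispose() }
    }
    if ($bytes.Length -ge 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
        # zip archive (magic "PK"): concatenate every entry, normally there is exactly one
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            $sb = New-Object System.Text.StringBuilder
            foreach ($entry in $zip.Entries) {
                $sr = New-Object System.IO.StreamReader($entry.Open())
                try { [void]$sb.Append($sr.ReadToEnd()) } finally { $sr.Dispose() }
            }
            return @{ Format = 'zip'; Text = $sb.ToString() }
        } finally { $zip.Dispose() }
    }
    # raw deflate has no magic bytes: try it, and fall back to treating the file as plain text
    try {
        $in = New-Object System.IO.MemoryStream(,$bytes)
        $df = New-Object System.IO.Compression.DeflateStream($in, [System.IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object System.IO.StreamReader($df)
        try { return @{ Format = 'deflate'; Text = $sr.ReadToEnd() } } finally { $sr.Dispose() }
    } catch {
        return @{ Format = 'plain'; Text = [System.Text.Encoding]::UTF8.GetString($bytes) }
    }
}

function Test-CdfTempFiles {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Markers that have no business in a JS/CSS bundle: server-side script tags, HTML documents,
    # control characters from binary payloads. Constructed for this example; extend as needed.
    $markers = @(
        @{ Name = 'ASP.NET/Razor server code';  Pattern = '<%|@\{|<script[^>]+runat=' }
        @{ Name = 'PHP open tag';               Pattern = '<\?php' }
        @{ Name = 'HTML document';              Pattern = '<html|<body|<iframe' }
        @{ Name = 'Binary/control characters';  Pattern = '[\x00-\x08\x0E-\x1F]' }
    )

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_
        try {
            $inner = Read-CdfInnerText -Path $file.FullName
            $hits  = @($markers | Where-Object { $inner.Text -match $_.Pattern } | ForEach-Object { $_.Name })
        } catch {
            $inner = @{ Format = 'unreadable'; Text = '' }
            $hits  = @("Could not decode: $($_.Exception.Message)")
        }
        [pscustomobject]@{
            File       = $file.FullName
            Format     = $inner.Format
            InnerChars = $inner.Text.Length
            Suspicious = ($hits.Count -gt 0)
            Reasons    = ($hits -join '; ')
        }
    }
}

# usage (constructed example path), run BEFORE the folder is cleared:
# Test-CdfTempFiles -Path 'C:\inetpub\wwwroot\mysite\App_Data\TEMP\ClientDependency' |
#     Where-Object Suspicious | Format-Table File, Format, Reasons -AutoSize
```

The scan is read-only, so it fits between "back up the cache folder" and "delete it" in the advisory's steps; keep the output together with the backup so the files can be re-examined later if needed.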

  • pbl_dk 131 posts 479 karma points
    Mar 19, 2020 @ 15:37
    pbl_dk
    0

    Works. I renamed the files to .zip and extracted, they were just filled with javascript. No compromising content.

  • Wayne 10 posts 90 karma points
    Mar 18, 2020 @ 12:02
    Wayne
    0

    Cool, will do, was just double-checking committing the dll to source control.

    Thanks,

    Wayne

  • Anthony Edge 20 posts 54 karma points
    Mar 18, 2020 @ 22:46
    Anthony Edge
    0

    I could have sworn the original post mentioned deleting all files in ~/AppData/ClientDependency or ~/AppData/Temp/ClientDependency after the BIN file upgrade. But I don't see that advice anymore. Is it still current?

  • Sebastiaan Janssen 4880 posts 14554 karma points MVP admin hq
    Mar 19, 2020 @ 14:53
    Sebastiaan Janssen
    0

    Anthony: we corrected that soon after you asked, thank you - that was accidentally removed! I forgot to reply here.

    I will make sure I have blog editing rights for future security problems since going through an intermediary this time has not been very efficient.

  • kobelinh24 2 posts 22 karma points
    Apr 09, 2020 @ 17:03
    kobelinh24
    0

    Dear Seb,

    I'm trying to apply the 1.9.9 version of ClientDependency, however I couldn't find any later version than my current one (1.8.4) in NuGet, do you know the reason behind this?

  • Anders Bjerner 434 posts 2426 karma points MVP 4x admin c-trib
    Apr 09, 2020 @ 20:24
    Anders Bjerner
    0

    Newest version is here: https://www.nuget.org/packages/ClientDependency/1.9.9

    I think earlier versions have been unlisted on NuGet as they contain vulnerabilities.

  • kobelinh24 2 posts 22 karma points
    Apr 12, 2020 @ 19:34
    kobelinh24
    0

    Hi Anders, thank you for your answer. I would particularly like to have the package installed via the NuGet console so I can get some automatic code updates in the config too, but somehow my package manager indicates that 1.8.4 is the latest available version. Is there any way I can fix this?

  • Mohamed Hassan 3 posts 73 karma points
    25 days ago
    Mohamed Hassan
    0

    Dears, I upgraded from v7.7.6 to v7.15.3. In both versions I got a blank page with the attached error if debug=false in the pre-production or production environment, but in the testing environment it works fine. Note: I replaced the ClientDependency.Core.dll with the new one but the same issue still appears.

  • Chris Kim 37 posts 202 karma points c-trib
    23 days ago
    Chris Kim
    0

    Did you clear the ClientDependency folders in the App_Data/TEMP directory? Has it changed the version in config/clientdependency.config?

    Note that the ClientDependency patch was in 7.15.4, so 7.15.3 doesn't seem like the right version to upgrade to, unless you also manually updated ClientDependency to 1.9.9.

  • Mohamed Hassan 3 posts 73 karma points
    23 days ago
    Mohamed Hassan
    0

    Yes, I cleared the ClientDependency folders, updated the version in clientdependency.config and updated ClientDependency to 1.9.9 manually.

    The issue still appears.

    If I upgrade to 7.15.4, will this issue be solved?

  • Chris Kim 37 posts 202 karma points c-trib
    23 days ago
    Chris Kim
    1

    I doubt it. The upgrade from 7.15.3 to 7.15.4 was just to update the ClientDependency package. I am guessing something else may have gone wrong with your upgrade? Maybe compare your files to a vanilla 7.15.4.

    I have seen that blank backoffice issue in the past, but that was a long time ago using 7.1.x. Can't say I've seen that issue with upgrades from versions > 7.6, sorry.
