  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    24 days ago
    Sebastiaan Janssen
    0

    Security update for March 2020 [now available]

    A security update for Umbraco 4.11.9+ (all versions after that) is now available, read all about it in the blog post: https://umbraco.com/blog/security-advisory-17th-of-march-patch-for-your-site-is-now-available/

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    23 days ago
    Sebastiaan Janssen
    0

    If you have additional questions not covered in the blog post please use this forum post dedicated to this topic.

    Umbraco HQ is monitoring questions on this topic closely for the next few days.

    You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

    We will not be answering questions on how the vulnerability can be exploited in order to give everyone a fair chance to get their sites updated first.

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    23 days ago
    Sebastiaan Janssen
    0

    Note: we expect similar questions to the previous security update for ClientDependency, try to see if you can find an answer to your question in the older topic first: https://our.umbraco.com/forum/using-umbraco-and-getting-started//93808-security-update-for-september-2018

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    23 days ago
    Sebastiaan Janssen
    1

    Regarding this tweet:

    https://twitter.com/FyinInc/status/1239814202400759809


    We posted a dll for .NET 3.5, 4.0 and 4.5 the last time ClientDependency needed to be updated. This turned out to be unnecessary, we have only posted the .NET 3.5 version of the dll this time, which works with all other .NET configurations. There was no need to differentiate the three frameworks.

  • Darren Ferguson 1022 posts 3258 karma points MVP c-trib
    22 days ago
    Darren Ferguson
    0

    Hi Seb,

    Has the location where files generated by the ClientDependency changed at all?

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    22 days ago
    Sebastiaan Janssen
    0

    It hasn't, why do you ask?

  • Darren Ferguson 1022 posts 3258 karma points MVP c-trib
    22 days ago
    Darren Ferguson
    0

    I'm noting that some patched sites don't create a ClientDependency folder in ~/AppData/Temp

  • M 33 posts 244 karma points
    22 days ago
    M
    0

    I've also noticed this. Not sure when/how often they're normally created though.

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    22 days ago
    Sebastiaan Janssen
    0

    Those files only get created when compilation debug="false" in the web.config and DependencyHandler.axd actually gets used. This should happen after you go to the login screen for the backoffice or to the frontend of your site if CDF is used in your frontend templates.

    It is possible that with some configuration settings in web.config that the App_Data/TEMP folder is being located somewhere else. For example: https://our.umbraco.com/documentation/getting-started/setup/server-setup/load-balancing/file-system-replication#non-replicated-files

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    22 days ago
    Sebastiaan Janssen
    0

    Additionally, you might want to check ClientDependency.config since the storage directory is configurable:

    <!-- A file map provider stores references to dependency files by an id to be used in the handler URL when using the MappedId Url type -->
    <fileMapProviders>
      <add name="XmlFileMap" type="ClientDependency.Core.CompositeFiles.Providers.XmlFileMapper, ClientDependency.Core" 
          mapPath="~/App_Data/TEMP/ClientDependency" />
    </fileMapProviders>
    
  • M 33 posts 244 karma points
    22 days ago
    M
    0

    Mine are live, version 7 sites (not running debug), using CDF on front end. They had files in ~/AppData/Temp/ClientDependency but nothing is being rewritten after dropping the new dll.

    Does the CDF version in ClientDependency.config need updating?

    Everything seems to be working ok still.

  • Steve Smith 67 posts 147 karma points
    22 days ago
    Steve Smith
    0

    I was looking to answer a similar question.

    We're running a site as an Azure Web App. The ClientDependency.config file lists:

    ~/App_Data/TEMP/ClientDependency

    But we have no such folder.

    Links to JavaScript dependencies are still using DependencyHandler.axd (and working) - just can't find the files.

  • Kevin Jump 1674 posts 10587 karma points MVP 3x c-trib
    22 days ago
    Kevin Jump
    1

    If your setup has the 'LocaltempStorage' settings then the files will be located in the %TEMP% folder for the web app.

    In the DebugConsole (Kudu) you can't see these files by default :( although you can change a setting so you can: https://our.umbraco.com/forum/using-umbraco-and-getting-started/92967-azure-umbracolocaltempstorage-location-and-clearing-temp-files

    Alternatively the client dependency health check package will check and clear the folder

  • Steve Morgan 1056 posts 3286 karma points c-trib
    22 days ago
    Steve Morgan
    0

    In a separate question.

    I noticed that when I used the NuGet update method the web.config is modified.

    Mainly

    <add verb="*" path="DependencyHandler.axd" type="ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core " />
    

    The verb is changed to: verb="GET"

    And a few other bits. Do these need manually merging if you just copy the dlls in?

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    22 days ago
    Sebastiaan Janssen
    1

    Thanks Steve. It doesn't really matter, I think it only responds to GET verbs anyway, but if it doesn't then there's also no harm if other verbs are used.

  • ElonTech 1 post 20 karma points
    22 days ago
    ElonTech
    0

    When I try to use the new ClientDependency it throws an error. "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
    System.Security.Cryptography.MD5CryptoServiceProvider..ctor()

    Is there another version that is FIPS compliant?

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    22 days ago
    Sebastiaan Janssen
    0

    ElonTech: sorry about that, I just noticed that FIPS compliance is being set to false for some reason in the .NET 3.5 version. https://github.com/Shazwazza/ClientDependency/blob/e7adbb50f440825754ddcb1ce61b0028dc551f4e/src/ClientDependency.Core/Config/ClientDependencySection.cs#L129

    This is because the config api to read CryptoConfig.AllowOnlyFipsAlgorithms doesn't exist in .NET 3.5.

    You can download the NuGet package (https://www.nuget.org/api/v2/package/ClientDependency/1.9.9) and open it in your favorite ZIP tool. The nupkg file is just a zip file so if you rename it to clientdependency.1.9.9.zip then you can open it.

    From there you can go to the lib folder and use either the net40 or net45 version of the dll, whichever one is appropriate for your setup. Those two are FIPS compliant!


  • Chris Kim 32 posts 154 karma points c-trib
    22 days ago
    Chris Kim
    0

    We have a shared server with a number of Umbraco sites hosted on it. For the security patch in September 2018 I wrote a PowerShell script to automate replacing the dll and deleting the cached files. Luckily I could just reuse the script for this new patch.

    Here it is if anyone is in a similar situation.

    You need to have the new dll in the same directory as the powershell script (save it as a .ps1). Run PowerShell with Administrator rights to have access to IIS, you may also need to modify your execution policy (ask Google).

    It grabs all started sites from IIS, checks if they are umbraco sites (by looking for the folder "umbraco"), then checks if they are using a different version of the dll, if so replaces it and deletes the cache folder(s). I note that the new security advisory recommends backing up the cache folder to check for any data breaches - this script does NOT do that, it just deletes them.

    After each site it has actioned, it asks you to confirm with Enter. I wrote it that way as the sites restart immediately and if there are lots of sites this could max out the CPU on the server, so just keep an eye on CPU and do a few at a time.

    Obviously use at your own risk, so please make sure you understand what the script does.

    Script has been used with Umbraco 7 and 8.

    Import-Module WebAdministration
    
    # copy the current version of ClientDependency.Core.dll into the folder that this script is executed in!
    $UpdatedCdPath = Join-Path $PSScriptRoot 'ClientDependency.Core.dll'
    $UpdatedCdVersion = (Get-Item $UpdatedCdPath).VersionInfo.FileVersion
    
    # IIS often stores physical paths with environment variables (e.g. %SystemDrive%), expand them before use
    function GetSitePath([parameter(Mandatory=$true)]$website)
    {
        return [Environment]::ExpandEnvironmentVariables($website.physicalPath)
    }
    
    # A site counts as an Umbraco site when an "umbraco" folder exists in its root
    function GetCms([parameter(Mandatory=$true)]$website)
    {
        if (Test-Path $(Join-Path $(GetSitePath $website) "umbraco/"))
        {
            return "umbraco"
        }
        else
        {
            return "other"
        }
    }
    
    # Read the Umbraco version from appSettings (inline in web.config or via configSource)
    function GetUmbracoVersion([parameter(Mandatory=$true)]$website)
    {
        $umbracoVersion = ""
        $sitePath = GetSitePath $website
        $webConfigPath = Join-Path $sitePath "web.config"
        if(Test-Path $webConfigPath)
        {
            [xml]$webConfig = Get-Content -Path $webConfigPath
            if($webConfig.configuration.appSettings)
            {
                $appSettings = $webConfig.configuration.appSettings
                if($appSettings.configSource)
                {
                    [xml]$appSettingsXml = Get-Content -Path $(Join-Path $sitePath $appSettings.configSource)
                    $appSettings = $appSettingsXml.appSettings
                }
                foreach($setting in $appSettings.add)
                {
                    # Umbraco 7 uses umbracoConfigurationStatus, Umbraco 8 uses Umbraco.Core.ConfigurationStatus
                    If($setting.key -eq "umbracoConfigurationStatus" -or $setting.key -eq "Umbraco.Core.ConfigurationStatus")
                    {
                        $umbracoVersion = $setting.value
                    }
                }
            }
        }
        return $umbracoVersion
    }
    
    # Delete every file below a cache folder, if the folder exists at all
    function ClearCacheFolder([parameter(Mandatory=$true)]$folder)
    {
        if(Test-Path $folder)
        {
            Get-ChildItem -Path $folder -File -Recurse | ForEach-Object { $_.Delete() }
        }
    }
    
    function UpdateClientDependency([parameter(Mandatory=$true)]$website, $item)
    {
        $sitePath = GetSitePath $website
        $clientDependencyPath = Join-Path $sitePath "bin\ClientDependency.Core.dll"
        if(Test-Path $clientDependencyPath)
        {
            $item.CdVersionPre = (Get-Item $clientDependencyPath).VersionInfo.FileVersion
            if($item.CdVersionPre -ne $UpdatedCdVersion)
            {
                $binFolder = Join-Path $sitePath "bin"
                #Copy-Item $UpdatedCdPath -Destination $binFolder -WhatIf
                Copy-Item $UpdatedCdPath -Destination $binFolder
    
                # NOTE: the cache folders are deleted, not backed up - copy them elsewhere first if you want to inspect them
                $tempFolder = Join-Path $sitePath "App_Data\TEMP\ClientDependency"
                ClearCacheFolder $tempFolder
                $item.TempFolderItems = (Get-ChildItem -Path $tempFolder -ErrorAction SilentlyContinue | Measure-Object).Count
    
                # some sites seem to have this folder as well
                ClearCacheFolder $(Join-Path $sitePath "App_Data\ClientDependency")
    
                $item.CdVersionPost = (Get-Item $clientDependencyPath).VersionInfo.FileVersion
    
                Read-Host "Updated $($website.name). Press ENTER to continue..."
            }
        }
    }
    
    function PatchWebsites()
    {
        $list = @()
        foreach ($webapp in Get-ChildItem IIS:\Sites\)
        {
            if((GetCms $webapp) -eq "umbraco")
            {
                $item = @{}
                $item.WebAppName = $webapp.name
                $item.CmsVersion = GetUmbracoVersion $webapp
                UpdateClientDependency $webapp $item
    
                $list += New-Object PSObject -Property $item
            }
        }
        return $list
    }
    
    $websites = PatchWebsites
    
    $websites | Format-Table WebAppName,CmsVersion,CdVersionPre,CdVersionPost,TempFolderItems -AutoSize
    
  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    22 days ago
    Sebastiaan Janssen
    1

    As for the TEMP folder location, Kevin's package source gives us the correct way to find it. Unfortunately, the package currently has no files so we can't use it for now.

    I've whipped up a little class you can drop into App_Code with 3 WebApi endpoints: https://gist.github.com/nul800sebastiaan/2dfb053cc5523e735e48afbed456f091

    https://{yoursite}/Umbraco/Api/TempFile/GetCDFFiles

    Lists all the ClientDependency TEMP directory and all the files in it.


    https://{yoursite}/Umbraco/Api/TempFile/GetCDFTempFiles

    Zips and downloads all the files in the ClientDependency TEMP directory


    https://{yoursite}/Umbraco/Api/TempFile/DeleteCDFTempFiles

    Deletes all the files in the ClientDependency TEMP directory and lists the files that have been deleted.


    ⚠⚠⚠ Warning: these are PUBLIC endpoints that anybody can use!

    Make sure to delete the file from App_Code once you're done!

  • Kevin Jump 1674 posts 10587 karma points MVP 3x c-trib
    21 days ago
    Kevin Jump
    0

    Hi,

    I've added a packaged version of the health check now, if someone wants it.

    https://our.umbraco.com/packages/developer-tools/health-check-for-client-dependency-framework/

  • Chris Kim 32 posts 154 karma points c-trib
    21 days ago
    Chris Kim
    0

    It's worth noting that this requires a reference to System.IO.Compression.FileSystem in the project, which our 7.13 project where I just tried to use this didn't have.

  • Kevin Jump 1674 posts 10587 karma points MVP 3x c-trib
    21 days ago
    Kevin Jump
    0

    Hi, you might have installed the v8 one ? There is a v7 and v8 version.

  • Chris Kim 32 posts 154 karma points c-trib
    21 days ago
    Chris Kim
    0

    Sorry Kevin, that was in response to the class that Sebastiaan Janssen posted in his gist.

  • Christian A 23 posts 96 karma points c-trib
    22 days ago
    Christian A
    0

    We have a few old solutions running Umbraco 7.2.4. Installing the DLL and wiping the ClientDependency folder resulted in Umbraco backoffice not loading, with the following Javascript error:


  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    21 days ago
    Sebastiaan Janssen
    0

    @Christian - no such problem here. Did you scroll through the older forum topic? Might be a problem with nuPickers or Multi URL picker?


  • Christian A 23 posts 96 karma points c-trib
    21 days ago
    Christian A
    0

    Hello Sebastiaan,

    Yes, I scrolled through all feedback that has been posted so far. It works perfectly on all the newer solutions, but all the 7.2.x ones get exactly the same error. Must be some custom code somewhere that breaks it then.

    Will have to investigate further then. Thanks for looking into it anyway.

  • Darren Ferguson 1022 posts 3258 karma points MVP c-trib
    22 days ago
    Darren Ferguson
    0

    Don't you need to update your advisory - you are just directing everyone to the ~/App_Data folder.

    As discussed here - that isn't always where the files are - sometimes they will be placed in your environment temp directory - and you can also configure this.

    The advisory should probably be updated - to detail how to find your client dependency generated files. There is a link to this thread, but I think it is a bit of a stretch to imagine that everyone will follow through and find the details above.

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    21 days ago
    Sebastiaan Janssen
    0

    Yep thanks Darren, I don't have the rights to edit the blog any more so I had to wait for some help. It's linking here now for more info.

  • Wayne 6 posts 76 karma points
    21 days ago
    Wayne
    0

    Hi all,

    Just seen the post on the update.

    Could someone please help on confirming my steps to update my site.

    I'm running Umbraco 7.8.1.

    Are these steps correct

    • Download dll (http://umbracoreleases.blob.core.windows.net/securitypatches/ClientDependency.Core.dll.1.9.9.zip) and paste into bin directory of my Umbraco CMS, and replace the old client dependency dll with the new one.

    • Stage, check-in and push new dll to source control

    • Delete ~/App_Data/Temp/ClientDependency

    Thanks,

    Wayne

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    21 days ago
    Sebastiaan Janssen
    0

    Sounds good Wayne. Before deleting the TEMP files, you may want to check whether any of the cached files look suspicious (a sign of a breach).

  • Elitenet 131 posts 479 karma points
    21 days ago
    Elitenet
    0

    @Seb, how do you check for breaches? Everything in the files seems to be encrypted...

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    21 days ago
    Sebastiaan Janssen
    2

    I don't have a comprehensive guide for you I'm afraid. All of the files in the TEMP folder can be opened in 7zip and the inner file can be extracted. The inner files are plain text and should only contain Javascript and CSS. As soon as you see things that look like anything else you should be worried.
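
The manual check described above (open each cached file with an archive tool and confirm the inner content is only JavaScript or CSS) gets tedious on a large cache, so here is an added example that automates the triage; it is not from the thread or from the ClientDependency project. It assumes each cache entry can be opened as gzip, zlib or zip (anything else is read as plain bytes); the marker list and the sample file names are constructed heuristics of mine, so a hit means "open that file by hand", not proof of a breach.

```python
import gzip
import io
import os
import tempfile
import zipfile
import zlib

# Constructed heuristic markers: none of these belong in a cache entry that holds
# only JavaScript or CSS. A hit means "open it and look", not proof of a breach.
SUSPICIOUS_MARKERS = {b"<%": "asp-markup", b"<?php": "php-tag",
                      b"<html": "html-document", b"\x00": "nul-byte"}

def _unzip(data: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return b"".join(zf.read(name) for name in zf.namelist())

def decode_entry(data: bytes):
    """Open the containers an archive tool would (gzip, zlib, zip); else keep raw bytes."""
    for name, opener in (("gzip", gzip.decompress), ("zlib", zlib.decompress), ("zip", _unzip)):
        try:
            return name, opener(data)
        except (OSError, EOFError, zlib.error, zipfile.BadZipFile):
            continue
    return "raw", data

def inspect_entry(data: bytes) -> dict:
    """Decode one cache entry and list which markers its content contains."""
    container, content = decode_entry(data)
    found = sorted(label for marker, label in SUSPICIOUS_MARKERS.items() if marker in content)
    return {"container": container, "size": len(content), "suspicious": found}

def scan_cache(folder: str) -> list:
    """Walk a ClientDependency TEMP folder and inspect every file below it."""
    results = []
    for root, _, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                results.append(dict(inspect_entry(fh.read()), path=path))
    return results

# Constructed sample entries (names made up) standing in for real cache files.
SAMPLE_JS_GZIP = gzip.compress(b"var a = 1; document.title = 'ok';\n")
SAMPLE_ASPX_RAW = b'<%@ Page Language="C#" %><% Response.Write("x"); %>\n'
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("inner.css", "body { margin: 0; }\n")
SAMPLE_CSS_ZIP = _buf.getvalue()

def demo() -> list:
    """Write the samples into a temporary folder and scan it as if it were the cache."""
    with tempfile.TemporaryDirectory() as folder:
        for name, data in (("a1.js", SAMPLE_JS_GZIP), ("b2.css", SAMPLE_CSS_ZIP), ("c3.js", SAMPLE_ASPX_RAW)):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return scan_cache(folder)

if __name__ == "__main__":  # on a server: scan_cache(r"C:\site\App_Data\TEMP\ClientDependency")
    for entry in demo():
        print(os.path.basename(entry["path"]), entry["container"], entry["size"], entry["suspicious"] or "clean")
```

Point scan_cache at the folder named by mapPath in ClientDependency.config (or the %TEMP% location when local temp storage is configured) and review every entry whose "suspicious" list is not empty.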

  • Elitenet 131 posts 479 karma points
    20 days ago
    Elitenet
    0

    Works. I renamed the files to .zip and extracted, they were just filled with javascript. No compromising content.

  • Wayne 6 posts 76 karma points
    21 days ago
    Wayne
    0

    Cool, will do, was just double-checking committing the dll to source control.

    Thanks,

    Wayne

  • Anthony Edge 19 posts 53 karma points
    21 days ago
    Anthony Edge
    0

    I could have sworn the original post mentioned deleting all files in ~/AppData/ClientDependency or ~/AppData/Temp/ClientDependency after the BIN file upgrade. But I don't see that advice anymore. Is it still current?

  • Sebastiaan Janssen 4876 posts 14511 karma points MVP admin hq
    20 days ago
    Sebastiaan Janssen
    0

    Anthony: we corrected that soon after you asked, thank you - that was accidentally removed! I forgot to reply here.

    I will make sure I have blog editing rights for future security problems since going through an intermediary this time has not been very efficient.
