  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 08:30
    Sebastiaan Janssen
    6

    Questions About ClientDependency Security Advisory Feb2017

    If you have questions about today's security advisory, please ask here and we'll get back to you ASAP.

  • Rob Watkins 343 posts 593 karma points
    Feb 16, 2017 @ 10:11
    Rob Watkins
    2

    Can you give us a bit more info on what can be exposed? Could it include login info / config files?

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 10:16
    Sebastiaan Janssen
    2

    We are keeping the details vague to give people a chance to update and to prevent making it easy for bad actors.

  • Rob Watkins 343 posts 593 karma points
    Feb 16, 2017 @ 10:18
    Rob Watkins
    1

    Okay np, thought that might be the case!

  • Rob Brown 1 post 71 karma points
    May 01, 2017 @ 18:54
    Rob Brown
    0

    I have made a tester for the issue on my blog. I'm happy to link to it if allowed here?

  • Mark Bagnall 1 post 71 karma points
    Feb 16, 2017 @ 10:27
    Mark Bagnall
    0

    Hi, Is the problem an issue with ClientDependency itself, or the combination of Umbraco and ClientDependency?

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 10:29
    Sebastiaan Janssen
    0

    It is an issue purely in the ClientDependency framework. But since this library is required by Umbraco (we use it a lot in the backoffice), it affects Umbraco installs.

  • Jason Harris 2 posts 72 karma points
    Feb 16, 2017 @ 11:02
    Jason Harris
    0

    Hi! We have Umbraco 6.1.6 with ClientDependency.Core of 1.7.0.4.

    The update states the new version is fully compatible with 1.8.2.1. Will 1.8.3.1 be fully compatible with 1.7.0.4 as well?

    Thanks!

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 11:08
    Sebastiaan Janssen
    0

    There shouldn't be any problem updating from 1.7.0.4. Always make sure to test the update locally first though.

  • Jason Harris 2 posts 72 karma points
    Feb 16, 2017 @ 11:09
    Jason Harris
    0

    Thanks Sebastiaan. :-)

  • Jan Molbech 18 posts 109 karma points
    Feb 16, 2017 @ 12:57
    Jan Molbech
    0

    I've tried to update from 7.4.1 but now I get an error regarding UmbracoDefaultOwinStartup.

    We've overridden the Configuration method, but now we get the following error:

    Error   CS0246  The type or namespace name 'UmbracoDefaultOwinStartup' could not be found (are you missing a using directive or an assembly reference?)

    We are referencing Umbraco.Web, but this reference is apparently no longer used (since it's greyed out in Visual Studio).

    What to do?

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 13:02
    Sebastiaan Janssen
    0

    Hi Jan, this doesn't seem to have anything to do with updating the ClientDependency.Core.dll - I suggest you create a new topic for this problem.

  • Phill 115 posts 288 karma points
    Feb 16, 2017 @ 13:33
    Phill
    0

    Hi there,

    Tried to copy file over to bin on a 6.1.6 site and get the following error: Could not load file or assembly 'ClientDependency.Core - Copy' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)

    Site is running .net 40 but I tried .45 and .35 as well just to be safe and same error on all 3. What am I missing?

    Thanks, Phill

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 13:34
    Sebastiaan Janssen
    0

    It seems you have a ClientDependency.Core - Copy.dll next to your ClientDependency.Core.dll?

  • Phill 115 posts 288 karma points
    Feb 16, 2017 @ 14:18
    Phill
    1

    You are correct, that'll teach me for making an overly quick backup :) Thanks for pointing that out, I didn't even notice the "-Copy" in the error.

    Thanks again.

  • Phil Dye 147 posts 302 karma points
    Feb 16, 2017 @ 14:48
    Phil Dye
    0

    I appreciate you may not be able to answer this, but is the risk only to a single site being exploited, or all sites on a server that also hosts a vulnerable site?

    We're trying to work out if we need to update all sites on a shared-hosting platform, or can prioritise "more important" ones.

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 15:17
    Sebastiaan Janssen
    0

    In principle the risk is a per-site risk; it doesn't necessarily bleed into other sites on the server. However, if one site gets hacked then there's no telling what the bad actor could do with the information gained from a hack. So I would recommend prioritizing all of them as "more important". :)

    Sorry, wish I had better news.

  • Rody van Sambeek 63 posts 178 karma points
    Feb 16, 2017 @ 15:48
    Rody van Sambeek
    0

    Are previously updated sites also vulnerable?

    For example, when I have a website on Umbraco 7.1.2 and later updated this website to 7.5.9, the App_Data ClientDependency folders are not cleaned, right? So is it necessary to clean the ClientDependency folders also for sites that were ever on a version before 7.2.2?

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 15:55
    Sebastiaan Janssen
    0

    Make sure to check your ClientDependency.Core.dll version to make sure it's correct.

    This is a good point though: if a bad actor has managed to extract private info out of your site, it might have been cached. I would indeed advise upgraders to clear the App_Data ClientDependency folders.

    I'll check how long caches are being kept around.

    I'll update the blog post to make sure.

  • Gerard 20 posts 77 karma points
    Feb 16, 2017 @ 18:25
    Gerard
    2

    Just to be sure:

    I also have "ClientDependency.Core.Mvc.dll" in my bin-folders.

    This is not affected or should be updated?

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 19:05
    Sebastiaan Janssen
    1

    Only ClientDependency.Core.dll is affected.

  • Ismael 65 posts 337 karma points
    Feb 16, 2017 @ 18:54
    Ismael
    0

    Hi,

    The NuGet update removed this line from the web.config:

    <clientDependency configSource="config\ClientDependency.config" />

    Can I add it back in or was that part of the security issue? Just in terms of refreshing, I would normally bump the version in that file but now the version is stored in the web.config.

    Cheers

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 16, 2017 @ 19:07
    Sebastiaan Janssen
    0

    You can add it back, shouldn't be removed. Make sure to delete the cached clientdependency files in App_Data.

  • Andrew Lansdowne 39 posts 120 karma points
    Feb 17, 2017 @ 15:46
    Andrew Lansdowne
    0

    Same happened for me, the NuGet update will replace the Umbraco config line with a generic one.

    Please update the nuget instructions to say revert the web.config changes after doing the update.

    Otherwise it won't be using the umbraco ClientDependency.config file at all!

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 20, 2017 @ 12:31
    Sebastiaan Janssen
    0

    the nuget update will replace the Umbraco config line with a generic one.

    Can you explain what got replaced with what? This doesn't ring a bell. Happy to update the instructions once I understand what the problem is!

  • Andrew Lansdowne 39 posts 120 karma points
    Feb 21, 2017 @ 09:29
    Andrew Lansdowne
    0

    Hi Sebastiaan,

    I could send you a diff. But on Umbraco version 6.2.5 it did the following:

    Replaced

    <clientDependency configSource="config\ClientDependency.config" />

    with

    <clientDependency version="1">
      <!-- Full config documentation is here: https://github.com/Shazwazza/ClientDependency/wiki/Configuration -->
    </clientDependency>

    Added to <system.web><pages>:

    <namespaces>
      <add namespace="ClientDependency.Core" />
    </namespaces>

    Replaced

    <add verb="*" path="DependencyHandler.axd" type="ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core " />

    with

    <add verb="GET" path="DependencyHandler.axd" type="ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core " />

    Added to <handlers>:

    <remove name="DependencyHandler" />
    <add name="DependencyHandler" preCondition="integratedMode" verb="GET" path="DependencyHandler.axd" type="ClientDependency.Core.CompositeFiles.CompositeDependencyHandler, ClientDependency.Core " />

    I just reverted all those changes.

    Thanks, Andy

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 21, 2017 @ 10:53
    Sebastiaan Janssen
    0

    Thank you very much, I've updated the blog post to document this!

  • Nic 3 posts 23 karma points
    Feb 17, 2017 @ 05:48
    Nic
    0

    Hi Sebastiaan,

    We still manage an Umbraco website running version 4.7.1.1.

    Noticed this version didn't appear in your original post. Is that version affected? If so, is it ok to update the ClientDependency.Core.dll to version 1.8.3.1? If not, do you have any suggestion on how to patch it?

    Thanks.

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 17, 2017 @ 07:06
    Sebastiaan Janssen
    0

    Hi Nic, that version should already have been updated 2 years ago :-)

    https://umbraco.com/blog/security-alert-update-clientdependency-immediately/

    So yes, please update it to at least 1.8.3.1. Just replace the dll.

  • Nic 3 posts 23 karma points
    Feb 20, 2017 @ 03:07
    Nic
    0

    Hi Sebastiaan, getting the following error:

    Could not load file or assembly 'ClientDependency.Core' or one of its dependencies. The module was expected to contain an assembly manifest.

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 20, 2017 @ 06:55
    Sebastiaan Janssen
    0

    That usually means that the .net version doesn't match.

  • Nic 3 posts 23 karma points
    Feb 21, 2017 @ 03:31
    Nic
    0

    Yeah, ended up having to upgrade Umbraco to a version that worked.

  • Kim Schurmann 15 posts 135 karma points c-trib
    Feb 17, 2017 @ 12:14
    Kim Schurmann
    0

    Hi there

    Two questions:

    1. Are there any security risk if the backoffice is not publicly available?
    2. Is it compatible with ClientDependency.Core.dll v. 1.5.0.1?

    Thanks in advance!

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 17, 2017 @ 12:51
    Sebastiaan Janssen
    0

    1. Yes
    2. Most likely

  • Kim Schurmann 15 posts 135 karma points c-trib
    Feb 17, 2017 @ 12:52
    Kim Schurmann
    0

    Thank you! :-)

  • Tom 2 posts 72 karma points
    Feb 17, 2017 @ 16:39
    Tom
    0

    We've recently inherited a v6.2 Umbraco site. The security alert lists this as a version that needs to be updated however the version of ClientDependency.Core that is running in the site is 1.8.4.

    I'm guessing that we don't actually need to do anything as the ClientDependency.Core we're upgrading to is 1.8.3.1?

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 20, 2017 @ 12:32
    Sebastiaan Janssen
    0

    1.8.4 is great, no further action needed.

    Umbraco 6.2.x shipped with 1.8.2.1 by default so in your case someone probably updated it to 1.8.4 at some point.

  • Tom 2 posts 72 karma points
    Feb 21, 2017 @ 09:33
    Tom
    0

    Thanks!

  • Kate 2 posts 72 karma points
    Feb 21, 2017 @ 10:29
    Kate
    0

    We are running Umbraco 6.2.6 and after updating the clientdependency package to 1.8.3.1 it has made a few changes to the web.config. Should all the changes to this file be reverted?

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 21, 2017 @ 10:41
    Sebastiaan Janssen
    0

    @Kate Maybe :-)

    What has changed?

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 21, 2017 @ 10:42
    Sebastiaan Janssen
    0

    @Kate Ah, think you have the same as Andrew Lansdowne here: https://our.umbraco.org/forum/using-umbraco-and-getting-started/83994-reserverd#comment-266372

    So yes, those changes can be reverted.

  • Andrew Lansdowne 39 posts 120 karma points
    Feb 21, 2017 @ 10:42
    Andrew Lansdowne
    0

    Yes!

  • Kate 2 posts 72 karma points
    Feb 21, 2017 @ 10:49
    Kate
    0

    Thank you.

  • MatsStam 50 posts 195 karma points
    Feb 23, 2017 @ 10:08
    MatsStam
    0

    Not so much a question, but for other peoples info:

    After I upgraded to the newest clientdependency version (1.9.2.0) it failed to properly handle a JS file missing a semicolon. That was on an Umbraco 7.2.1 site.

    In my specific case it was the MultiUrlPicker.js that lacked a semicolon after the 'use strict' line (line 1 in the file). That broke stuff, so the login page into umbraco backoffice stopped working on my site :)

    So, just an FYI if anyone else has some problems with the newest version of ClientDependencyHandler :)

    /Mats

  • Jørgen Bakke Eriksen 44 posts 94 karma points
    Feb 23, 2017 @ 14:34
    Jørgen Bakke Eriksen
    0

    Updating ClientDependency for many sites

    If you are like us, both a hosting and a web site developing company, you may have both a version control and one or more production servers with several Umbraco sites.

    Like Sebastiaan points out in a comment further below, the ideal approach would be to update version control, then publish the site to the production server.

    With tens, maybe hundreds of sites in both version control and on one or more production servers this may not be the most convenient approach of updating ClientDependency.Core.dll.

    We run on Windows based systems, so I have managed to semi-automate this with the help of Team Foundation Server (TFS) command line commands and PowerShell scripts.

    My approach is:

    1. Update ClientDependency.Core.dll in all bin folders on the production server with new version
    2. Delete all files in App_Data\Temp\ClientDependency
    3. Update all bin folders in version control with new version

    Update production server

    Windows PowerShell convenience scripts for:

    1. replacing all ClientDependency DLLs older than 1.8.3.1 in all bin folders
    2. deleting all files in ClientDependency folders

    under c:\inetpub\sites (adjust for your source folder)

    Disclaimer: use at own risk - check what will be targeted first.

    # Print the version of every ClientDependency.Core.dll found in a bin folder
    gci c:\inetpub\sites -rec -filter bin | where {$_.psiscontainer} | gci |
        where {$_.Name -eq "ClientDependency.Core.dll"} |
        foreach-object { Write-host $_.Fullname $_.VersionInfo.ProductVersion }

    # Replace every copy with a version < 1.8.3.1 with the new version
    # ([version] cast so "1.8.10" style numbers compare numerically, not as text)
    gci c:\inetpub\sites -rec -filter bin | where {$_.psiscontainer} | gci |
        where {$_.Name -eq "ClientDependency.Core.dll"} |
        where {[version]$_.VersionInfo.ProductVersion -lt [version]"1.8.3.1"} |
        foreach-object {
            $target = $_.DirectoryName
            #Write-host $target
            Copy-Item C:\Users\Administrator\Downloads\ClientDependency.Core.1.8.3.1-net40\ClientDependency.Core.dll $target
            #Write-host $_.Fullname $_.VersionInfo.ProductVersion $_.DirectoryName
        }

    # Print all files in ClientDependency cache folders (check this output before deleting)
    gci c:\inetpub\sites -rec -filter ClientDependency | where {$_.psiscontainer} | gci

    # Remove all files in ClientDependency cache folders
    gci c:\inetpub\sites -rec -filter ClientDependency | where {$_.psiscontainer} |
        foreach-object {
            #Write-host $_.Fullname
            $path = $_.Fullname + "\*"
            #Write-host $path
            # -Recurse: cache sub-folders are removed as well instead of triggering a confirmation prompt
            Remove-Item $path -Recurse
        }

    Update Version Control

    Steps:

    1. Get fresh version of ClientDependency.Core.dll for all solutions/projects
    2. Check out for edit
    3. Replace ClientDependency.Core.dll with new version
    4. Check in new version of ClientDependency.Core.dll for all solutions/projects

    First start Developer Command Prompt for VS20XX:

    • Windows button
    • Type "dev"
    • The Developer Command Prompt should appear

    Then change directory to the working folder that your version control files are mapped to:

    • cd c:\Work

    1. Get fresh version

    tf get ClientDependency.Core.dll -recursive

    2. Check out for edit

    tf checkout ClientDependency.Core.dll /recursive

    3. Replace ClientDependency.Core.dll with new version

    Run the PowerShell script above, but this time on your dev server where you have checked out from version control.

    4. Check in new version of ClientDependency.Core.dll
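    An added read-only audit (written for this page; it is not part of Jørgen's post or of Umbraco's tooling) that runs the three checks this thread converges on across every site folder: the dll version against 1.8.3.1, whether the web.config still points at config\ClientDependency.config after a NuGet update, and whether App_Data\Temp\ClientDependency still holds cached files from before the update. It assumes one folder per site under C:\inetpub\sites and that the NuGet package id is ClientDependency; the packages.config check only applies where the site folder is also the project folder.

```powershell
# Added example for this page, not a script from the thread. Assumptions: one folder per
# site under $Root, and the NuGet package id for ClientDependency is "ClientDependency".
param(
    [string]$Root = 'C:\inetpub\sites',
    [version]$MinimumVersion = [version]'1.8.3.1'
)

$report = foreach ($site in Get-ChildItem -Path $Root -Directory) {
    $dll   = Join-Path $site.FullName 'bin\ClientDependency.Core.dll'
    $cfg   = Join-Path $site.FullName 'web.config'
    $cache = Join-Path $site.FullName 'App_Data\Temp\ClientDependency'
    $pkgs  = Join-Path $site.FullName 'packages.config'

    # 1. Is the deployed dll at or above the fixed version? Same [version] cast as the script above.
    $dllVersion = $null
    if (Test-Path $dll) {
        $dllVersion = [version](Get-Item $dll).VersionInfo.ProductVersion
    }
    $dllPatched = ($null -ne $dllVersion) -and ($dllVersion -ge $MinimumVersion)

    # 2. Did a NuGet update swap the Umbraco configSource line for a generic <clientDependency version="1"> block?
    #    If so the site no longer reads config\ClientDependency.config at all.
    $configSourceIntact = $false
    if (Test-Path $cfg) {
        $xml  = [xml](Get-Content -Path $cfg -Raw)
        $node = $xml.configuration.clientDependency
        $configSourceIntact = ($null -ne $node) -and ($node.configSource -eq 'config\ClientDependency.config')
    }

    # 3. Are composite files cached by the old version still present? The thread advises clearing them.
    $cachedFiles = 0
    if (Test-Path $cache) {
        $cachedFiles = (Get-ChildItem -Path $cache -Recurse -File | Measure-Object).Count
    }

    # 4. Only when the site folder is also the project folder: a stale packages.config will restore
    #    the old dll on the next NuGet restore, which is the overwrite caveat raised in the thread.
    $nugetVersion = $null
    if (Test-Path $pkgs) {
        $pkgXml = [xml](Get-Content -Path $pkgs -Raw)
        $nugetVersion = ($pkgXml.packages.package | Where-Object { $_.id -eq 'ClientDependency' }).version
    }

    [pscustomobject]@{
        Site               = $site.Name
        DllVersion         = $dllVersion
        DllPatched         = $dllPatched
        ConfigSourceIntact = $configSourceIntact
        CachedFiles        = $cachedFiles
        NuGetPackage       = $nugetVersion
        NeedsAttention     = (-not $dllPatched) -or (-not $configSourceIntact) -or ($cachedFiles -gt 0)
    }
}

# Sites that still need work are listed first; nothing is modified by this script.
$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

    Run it before and after the replace-and-clear scripts above; a site showing DllPatched true, ConfigSourceIntact true and CachedFiles 0 has had all three follow-ups from this thread applied.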

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 23, 2017 @ 14:37
    Sebastiaan Janssen
    0

    Please note: if you're using NuGet then these updated files WILL be overwritten with vulnerable versions again, so only use the script above if you are:

    1. Not using NuGet
    2. First updating all the NuGet packages for all of these sites before using this script

  • Jørgen Bakke Eriksen 44 posts 94 karma points
    Feb 23, 2017 @ 14:48
    Jørgen Bakke Eriksen
    0

    I made this script for replacing the ClientDependency files on the production server.

    Note that one also has to replace the files in source control, otherwise the production server will be overwritten at the next publish with the old version if the bin folder is included in the version control project.

    We are using Team Foundation Server (TFS). I have just started working on this. If anyone has any input on how to script this (check out ONLY ClientDependency.Core.dll for solutions/projects containing this file, replace, check in) please advise.

    I will post a script if I manage to work out a solution for this.

  • Sebastiaan Janssen 4890 posts 14567 karma points MVP admin hq
    Feb 23, 2017 @ 15:47
    Sebastiaan Janssen
    0

    Ah yes, this is a good point. If you've updated all your sites by only dropping in the new dll then at some point in the future if you deploy to that site from source control again, you may overwrite it with an older version. Always make sure you update both your "deployment source" and the live site (ideally you would deploy from source control to live, like you "normally" would).

  • Jørgen Bakke Eriksen 44 posts 94 karma points
    Feb 24, 2017 @ 10:08
    Jørgen Bakke Eriksen
    0

    Sebastiaan, that is true, but if you have servers like us with tens, maybe hundreds of self hosted sites on one or several servers, publishing a lot of sites from your IDE may not be the most convenient way of updating the websites.

    I have managed to update all files in version control now with the help of the above script. I have also updated the original post to reflect my approach and include steps and commands for updating Team Foundation Server version control.

  • Carsten Nørregaard Panek 29 posts 119 karma points
    Mar 06, 2017 @ 07:06
    Carsten Nørregaard Panek
    0

    We have a customer running Umbraco 4.9.0 and after the update of ClientDependency pages are marked with a star in the backend, even after it has just been published.

    Is that in any way related and how can it be fixed?

  • Carsten Nørregaard Panek 29 posts 119 karma points
    Mar 06, 2017 @ 07:25
    Carsten Nørregaard Panek
    0

    I found a fix here, so the problem is resolved:

    http://issues.umbraco.org/issue/U4-387
