Anatomy of a Sitecore bug (and some things that all of us developers must learn) 04 februar 2017 Allan C#, Sitecore Recently Sitecore published the following critical report https://kb.sitecore.net/articles/039942 including a fix. Sitecore has rightly marked it as critical as the result of the bug actually is that all contents of the website can be downloaded by simply specifying a custom crafted url. I will not post the format of the url but will only describe why some of the checks that where done in the code failed to ensure that this could not happen. In order to make this exploit work 4 problems exists and used together they result in this critical issue. Problem 1 The first problem (which is the usual case with many bugs of the same kind) is that url’s are not treated with proper respect. Whenever you ask for System.Web.HttpContext.Current.RawUrl Then you get exactly what you ask for. You get the url from the browser including everything in it (except for any #-element prepended to the url, which is a browser only element). This usually is not a problem but when you consider that an url can contain the following characters []~:// in the url part you might want to reconsider how you use the raw url. Solution The solution is to never trust the input you get in an URL-request and to further help you, you should never parse url strings on your own but instead you should rely on the .NET framework to retrieve the various parts of the url depending on what you need to do. This is no garantee to be flawless but it will definitely increase your chances that someone else has handled that edge case scenario, that you forgot to think of. Problem 2 The second problem is a more global issue, but it falls along the same line as problem 1. You should never make assumptions about what your method input is supposed to be like and then just continue if something is not as expected. This means that if you have a method that expects an input string of “somevalue/someothervalue”, and you want to trim the part of “somevalue” and remove that from the beginning of the string. Then you need to consider how to do it. Do you just call inputstring.Replace(“somevalue”, “”) or inputstring.SubString(inputstring.IndexOf(“somevalue”)) or inputstring.Split(new string[] { "somevalue"}, StringSplitOptions.RemoveEmptyEntries)[0] or something completely different. No matter the path you choose you need to be aware of the sideeffects of the methods. What happens if the string is not at the beginning or it appears twice, then how will your logic react. So you need to make sure that your assumptions about your input is correct. Solution If you do not fully trust the input for you method you need to test it and make sure that all the assumptions that you have about your input is correct. In this case test your input to make sure it matches your assumptions, and then fail if your assumptions are not met or otherwise act accordingly. Problem 3 The third problem is related to making assumptions about the world around you based on only partial knowledge and then trying to create your own logic to ensure that your assumptions are correct. As an example if you have a method that takes an url-string as input, and you want to see if it is an external absolute url or relative url. Then first of all you need to watch out for problem number 2 and make sure that your assumptions about your input is correct. Secondly you need to find out which logic you which to use to figure out what you want to know. One way to test if the url is external could be by testing if it contains the string ://, this would work for http://example.com and for /samplepage.html providing the correct result. But what happens if the url is /samplepage.html?://, then your rule would provide the wrong answer. So that means that if you want a valid result at all times you need to introduce more rules. Solution The solution in this case is again to rely on pre-existing methods as much as possible. If the .NET framework contains some logic that can help you out, then you should use it. In this case something simple as new Uri(path, UriKind.RelativeOrAbsolute).IsAbsoluteUri could be used. That way if a bug is found in the framework there is a great chance the it will be fixed in the next framework update. Problem 4 The fourth problem is related to making generic methods too generic and thereby exposing too much. In the case of of this Sitecore bug, the problem is well-known as directory-traversal. It simply allows you to use a generic method to navigate out scope and for websites out of scope means accessing files that you are not supposed to access. Solution Be very careful when creating generic methods and ensure that even though they are generic, you need to enforce some limits on scope. The Fix Eventually what has been fixed in the Sitecore update is problem number 4, where scopes have been introduced to ensure that only a very specific set of files can be retrieved and thus limiting the bug. This in turn makes all the other problems irrelevant in this particular scenario as the solution to problem 4 is a final block and thus mitigates the errors introduced by the other problems. But this is a typical bug where several methods that are being misused in combination can result in a serious issue. Therefore you must always think about every component that you code, because if any of theses bugs had not existed there would not have been a problem and all parts of the code are relevant in a security perspective to act as expected.
Virtual Sitecore users and editorlicenses 27 juli 2011 Allan CMS, Sitecore As you may have read previously I just got Sitecore Xpress running as my new website. This was all fine and I have even configured it to use my own SSO solution (which I will discuss in another post), but suddenly I encountered a strange problem. I suddenly started experiencing issues when both my wife and I wanted to edit content at the same time. I had set up my login routine to use my SSO solution and then build a virtual user and login this virtual user to Sitecore and all was fine. I used the following snippet to login my virtual user Sitecore.Security.Accounts.User virtualUser = Sitecore.Security.Authentication.AuthenticationManager.BuildVirtualUser("sitecore\\" + user.Username, true); virtualUser.RuntimeSettings.IsAdministrator = user.IsAdministrator; Sitecore.Security.UserProfile profile = virtualUser.Profile; profile.FullName = user.Username; profile.IsAdministrator = virtualUser.RuntimeSettings.IsAdministrator; profile.Save(); Sitecore.Security.Authentication.AuthenticationManager.Login(virtualUser.Name); Response.Redirect("~/sitecore", true); where the user object is my user gained from SSO. But what we suddenly experienced was a continous loop from the login page to /sitecore back to the login page, which returned to /sitecore and so forth untill the browser eventually gave up. I started debugging and could see that my user was logged in correctly and was a Sitecore administrator, but still the redirect occurred. So I didn't know what was happening and it all seemed very strange. I tried to remove my SSO solution and used the regular Sitecore login page, and suddenly it became clear what the problem was. My Sitecore Xpress license is limited to only 1 Sitecore editor, so once I attempted to login another user (even just another browser), this user was just sent back to the login page. Here I just checked to see if the user was logged in (which he was) and then returned to /Sitecore, which then did a license verification to see if the content editor was accessible. So after having spent some hours trying to figure out what was going on, I then added the following lines to my login page if (!Sitecore.Web.Authentication.DomainAccessGuard.IsNewUserAllowed()) { Response.Redirect("/sitecore/shell/Applications/Login/Users/Users.aspx?su=/sitecore", true); } and suddenly everything made more sense. Now if my wife was logged on I was sent to a page where I could log her off and then afterwards login correctly. (Thanks to http://istern.dk/blog/2010/6/7/usersessions-in-sitecore-(logout-users-from-backend).aspx for showing me where to look in the Sitecore API for this information) So this is a small gotcha when working with Virtual users, since you go around the regular Sitecore login there are some things that you still need to test for, and that you need to verify on your own. So the lesson to be learned here, is that if your Sitecore login is not working, first check out your license restrictions before you do anything else. As a small curiosity this license check seemed to be easy to circumvent using a little bit of reflection and setting of private fields, but that would not be the ethical way to go, so instead I will appreciate my solution giving me the option to see why I cannot login and then logout my wife if she is no longer editing in Sitecore.
Running Sitecore 6 on a single database 26 juli 2011 Allan CMS, Sitecore This is a short and simple blog post describing the actions that I took to get Sitecore Xpress running on a single MS SQL database instead of 3 which is default when Sitecore 6 is installed. This was a requirement because my website is running at a webhost where you by default only can have one SQL database. I knew that this was possible since the datastructure of the three databases is the same with the only exception that in the Core database the required tables/procedures used for ASP.NET Profiles is added. I also knew that this would have some consequences for the functionality in Sitecore. The primary missing feature using this procedure is that the normal publishing logic is not supported and the site needs to use the Sitecore live mode. But for my personal site, this was definitely a feature that I could live without. I'm bound to find that more features are unavailable as I progress on my adventure, but so far I just need the basic editing functionality, and that is running smoothly now. But to get straight to the point I took the following steps. Downloaded and installed the Sitecore Xpress solution Then I simply deleted the master database and the webdatabase from the sql server just to clean up. As I said before the core database is a bit more special which is why I'm keeping that. Besides the core database also contains everything needed to run the Sitecore editor, which I also wanted. Then I modified the /app_config/connectionstrings.config file, where I deleted the connectionstrings pointing to the master and web database (just to ensure that no references where left behind) Then came the more tricky part. I had to modify the web.config file to remove all references to the two databases that I have deleted. Actually it wasn't that complicated and I only had to make these modifications <IDTable type="Sitecore.Data.$(database).$(database)IDTable, Sitecore.Kernel" singleInstance="true"> <param connectionStringName="master"/> <param desc="cacheSize">500KB</param> </IDTable> was changed to the following so the id table is stored in the core database instead of the master database <IDTable type="Sitecore.Data.$(database).$(database)IDTable, Sitecore.Kernel" singleInstance="true"> <param connectionStringName="core"/> <param desc="cacheSize">500KB</param> </IDTable> Then I simply deleted the following entire section (again just for cleanup) <!-- master --> <database id="master" singleInstance="true" type="Sitecore.Data.Database, Sitecore.Kernel"> <param desc="name">$(id)</param> <icon>People/16x16/cubes_blue.png</icon> <dataProviders hint="list:AddDataProvider"> <dataProvider ref="dataProviders/main" param1="$(id)"> <prefetch hint="raw:AddPrefetch"> <sc.include file="/App_Config/Prefetch/Common.config"/> <sc.include file="/App_Config/Prefetch/Master.config"/> </prefetch> </dataProvider> </dataProviders> <securityEnabled>true</securityEnabled> <proxiesEnabled>false</proxiesEnabled> <publishVirtualItems>true</publishVirtualItems> <proxyDataProvider ref="proxyDataProviders/main" param1="$(id)"/> <workflowProvider hint="defer" type="Sitecore.Workflows.Simple.WorkflowProvider, Sitecore.Kernel"> <param desc="database">$(id)</param> <param desc="history store" ref="workflowHistoryStores/main" param1="$(id)"/> </workflowProvider> <indexes hint="list:AddIndex"> <index path="indexes/index[@id='system']"/> </indexes> <archives hint="raw:AddArchive"> <archive name="archive"/> <archive name="recyclebin"/> </archives> <Engines.HistoryEngine.Storage> <obj type="Sitecore.Data.$(database).$(database)HistoryStorage, Sitecore.Kernel"> <param connectionStringName="$(id)"/> <EntryLifeTime>30.00:00:00</EntryLifeTime> </obj> </Engines.HistoryEngine.Storage> <Engines.HistoryEngine.SaveDotNetCallStack>false</Engines.HistoryEngine.SaveDotNetCallStack> <cacheSizes hint="setting"> <data>20MB</data> <items>10MB</items> <paths>500KB</paths> <standardValues>500KB</standardValues> </cacheSizes> </database> <!-- web --> <!-- REMOVED FOR STARTER KIT <database id="web" singleInstance="true" type="Sitecore.Data.Database, Sitecore.Kernel"> <param desc="name">$(id)</param> <icon>Network/16x16/earth.png</icon> <securityEnabled>true</securityEnabled> <dataProviders hint="list:AddDataProvider"> <dataProvider ref="dataProviders/main" param1="$(id)"> <disableGroup>publishing</disableGroup> <prefetch hint="raw:AddPrefetch"> <sc.include file="/App_Config/Prefetch/Common.config" /> <sc.include file="/App_Config/Prefetch/Web.config" /> </prefetch> </dataProvider> </dataProviders> <proxiesEnabled>false</proxiesEnabled> <proxyDataProvider ref="proxyDataProviders/main" param1="$(id)" /> <archives hint="raw:AddArchive"> <archive name="archive" /> <archive name="recyclebin" /> </archives> <cacheSizes hint="setting"> <data>20MB</data> <items>10MB</items> <paths>500KB</paths> <standardValues>500KB</standardValues> </cacheSizes> </database> --> Then I changed the following reference (I haven't yet decided whether or not to use the search database for anything, so I'm not fully aware of the consequnces of this yet <master type="Sitecore.Search.Crawlers.DatabaseCrawler, Sitecore.Kernel"> <Database>master</Database> <Tags>master content</Tags> </master> to <master type="Sitecore.Search.Crawlers.DatabaseCrawler, Sitecore.Kernel"> <Database>core</Database> <Tags>master content</Tags> </master> Then I removed this agent since my master database is now missing <!-- Agent to process schedules embedded as items in a database --> <agent type="Sitecore.Tasks.DatabaseAgent" method="Run" interval="00:10:00"> <param desc="database">master</param> <param desc="schedule root">/sitecore/system/tasks/schedules</param> <LogActivity>true</LogActivity> </agent> I removed the publish agent (it was already disabled, but I just removed it to do some cleanup, while I was at it) <!-- Agent to publish database periodically --> <agent type="Sitecore.Tasks.PublishAgent" method="Run" interval="00:00:00"> <param desc="source database">master</param> <param desc="target database">web</param> <param desc="mode (full or incremental)">incremental</param> <param desc="languages">en, da</param> </agent> Then I changed the following setting <setting name="Publishing.AutoScheduleSmartPublish" value="true"/>to false (since publishing is not supported for this setup anyhow) And then finally I changed the most important section of it all. The <sites> section. I changed it from <sites> <site name="shell" virtualFolder="/sitecore/shell" physicalFolder="/sitecore/shell" rootPath="/sitecore/content" startItem="/home" language="en" database="core" domain="sitecore" loginPage="/sitecore/login" content="master" contentStartItem="/Home" enableWorkflow="true" xmlControlPage="/sitecore/shell/default.aspx" browserTitle="Sitecore" htmlCacheSize="2MB" registryCacheSize="3MB" viewStateCacheSize="200KB" xslCacheSize="5MB"/> <site name="login" virtualFolder="/sitecore/login" physicalFolder="/sitecore/login" database="core" domain="sitecore"/> <site name="testing" virtualFolder="/sitecore/testing" physicalFolder="/sitecore/testing" rootPath="/sitecore/content" database="master" domain="sitecore" enableWorkflow="true"/> <site name="admin" virtualFolder="/sitecore/admin" physicalFolder="/sitecore/admin" enableWorkflow="true" domain="sitecore" loginPage="/sitecore/admin/login.aspx"/> <site name="service" virtualFolder="/sitecore/service" physicalFolder="/sitecore/service"/> <site name="modules_shell" virtualFolder="/sitecore modules/shell" physicalFolder="/sitecore modules/shell" rootPath="/sitecore/content" startItem="/home" language="en" database="core" domain="sitecore" content="master" enableWorkflow="true"/> <site name="modules_website" virtualFolder="/sitecore modules/web" physicalFolder="/sitecore modules/web" rootPath="/sitecore/content" startItem="/home" language="en" database="web" domain="extranet" allowDebug="true" cacheHtml="true"/> <site name="website" virtualFolder="/" physicalFolder="/" rootPath="/sitecore/content" startItem="/home" database="web" domain="extranet" allowDebug="true" cacheHtml="true" htmlCacheSize="10MB" registryCacheSize="0" viewStateCacheSize="0" xslCacheSize="5MB" filteredItemsCacheSize="2MB" enablePreview="true" enableWebEdit="true" enableDebugger="true" disableClientData="false"/> <site name="scheduler" domain="sitecore"/> <site name="system" domain="sitecore"/> <site name="publisher" domain="sitecore" enableWorkflow="true"/> </sites>to the following, where the major differences just are related to modifying the setup of the various sites, so they read from the core database instead of their default database. Also the website-site has the filterItems set to true in order to simulate the publishing logic, so that I can have pages that are not published. Also the startitem for the website-site was also changed to /default instead /home, since /home is already in use in the core database to support the content editor <sites> <site name="shell" virtualFolder="/sitecore/shell" physicalFolder="/sitecore/shell" rootPath="/sitecore/content" startItem="/home" language="da" database="core" domain="sitecore" loginPage="/sitecore/login" content="core" contentStartItem="/default" enableWorkflow="false" xmlControlPage="/sitecore/shell/default.aspx" browserTitle="Sitecore" htmlCacheSize="2MB" registryCacheSize="3MB" viewStateCacheSize="200KB" xslCacheSize="5MB"/> <site name="login" virtualFolder="/sitecore/login" physicalFolder="/sitecore/login" database="core" domain="sitecore"/> <site name="testing" virtualFolder="/sitecore/testing" physicalFolder="/sitecore/testing" rootPath="/sitecore/content" database="core" domain="sitecore" enableWorkflow="true"/> <site name="admin" virtualFolder="/sitecore/admin" physicalFolder="/sitecore/admin" enableWorkflow="false" domain="sitecore" loginPage="/sitecore/login"/> <site name="service" virtualFolder="/sitecore/service" physicalFolder="/sitecore/service"/> <site name="modules_shell" virtualFolder="/sitecore modules/shell" physicalFolder="/sitecore modules/shell" rootPath="/sitecore/content" startItem="/home" language="en" database="core" domain="sitecore" content="master" enableWorkflow="true"/> <site name="modules_website" virtualFolder="/sitecore modules/web" physicalFolder="/sitecore modules/web" rootPath="/sitecore/content" startItem="/default" language="da" database="core" domain="extranet" filterItems="true" allowDebug="true" cacheHtml="true"/> <site name="website" virtualFolder="/" physicalFolder="/" rootPath="/sitecore/content" startItem="/default" database="core" domain="extranet" allowDebug="true" cacheHtml="true" content="core" contentStartItem="/default" htmlCacheSize="10MB" registryCacheSize="0" viewStateCacheSize="0" xslCacheSize="5MB" filteredItemsCacheSize="2MB" enablePreview="true" enableWebEdit="true" enableDebugger="true" disableClientData="false" filterItems="true"/> <site name="scheduler" domain="sitecore"/> <site name="system" domain="sitecore"/> <site name="publisher" domain="sitecore" enableWorkflow="true"/> </sites> As a final step I created a new "Home" node in the core database, that I called "Default" (which is referenced in the <sites> section), and then I was good to go and could build up my new site So as simple as that I now have my Sitecore solution running on just a single database. Rather then modifying the actual web.config I could have used the /app_config/include folder instead and create a modification configuration file, but that I guess is a task left up to the reader. As I progress and extend my solution I will try to keep you posted on my blog as to what my experiences are with this customized solution
Picking the right CMS 26 juli 2011 Allan CMS, Sitecore I have a personal website hosted on http://a-dahl.dk. This should just be a very simple easy maintab [More]