IBuySpy Portal and Portal Starter Kit Security Issue #2


Yesterday we became aware of a security vulnerability in two of our sample applications: the IBuySpy Portal and the Portal Starter Kit. We have temporarily removed the IBuySpy Portal sample download and are actively working on an update. An updated Portal Starter Kit sample (version 1.0b) is now available which fixes the problem for that sample.
This email provides the steps to immediately fix existing sites and mitigate the potential for a malicious attack.
Who is vulnerable?
-- Any version of the VB.NET IBuySpy Portal sample configured to use html forms authentication.
-- Any version of the VB.NET Portal Starter Kit sample configured to use html forms authentication
-- Older pre-ASP.NET V1 versions of the C# IBuySpy Portal sample (specifically for ASP.NET beta1 and beta2) configured to use html forms authentication.
This vulnerability does NOT affect:
-- The VB.NET version of the IBuySpy Portal sample configured to use Windows Authentication
-- The VB.NET version of the Portal Starter Kit sample configured to use Windows Authentication
-- The C# version of the IBuySpy Portal sample released for ASP.NET V1
-- The C# version of the Portal Starter Kit sample
-- The IBuySpy Store sample
-- The Community Starter Kit sample
-- The TimeTracker Starter Kit sample
-- The Report Starter Kit sample
-- The Store Starter Kit sample
Note that this problem is not an ASP.NET product vulnerability or a bug in the ASP.NET Forms Authentication feature. Rather it is a result of a bug in how the forms authentication feature was used in the VB.NET language versions of the IBuySpy Portal and Portal Starter Kit sample applications.
What is the vulnerability?
A malicious user can login as a portal sample administrator and exploit the site by:
-- Altering text and content on the site
-- Creating and Deleting portal users used with the sample's forms authentication system
-- Changing portal user passwords used with the sample's forms authentication system
-- Retrieving user IDs and passwords used with the sample's forms authentication system
The vulnerability specifically *does not* enable the following actions:
-- A hacker *cannot* take over the server (e.g. it does not allow hacker code to be executed on the server)
-- A hacker *cannot* access or compromise Windows usernames or passwords
-- A hacker *cannot* use the vulnerability to initiate a SQL injection attack
How to manually fix the vulnerability?
An updated version of the VB.NET Portal Starter Kit sample (version 1.0b) is now available for download. An updated version of the VB.NET IBuySpy Portal will be posted shortly. If you have an existing installation of the samples, you can immediately fix the problem by performing the following steps:
To fix the SDK VB.NET versions of IBuySpy Portal and the Portal Starter Kit:
1) Open up the admin\Register.aspx file with a text editor
2) Replace the following line of code in the RegisterBtn_Click handler:

If accountSystem.AddUser(Name.Text, Email.Text, Password.Text) Then
with:
If (accountSystem.AddUser(Name.Text, Email.Text, Password.Text) > -1) Then

3) Save the file
4) Log into your Portal site
5) Change your admin password
6) Optional: Instruct registered portal users to change their passwords
To fix the Visual Studio.NET VB.NET versions of IBuySpy Portal and the Portal Starter Kit:
1) Open up the Visual Studio Project found in the directory in which the application was installed.
2) Open the admin\Register.aspx page
3) Switch to the Code Behind view for the page
4) Replace the following line of code in the RegisterBtn_Click handler

If accountSystem.AddUser(Name.Text, Email.Text, Password.Text) Then
with:
If (accountSystem.AddUser(Name.Text, Email.Text, Password.Text) > -1) Then

5) Save the file
6) Rebuild the application (Ctrl-Shift-B)
7) Log into your Portal site
8) Change your admin password
9) Optional: Instruct registered portal users to change their passwords
To fix C# beta versions of the IBuySpy Portal please upgrade to the latest version of the IBuySpy portal.
We sincerely apologize for the inconvenience that this has caused,
- Scott
0
scottgu
6/7/2003 4:27:46 PM
asp.net.portal-starter-kit
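Added example, not the sample's or the ASP.NET team's code: a Python model of the Register.aspx logic that the steps in Scott's post patch. Python treats -1 as true exactly as VB.NET's `If n Then` does, so the model reproduces the unpatched and patched checks faithfully; the in-memory Users table, the account names and the assumption that the success branch issues the forms-authentication ticket for the submitted e-mail are constructed for the example.

```python
# Model of RegisterBtn_Click (added example, not the sample's own code).
# The VB.NET sample's AddUser returns the new UserID, or -1 when the e-mail
# is already registered. Both VB.NET ('If n Then') and Python ('if n:')
# treat -1 as true, so the unpatched check takes the success branch on a
# duplicate e-mail. Assumption: the success branch issues the forms-auth
# ticket for the submitted e-mail, as the registration page does.

def add_user(users: dict, name: str, email: str, password: str) -> int:
    """Mirror of the sample's AddUser: -1 if the e-mail exists, else the new UserID."""
    if email in users:
        return -1                          # duplicate e-mail, nothing inserted
    next_id = max((u["id"] for u in users.values()), default=0) + 1
    users[email] = {"id": next_id, "name": name, "password": password}
    return next_id


def register_vulnerable(users: dict, name: str, email: str, password: str) -> dict:
    """Unpatched handler: 'If accountSystem.AddUser(...) Then'."""
    if add_user(users, name, email, password):       # -1 is truthy: the bug
        return {"signed_in_as": email}               # ticket for an existing account
    return {"signed_in_as": None}


def register_fixed(users: dict, name: str, email: str, password: str) -> dict:
    """Patched handler: 'If (accountSystem.AddUser(...) > -1) Then'."""
    if add_user(users, name, email, password) > -1:  # only a real UserID passes
        return {"signed_in_as": email}
    return {"signed_in_as": None}


def demo() -> tuple:
    """Run both handlers against a constructed Users table holding one admin account."""
    users = {"admin@example.com": {"id": 1, "name": "admin", "password": "secret"}}
    before = register_vulnerable(dict(users), "x", "admin@example.com", "anything")
    after = register_fixed(dict(users), "x", "admin@example.com", "anything")
    return before["signed_in_as"], after["signed_in_as"]


if __name__ == "__main__":
    print(demo())   # ('admin@example.com', None)
```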

Scott - I hope you don't mind me adding to this - and thanks for your comprehensive clarification of what is and is not possible with this

Every portal install has the 'guest', 'guest' admin user installed by default - it should be a matter of course for any installation to immediately enter the admin system and remove or downgrade this user and create a specific 'unique' admin user account or accounts
There is a healthy list of BugFixes available at Steve Smith's ASPSmith site
____________________________________________________________
Q: BUG FIX: RequiredFieldValidator in EditAnnouncements.aspx fails if Description contains a Newline Character

Q: BUG FIX: Cannot Logout and Log Back In

Q: BUG FIX: Using Caching Shows The Same Module In All Positions

Q: BUG FIX: Any Registered User Can Act As Admin

Q: BUG FIX: Can Register Multiple Users with the same Email Address

Q: BUG FIX: Registration failure is not detected when email address is not unique

Q: BUG FIX: ViewDocument.aspx page returning "FileName" is an invalid column. Fixed in RTM VSCS

Q: BUG FIX: Deleting ContentType, ContentSize in Documents table by editing other fields Tested on RTM VSCS

Q: BUG FIX: Security bug in IBS B2

Q: BUG FIX: In the B2 version of the portal, any user can download documents from the Documents module regardless of if they can see that module or tab. Tested on RTM VSCS 1 Dependancy In-Line

Q: BUG FIX: Why don't my DesktopModuleTitle properties get set when I set them in an event handler?

Q: BUG FIX: Links module bug: BC30390: 'ASPNetPortal.Links.linkImage' is Private, and not accessible in this context.

Q: BUG FIX: Documents Module Downloads Display "ViewDocument.aspx" as filename for all files uploaded to database.Confirmed Exists in v1.0 of Portal

Q: BUG FIX: When I deploy to a root web, how do I get my links to work correctly (Request.ApplicationPath doesn't work)?

Q: BUG FIX: PortalSettings loaded twice per request!

____________________________________________________________
You can view all of these and download the code fixes necessary @ http://aspsmith.com/DesktopDefault.aspx?tabindex=2&tabid=32
PS It is great to see that the ASP.NET team are acting on this and still keeping an eye on all of us in the forum :-)
DavidM
Various IBS Addons available at http://www.snowcovered.com

Lead Developer [vb & c#] - MCAD
0
davidgmiles
6/7/2003 4:59:22 PM
When is the fixed version expected?
0
sg48asp
6/12/2003 1:28:29 PM
This did not fix my portal. I used


Dim existing As SqlDataReader = Me.GetSingleUser(email)
If existing.Read() Then
    existing.Close() ' release the reader and its connection before signalling the duplicate
    Return -1
End If
existing.Close()

as the very first call in the AddUser function in security.vb.
Why did this not work for me? Here is my sproc text. Is there a different sproc now?

CREATE Procedure AddUser
(
@Name nvarchar(50),
@Email nvarchar(100),
@Password nvarchar(20),
@UserID int OUTPUT
)
AS
INSERT INTO Users
(
Name,
Email,
Password
)
VALUES
(
@Name,
@Email,
@Password
)
SELECT
@UserID = @@Identity
GO
0
phishstick40
6/12/2003 3:24:30 PM
Do you have an expected release date for the IBuySpy Portal Application (SDK) VB edition? 

I really need to get a copy as soon as possible.
0
jdkoehler
6/18/2003 2:10:41 PM
Scott, David,

(Don't take it wrong. IBS Portal is such a unique tool.)
Excuse that naive question but...
Why aren't those bugs fixed in the new version?
Maybe some of 'em are?
According to Rob Howard:
"Updates:
1. Fix security issue in VB versions - more details: view post 240799
2. Store passwords encrypted in the database
3. Updates to files to perform password encryption"
What is the process of creating Portal.msi or exe?
Can a group of programmers help you do this (just bugs not module enhancements)?
DNN skins Forum
Tressleworks modules
DNN & webhosting
IEWCtrls
0
bill2clone
6/18/2003 4:06:13 PM
Hi,

Can I ask what was wrong with the code in the first place, so we can avoid it in our programming?
Thank you
0
daemon74
10/14/2003 6:03:04 PM