Will v2 work on a 4.52 site using legacy xslt schema?
I would like to be able to edit the web.config file inside of Umbraco, so I hope to be able to just uninstall the nibble version from the site and install 2.0. Please let me know if this will work or if the package is dependent upon the new schema.
The site was originally a v4 site that we upgraded to 4.52, but we have not updated the schema.
Thanks!
Hi Craig,
Yes, v2.0 will work with Umbraco v4.5.2+.
If you do run into any problems, let me know.
Cheers, Lee.
I like being able to quickly see config settings on a remote server. However there is a security risk involving the web.config.
If someone is able to get into the cms, they can install the config-tree package (if it is not already installed) which will give them access to the web.config.
From here they can do all types of stuff, including (but not limited to):
- Get the database connection string
- Enable trace and debugging which will give access to server variables
From there they can mount any number of attacks on the server.
Is there any way that we can mitigate this?
Hi Anthony,
If someone was determined enough, they'd be writing their own package to abuse/exploit everything. It doesn't even need a package, code could be added at runtime inside a script block on a MasterPage template. My point is, the weakness isn't the Config Tree package.
Obviously this is an issue. I'm not sure what the solution is, but I'd like to know too! :-)
Cheers, Lee.
If someone can access the CMS, then there's the security flaw (easy passwords, anyone?) - as Lee says, once they're that far then the package is merely incidental.
I'm not advocating storing of sensitive data in a more accessible place if a less accessible place is available - for me all sensitive data should be reliably encrypted anyway, that's a different matter - but simply noting a breakdown in the logic.
Ah yes... script blocks in masterpages would probably be very useful to an attacker. Not to mention razor.
I guess if you are able to access the templates then you can get out of the server as much as you would have got from the web.config.
Makes me cringe at some of the passwords I know some Umbraco editors are using.
I guess this comes down to making sure you know who has credentials to access the settings and developer section.
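Added example, not from the thread or the Config Tree package: the standard ASP.NET (.NET Framework) way to keep the database string out of plaintext web.config is to protect the section with the DPAPI provider, so a config viewer shows an EncryptedData element instead of the string. It assumes the site's physical path and section name are passed on the command line and that it runs on the web server itself with write access to web.config; older Umbraco 4.x releases keep the string as umbracoDbDSN in appSettings rather than connectionStrings, so pass whichever section holds it.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: protect or unprotect one section of a site's web.config with the
// machine-scoped DPAPI provider. References System.Configuration and System.Web.
static class ProtectConfigSection
{
    // Opens the web.config under sitePath (a placeholder path supplied by the caller).
    static Configuration OpenSiteConfig(string sitePath)
    {
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(sitePath, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Encrypts (protect == true) or decrypts the named section and saves the file.
    // Returns whether the section is protected after the call.
    static bool SetProtection(Configuration config, string sectionName, bool protect)
    {
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new InvalidOperationException("Section not found: " + sectionName);

        SectionInformation info = section.SectionInformation;
        if (protect && !info.IsProtected)
            info.ProtectSection("DataProtectionConfigurationProvider"); // DPAPI, machine key
        else if (!protect && info.IsProtected)
            info.UnprotectSection();

        // Only modified sections are rewritten; the rest of web.config is left as-is.
        config.Save(ConfigurationSaveMode.Modified);
        return info.IsProtected;
    }

    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: ProtectConfigSection <site physical path> <section> [--decrypt]");
            return 2;
        }
        bool protect = !(args.Length > 2 && args[2] == "--decrypt");
        Configuration config = OpenSiteConfig(args[0]);
        bool isProtected = SetProtection(config, args[1], protect);
        Console.WriteLine(args[1] + " is now " + (isProtected ? "encrypted" : "plaintext"));
        return 0;
    }
}
```

The runtime decrypts the section transparently, so this limits what reading the file (or a copy of it) reveals but does nothing against someone who can already run code in the site through templates, which is the point Lee makes above.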