Version 5.x > Portal Engine > Kentico CMS and UrlScan program
Member
sezai.karatoz-sompojapan.com.tr - 9/23/2011 3:03:13 AM
Kentico CMS and UrlScan program
Hi,
I installed Kentico CMS on a server. On this server the UrlScan program is running. UrlScan is reporting Kentico CMS files for SQL injection. I see a lot of entries about Kentico CMS files in the UrlScan logs. Some parts of the Kentico CMS portal are not working while UrlScan is active.
How can I deal with this problem?

Kentico Support
kentico_jurajo - 9/25/2011 4:04:08 AM
RE:Kentico CMS and UrlScan program
Hi,

Could you please let us know where your program has found the SQL injections in Kentico? We are checking our code periodically against this and other kinds of attacks and we are not aware of any holes currently.

Also, I am not familiar with the UrlScan utility - maybe you can search their forums and help to see if there is any kind of setting or something similar so that it does not block other applications. Or, if you could describe the non-working parts in more detail, maybe we can help you too.

Best regards,
Juraj Ondrus

Member
sezai.karatoz-sompojapan.com.tr - 9/27/2011 7:06:05 AM
RE:Kentico CMS and UrlScan program
Hi, you can see the UrlScan logs below. These pages cannot be displayed because UrlScan thinks these pages are harmful to the site.

1) 2011-09-23 06:05:43 10.130.12.32 1 GET /KenticoCMS/CMSAdminControls/UI/UniSelector/SelectionDialog.aspx?SelectionMode=SingleTextBox&hidElem=webPartProperties_form_TransformationName_uniSelector_hiddenField&lblElem=webPartProperties_form_TransformationName_uniSelector_lblStatus&params=8fcc6fda-f8e8-4f45-86f0-bfb81c344eca&clientId=webPartProperties_form_TransformationName_uniSelector&localize=1&txtElem=webPartProperties_form_TransformationName_uniSelector_txtSingleSelect&hash=8f08a24dc9dbf957e959fd1c2419dca175d616bfc4ae27a19bad1d79df12c658 Rejected rule+'SQLInjection'+triggered query+string - select

2) 2011-09-23 06:05:45 10.130.12.32 1 GET /KenticoCMS/CMSSiteManager/Development/DocumentTypes/DocumentType_Edit_Transformation_Edit.aspx?name=cms.news.default&editonlycode=true&selectorid=webPartProperties_form_TransformationName_uniSelector Rejected rule+'SQLInjection'+triggered query+string - select

3) 2011-09-23 06:06:26 10.130.12.32 1 GET /KenticoCMS/CMSFormControls/Selectors/InsertImageOrMedia/Default.aspx?output=selectpath&email_hide=1&anchor_hide=1&attachments_hide=1&libraries_hide=1&web_hide=1&documentid=4&parentid=1&content_site=IntranetPortal&editor_clientid=webPartProperties_form_Path_txtPath&siteid=1&hash=8196284619d234f7e63e876bf7da267e6c1ca755e3f7e2ce2c86ffadadc5a407 Rejected rule+'SQLInjection'+triggered query+string - select

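Each of the three rejections above ends in "triggered query string - select": the UrlScan rule named SQLInjection has matched the deny string "select" somewhere in the query string. Reading the URLs, every hit sits inside a Kentico identifier (SelectionMode, uniSelector, txtSingleSelect, selectorid, selectpath) rather than in a SQL keyword. The script below is an added example, not code from the thread, from Kentico or from Microsoft UrlScan; it parses the three posted log lines, reproduces the kind of unescape-then-case-insensitive-substring match the log implies, reports which token contains each hit, and contrasts that with a whole-word check. The deny list, the token definition and the whole-word variant are assumptions made for the illustration, not UrlScan's actual configuration or matching code; the injection-looking query string at the end is a constructed generic test string.

```python
"""Show why UrlScan's SQLInjection rule rejects the three Kentico URLs posted above.

Added example, not code from the forum thread, Kentico or UrlScan. The deny
strings and matching behaviour are assumptions modelled on what the log
lines imply (a bare 'select' in the deny list, matched as a substring).
"""
import re
import urllib.parse

# Copies of the three rejected entries posted in the thread (constructed test data).
LOG_LINES = [
    "2011-09-23 06:05:43 10.130.12.32 1 GET /KenticoCMS/CMSAdminControls/UI/UniSelector/SelectionDialog.aspx?SelectionMode=SingleTextBox&hidElem=webPartProperties_form_TransformationName_uniSelector_hiddenField&lblElem=webPartProperties_form_TransformationName_uniSelector_lblStatus&params=8fcc6fda-f8e8-4f45-86f0-bfb81c344eca&clientId=webPartProperties_form_TransformationName_uniSelector&localize=1&txtElem=webPartProperties_form_TransformationName_uniSelector_txtSingleSelect&hash=8f08a24dc9dbf957e959fd1c2419dca175d616bfc4ae27a19bad1d79df12c658 Rejected rule+'SQLInjection'+triggered query+string - select",
    "2011-09-23 06:05:45 10.130.12.32 1 GET /KenticoCMS/CMSSiteManager/Development/DocumentTypes/DocumentType_Edit_Transformation_Edit.aspx?name=cms.news.default&editonlycode=true&selectorid=webPartProperties_form_TransformationName_uniSelector Rejected rule+'SQLInjection'+triggered query+string - select",
    "2011-09-23 06:06:26 10.130.12.32 1 GET /KenticoCMS/CMSFormControls/Selectors/InsertImageOrMedia/Default.aspx?output=selectpath&email_hide=1&anchor_hide=1&attachments_hide=1&libraries_hide=1&web_hide=1&documentid=4&parentid=1&content_site=IntranetPortal&editor_clientid=webPartProperties_form_Path_txtPath&siteid=1&hash=8196284619d234f7e63e876bf7da267e6c1ca755e3f7e2ce2c86ffadadc5a407 Rejected rule+'SQLInjection'+triggered query+string - select",
]

# Assumed deny list (a few SQL keywords and comment/terminator tokens).
DENY_STRINGS = ["select", "insert", "update", "delete", "drop", "exec", "declare", "--", "/*", ";"]

# Field layout inferred from the posted lines:
# date time client site method url verdict rule+'NAME'+triggered WHERE - TRIGGER
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<site>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<verdict>\S+) rule\+'(?P<rule>[^']+)'\+triggered "
    r"(?P<where>\S+) - (?P<trigger>\S+)$"
)

# Characters that make up one identifier-like token inside a query string (assumption).
TOKEN_CHAR = re.compile(r"[A-Za-z0-9_.]")


def parse_log_line(line):
    """Split one UrlScan log entry into its fields, plus the URL's path and query."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised UrlScan log line: %r" % line[:60])
    entry = m.groupdict()
    entry["where"] = entry["where"].replace("+", " ")  # 'query+string' -> 'query string'
    entry["path"], _, entry["query"] = entry["url"].partition("?")
    return entry


def substring_hits(query, deny=DENY_STRINGS):
    """Loose scan: unescape, lowercase, then plain substring search.

    Returns (deny_string, containing_token) for every occurrence, so the
    reader can see which identifier the 'keyword' actually lives in.
    """
    text = urllib.parse.unquote(query)
    low = text.lower()
    hits = []
    for s in deny:
        for m in re.finditer(re.escape(s), low):
            a, b = m.start(), m.end()
            while a > 0 and TOKEN_CHAR.fullmatch(text[a - 1]):
                a -= 1
            while b < len(text) and TOKEN_CHAR.fullmatch(text[b]):
                b += 1
            hits.append((s, text[a:b]))
    return hits


def keyword_hits(query, deny=DENY_STRINGS):
    """Tighter scan: an alphabetic deny string only counts when it stands alone,
    i.e. is not embedded in a longer identifier. Non-alphabetic tokens
    ('--', '/*', ';') are still matched anywhere."""
    text = urllib.parse.unquote(query).lower()
    hits = []
    for s in deny:
        pat = re.escape(s)
        if s.isalpha():
            pat = r"(?<![a-z0-9_])" + pat + r"(?![a-z0-9_])"
        if re.search(pat, text):
            hits.append(s)
    return hits


def analyze(lines):
    """Parse each log line and attach both kinds of scan result."""
    report = []
    for line in lines:
        e = parse_log_line(line)
        e["substring_hits"] = substring_hits(e["query"])
        e["keyword_hits"] = keyword_hits(e["query"])
        report.append(e)
    return report


if __name__ == "__main__":
    for e in analyze(LOG_LINES):
        print(e["path"].rsplit("/", 1)[-1], e["verdict"], e["rule"], "trigger:", e["trigger"])
        for s, token in e["substring_hits"]:
            print("   %-6s found inside token %s" % (s, token))
        print("   whole-word keywords:", e["keyword_hits"] or "none")
    # Constructed generic injection-looking query string: the tighter check still fires.
    print("whole-word check on a real-looking payload:",
          keyword_hits("name=x'%20union%20select%201--"))
```

Run stand-alone, the script lists six substring hits for the first URL (SelectionMode, four uniSelector identifiers, txtSingleSelect), two for the second (selectorid, uniSelector) and one for the third (selectpath), and zero whole-word keyword hits for all three, while the constructed payload still trips the whole-word check on both "select" and "--". That is the practical shape of the problem in this thread: a bare "select" deny string scanned as a substring will reject any Kentico dialog whose control names contain "Select", so the rule has to be tightened (or those admin paths exempted) rather than the CMS changed.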
Kentico Support
kentico_jurajo - 9/27/2011 7:39:24 AM
RE:Kentico CMS and UrlScan program
Hi,

The program is basically right. However, those dialogs are available only in the user interface to authenticated users and are not available on the live site - except the third one - but it is up to you whether you will allow the insert image/media dialog on your live site together with the WYSIWYG editor (using UI personalization settings).

However, we are checking our code and query string parameters - have you tried an actual SQL injection? Sometimes it seems to be possible, but in our code we are checking the inputs wherever SQL injection could be used.

Moreover, I would like to recommend always using the latest version of Kentico CMS with the latest hotfix applied.

Best regards,
Juraj Ondrus

Member
sezai.karatoz-sompojapan.com.tr - 9/28/2011 3:30:14 AM
RE:Kentico CMS and UrlScan program
Hi,

I haven't changed any part of the CMS and I didn't try any harmful code to test SQL injection on the site. But while UrlScan is working, the CMS is not working properly. My goal is to run these programs at the same time. Maybe our system administrators won't give us permission to stop UrlScan. I need a solution in which both of them work simultaneously.

Best regards,

Kentico Support
kentico_jurajo - 10/4/2011 3:11:17 AM
RE:Kentico CMS and UrlScan program
Hi,

I have installed UrlScan v3.1 on my end and just set it up to filter the URLs at the site level as described in that article - it seems to be working fine, both the CMS and UrlScan. Could you please point me to the location which is not working for you? Have you made any additional configuration changes to the UrlScan utility? If so, what are they?

Best regards,
Juraj Ondrus