Security Issue and Patches, Tool Updates, and Some Upcoming Topics

Trevor Fayas / April 02, 2019

Here are a couple of updates from Kentico MVP, Trevor Fayas: 

Security Issue and Patches

Kentico was recently made aware of a security issue in the Staging module.  A bug in one of the Microsoft libraries that the Staging module uses to authenticate requests means that a very carefully structured request to the Staging module page could bypass security and either read or write certain items.  This security hole affects all sites that have the Staging authentication mode set to Username and Password, even if you don't have staging enabled.  If staging is not used and is disabled, you still need to change the validation method in order not to be affected.

Kentico took action and already has a security patch for Kentico 12 (12.0.15), so if you have Kentico 12, please make sure to hotfix right away.  For older versions of Kentico, a workaround was given: use X.509 certificate authentication instead of Username/Password.  However, this method is not easy to implement.
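Before deciding whether to hotfix or switch to certificates, it helps to know which sites are actually running in Username/Password mode. The script below is an added example, not code from the post or from Kentico: it reads the staging settings straight from the Kentico database and reports each site's effective authentication mode. It assumes the settings are stored in CMS_SettingsKey (KeyName, KeyValue, SiteID, with a NULL SiteID meaning the global default), that site names live in CMS_Site, that the relevant keys are named CMSStagingServiceEnabled and CMSStagingServiceAuthentication with a value of '1' meaning X.509, and that the SqlServer PowerShell module (Invoke-Sqlcmd) is installed. Confirm the key names and values against your own database before relying on the output.

```powershell
# Added example (not from the original post or from Kentico): list each Kentico site's
# effective staging authentication mode so exposed sites can be found before the hotfix lands.
# ASSUMPTIONS (confirm against your own database): settings live in CMS_SettingsKey
# (KeyName, KeyValue, SiteID; SiteID NULL = global default), site names in CMS_Site,
# and the keys are CMSStagingServiceEnabled and CMSStagingServiceAuthentication,
# where a value of '1' means X.509 and anything else means Username/Password.
# Requires the SqlServer PowerShell module (Invoke-Sqlcmd).
param(
    [string]$ServerInstance = 'localhost',   # placeholder SQL Server instance
    [string]$Database       = 'KenticoDB'    # placeholder database name
)

$settingsQuery = @"
SELECT s.SiteName, k.KeyName, k.KeyValue
FROM CMS_SettingsKey k
LEFT JOIN CMS_Site s ON s.SiteID = k.SiteID
WHERE k.KeyName IN ('CMSStagingServiceEnabled', 'CMSStagingServiceAuthentication')
"@
$rows  = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $settingsQuery)
$sites = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query 'SELECT SiteName FROM CMS_Site')

# Returns the site's own value when it has one, otherwise the global default.
function Get-EffectiveSetting {
    param([string]$SiteName, [string]$KeyName)
    $own = $rows | Where-Object { $_.KeyName -eq $KeyName -and "$($_.SiteName)" -eq $SiteName } |
           Select-Object -First 1
    if ($own -and "$($own.KeyValue)" -ne '') { return "$($own.KeyValue)" }
    $global = $rows | Where-Object { $_.KeyName -eq $KeyName -and $_.SiteName -is [System.DBNull] } |
              Select-Object -First 1
    if ($global) { return "$($global.KeyValue)" }
    return ''
}

$report = foreach ($site in $sites) {
    $name    = "$($site.SiteName)"
    $auth    = Get-EffectiveSetting -SiteName $name -KeyName 'CMSStagingServiceAuthentication'
    $enabled = Get-EffectiveSetting -SiteName $name -KeyName 'CMSStagingServiceEnabled'
    [pscustomobject]@{
        Site           = $name
        StagingEnabled = ($enabled -eq 'True')
        AuthMode       = if ($auth -eq '1') { 'X.509' } else { 'Username/Password' }
        # The post's key point: the hole is open whenever the mode is Username/Password,
        # whether or not staging itself is enabled.
        Exposed        = ($auth -ne '1')
    }
}
$report | Format-Table -AutoSize
```

Save it as a .ps1 file and run it with -ServerInstance and -Database pointing at the Kentico database; every row with Exposed set to True is a site that needs the hotfix or the X.509 workaround, regardless of what StagingEnabled says.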

What is the X.509 Authentication Method for Staging?

X.509 is a certificate-based form of authentication, using the same kind of certificates as SSL.  The process is that you first purchase a Client Certificate from an agency (most agencies that provide SSL certs will also allow you to purchase these).  Then from this cert you need to generate Server and Client Certificates (using a tool like OpenSSL, which is a command line program), and install these certificates on both the source and target servers.  How you go from a Client cert to the Server key and Client keys...that part I haven't figured out myself yet.

When these Server and Client Certificates are installed, you can retrieve their identification key (a shorter string of letters and digits that identifies the certificate).  This is what you pass to Kentico in the Staging settings.

This way, when Kentico sends data to the Staging module, it uses those ID keys to ask the operating system for the full encryption certificates and uses them to encrypt the data, which the receiving server can then decrypt.
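The certificate steps described above, as an added example that is not from the post and is not Kentico's or Microsoft's documented procedure: a PowerShell script that creates a private signing certificate (standing in for the purchased certificate), issues one server and one client certificate from it, exports the pieces each server needs, and prints the identifiers Windows exposes for each certificate. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later where New-SelfSignedCertificate is available; the subject names 'staging-ca', 'staging-server' and 'staging-client' and the output folder are placeholders, and which identifier (thumbprint or Subject Key Identifier) the Kentico Staging settings expect is left for you to confirm against the Kentico documentation for your version.

```powershell
# Added example (not from the original post, and not Kentico's or Microsoft's documented
# procedure): build a private signing certificate, issue server and client certificates
# from it, export them for installation on the source and target servers, and print the
# identifiers Windows exposes for each certificate.
# ASSUMPTIONS: elevated session on Windows 10 / Server 2016 or later; the subject names and
# the output folder are placeholders; which identifier Kentico's Staging settings want
# (thumbprint or Subject Key Identifier) must be confirmed against the Kentico docs.
$store   = 'Cert:\LocalMachine\My'
$outDir  = 'C:\staging-certs'               # placeholder output folder
$pfxPass = Read-Host -AsSecureString 'PFX export password'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. A private signing certificate that plays the role of the purchased certificate.
$ca = New-SelfSignedCertificate -Subject 'CN=staging-ca' -CertStoreLocation $store `
        -KeyExportPolicy Exportable -KeyUsage CertSign, DigitalSignature `
        -TextExtension @('2.5.29.19={critical}{text}ca=1') -NotAfter (Get-Date).AddYears(5)

# 2. Server and client certificates signed by it (server-auth and client-auth EKUs).
$server = New-SelfSignedCertificate -Subject 'CN=staging-server' -CertStoreLocation $store `
            -Signer $ca -KeyExportPolicy Exportable -KeyUsage DigitalSignature, KeyEncipherment `
            -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') -NotAfter (Get-Date).AddYears(2)
$client = New-SelfSignedCertificate -Subject 'CN=staging-client' -CertStoreLocation $store `
            -Signer $ca -KeyExportPolicy Exportable -KeyUsage DigitalSignature, KeyEncipherment `
            -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') -NotAfter (Get-Date).AddYears(2)

# 3. Export. A private key (PFX) goes only to the server that owns that certificate;
#    public certificates (CER) go to the other side so it can verify what it receives.
Export-Certificate    -Cert $ca     -FilePath "$outDir\staging-ca.cer"     | Out-Null
Export-PfxCertificate -Cert $server -FilePath "$outDir\staging-server.pfx" -Password $pfxPass | Out-Null
Export-Certificate    -Cert $server -FilePath "$outDir\staging-server.cer" | Out-Null
Export-PfxCertificate -Cert $client -FilePath "$outDir\staging-client.pfx" -Password $pfxPass | Out-Null
Export-Certificate    -Cert $client -FilePath "$outDir\staging-client.cer" | Out-Null

# 4. The short identifiers a configuration screen asks for: the thumbprint (SHA-1 of the
#    whole certificate) and the Subject Key Identifier extension, both shown as hex.
function Get-CertIdentifiers {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ski = $Cert.Extensions |
           Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] } |
           Select-Object -First 1
    [pscustomobject]@{
        Subject              = $Cert.Subject
        Thumbprint           = $Cert.Thumbprint
        SubjectKeyIdentifier = if ($ski) { $ski.SubjectKeyIdentifier } else { '(none)' }
        NotAfter             = $Cert.NotAfter
    }
}
@($server, $client) | ForEach-Object { Get-CertIdentifiers -Cert $_ } | Format-Table -AutoSize
```

On the other server, Import-PfxCertificate installs the PFX that belongs there and Import-Certificate installs the peer's CER and the signing certificate; keep the PFX files and their password off any shared location, since whoever holds a private key can authenticate as that side of the staging exchange.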

We Asked, Kentico Answered

Since Kentico's bug policy was primarily to only implement fixes on the current version, and a workaround was available through X.509 certificates, Kentico initially had no plan to implement a bug fix patch for the older supported versions, Kentico 10 and 11.  However, after the time, cost, and effort required to implement X.509 were explained to them, they listened, went back to the developer team, and changed course.  There will be a hotfix within the next week or two for versions 10 and 11. I recommend you install it as soon as it comes out so you can resume using the Username and Password method for the Staging module safely.

Tool Updates

Relationships Extended is FINALLY Live!!

You know that awesome tool that I've been talking about for, like, 6 months?  Well, there's no more waiting: it's finally available on NuGet.  We've been beta testing it with a couple of our clients, which uncovered some bugs and missing features.  I also ran into some upgrade difficulties, as the tool was initially developed for Kentico 10 and leaned heavily on the UniSelector, which changed quite dramatically in versions 11 and 12, requiring me to do some reworking.  Publishing the tool as a NuGet package was also tedious because more than just the module needed to be exported; related objects such as Page Templates and Form Controls also had to be included.

The tool itself, if you are unaware, is a suite of UI Templates, Form Controls, Macros and Helper methods to create and manage relationships of all types:

  1. Node to Node (Page Relationships) with Ordering
  2. Node to Category (Similar to Document Category, but on the Node)
  3. Node to Object (With Ordering)
  4. Object to Object/Category (With Ordering)

It includes updated versions of the Advanced Category Selector and Advanced Many to Many Selector, as well as an updated Related Pages control that carries similar configuration setups, and full documentation on how to set up any of these types of relationships and enable Staging with them.

Please note that you want to install at least version X.0.9 or above; the initial upload of X.0.8 didn't include the web parts that the templates used.
Please use the form below to request a free copy of this RelationshipsExtended module. 

Bootstrap Layout Tool - Bootstrap 4 Support

I've also released an update to the Bootstrap Layout Tool that fixes a bug and adjusts the output to work properly with Bootstrap 4 (Kentico versions 10+).  This will be the last update to the Bootstrap Layout Tool, since version 12 will be the end of the Portal method.  Because of these layout bug fixes, I recommend that you visit the resources page on my site and install the latest version (the Marketplace has been too busy to publish the updates yet).
Please use the form below to request a free copy of this Bootstrap Layout Tool.

CSV Import, Advanced Category Selector, Advanced Many to Many Selector Update

When I first created these 3 tools, I wasn't aware of a way to dynamically write data to custom module classes. I wrote instructions on modifying the controls to account for your custom modules, but this was honestly a pain; it required code modifications every time you wanted to use them for a new scenario.  Skip ahead a couple of years and I finally discovered how to write to any class (even custom ones) without hard coding it.  So the update to these tools contains that code. No more code modifications.  Now it will just "work"!

An additional adjustment I made is to the CSV Import module. I compiled the code behind the two .ascx pages into the actual class library, so it will work on both Web projects and Web Sites, and pushed it to NuGet for easier installation.

Please use the form below to request a free copy of this CSV Import module.

Please use the following form to request a copy of the RelationshipsExtended module, Bootstrap Layout Tool, and CSV Import module:


About the Author


Trevor Fayas
Senior Software Engineer I

Trevor Fayas is a Senior Software Engineer I at Heartland Business Systems and a 2018 Kentico MVP. He is ranked in the top 10 Kentico Developer Network Q&A Contributors, and has published multiple tools on the Kentico Marketplace.  Trevor’s passion is to help build and equip Kentico users and developers with the tools to really take their site to the next level.
