@sitefinitySDK
Last active August 19, 2020 07:58
used by support
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="Telerik.Sitefinity.Modules.Pages" %>
<%@ Import Namespace="Telerik.Sitefinity.Modules.Pages.Data" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Web.Configuration" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<script runat="server">
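/// <summary>
/// Click handler for the "Click to apply" button. Reads the Sitefinity build number and then
/// either reports that no change is needed (build 7300 and above), adds the Telerik.Web.UI
/// security keys to web.config (builds 4000 to 7299), or reports that the version is not
/// supported by this page (builds below 4000).
/// </summary>
/// <remarks>
/// NOTE(review): this handler performs no authorization check of its own, and a successful run
/// rewrites web.config. Unless access is restricted somewhere this page does not show, anyone
/// who can request the page can trigger it. Restrict access while the page is deployed and
/// delete it once the keys are in place.
/// </remarks>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void ApplyUpdates_Click(object sender, EventArgs e)
{
    var buildNumber = this.GetSitefinityBuildNumber();

    // GetSitefinityBuildNumber returns 0 after writing its own error. Stop here instead of
    // classifying a failed lookup as a version: taking the first two characters of a
    // one-digit number throws, and the operator would otherwise see an unrelated error page.
    if (buildNumber <= 0)
    {
        Response.Write("<p style=\"color: red\">The Sitefinity build number could not be determined. No changes were made to web.config.</p>");
        return;
    }

    if (buildNumber >= 7300)
    {
        Response.Write("<p style=\"color: green\">You are secured. You are running on Sitefinity version 13.0 and there is no vulnerability in Telerik.Web.UI suite</p>");
        return;
    }

    // Compare the whole number rather than its first two digits: a prefix test also accepts
    // short numbers such as 450, which belong to the unsupported range below 4000.
    if (buildNumber >= 4000)
    {
        ApplyWebConfigTransformation(KeysType.AboveTen);
        return;
    }

    Response.Write("<p style=\"color: red\"> The version of Sitefinity that is ran by your site is an unsupported version. Refer to the written details for it in KB article: https://knowledgebase.progress.com/articles/Article/resolving-security-vulnerability-cve-2017-9248 </p>");
}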
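/// <summary>
/// Reads the schema version number of the Sitefinity page provider, which this page uses as
/// the build number.
/// </summary>
/// <returns>
/// The provider's <c>CurrentSchemaVersionNumber</c>, or 0 when it could not be read. In that
/// case the error has already been written to the response.
/// </returns>
private int GetSitefinityBuildNumber()
{
    try
    {
        var provider = (OpenAccessPageProvider)PageManager.GetManager().Provider;
        return provider.CurrentSchemaVersionNumber;
    }
    catch (Exception ex)
    {
        // The full exception text (stack trace included) is shown to whoever requested the
        // page. It is HTML-encoded so that angle brackets in type names or messages cannot
        // break or inject markup, and the paragraph is closed.
        Response.Write("<p style=\"color: red\">" + Server.HtmlEncode(ex.ToString()) + "</p>");
        return 0;
    }
}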
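/// <summary>
/// Adds the three Telerik.Web.UI security keys to the appSettings section of the site's
/// web.config, each with a freshly generated random value, and saves the file. A key that is
/// already present is reported and left untouched.
/// </summary>
/// <remarks>
/// The generated values are secrets and are stored as plain appSettings values, so the
/// resulting web.config should be handled as sensitive.
/// The success message is written only when at least one key was added and the save did not
/// throw. A failed run, or a run that changes nothing, must not leave the operator believing
/// the site has been hardened.
/// </remarks>
/// <param name="keyType">
/// Which set of keys to apply. Only <see cref="KeysType.AboveTen"/> has a transformation;
/// any other value changes nothing.
/// </param>
private void ApplyWebConfigTransformation(KeysType keyType)
{
    if (keyType != KeysType.AboveTen)
    {
        Response.Write("<p style=\"color: red\">No web.config transformation is defined for key type: " + keyType.ToString() + ". No security keys were added.</p>");
        return;
    }

    string[] keyNames = new[]
    {
        "Telerik.AsyncUpload.ConfigurationEncryptionKey",
        "Telerik.Upload.ConfigurationHashKey",
        "Telerik.Web.UI.DialogParametersEncryptionKey"
    };

    int addedCount = 0;
    try
    {
        Configuration configuration = WebConfigurationManager.OpenWebConfiguration("~");
        var section = GetWebConfigSection(configuration);
        if (section == null)
        {
            Response.Write("<p style=\"color: red\">The appSettings section of web.config could not be read. No security keys were added.</p>");
            return;
        }

        foreach (var keyName in keyNames)
        {
            if (IsKeyContained(section, keyName))
            {
                Response.Write("<p style=\"color: red\">Security Key: " + keyName + " is already present in web.config, this automation will not add it.</p>");
                continue;
            }

            section.Settings.Add(keyName, GenerateSecureKey());
            addedCount++;
        }

        // Nothing to persist when every key was already there.
        if (addedCount > 0)
        {
            configuration.Save();
        }
    }
    catch (Exception ex)
    {
        // Encoded so the exception text cannot break or inject markup; no success message follows.
        Response.Write("<p style=\"color: red\">" + Server.HtmlEncode(ex.ToString()) + "</p>");
        return;
    }

    if (addedCount > 0)
    {
        Response.Write("<h4 style=\"color: green\">Security Keys are successfully added!</h4>");
    }
    else
    {
        Response.Write("<p style=\"color: red\">No security keys were added; web.config was not changed.</p>");
    }
}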
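/// <summary>
/// Returns the appSettings section of the given configuration.
/// </summary>
/// <param name="webconfig">The opened web.config configuration object.</param>
/// <returns>
/// The appSettings section, or <c>null</c> when reading it threw. In that case the exception
/// has already been written to the response, so callers must check for <c>null</c>.
/// </returns>
private AppSettingsSection GetWebConfigSection(Configuration webconfig)
{
    try
    {
        return (AppSettingsSection)webconfig.GetSection("appSettings");
    }
    catch (Exception ex)
    {
        // HTML-encode the exception text and close the paragraph so the output stays
        // well-formed and cannot inject markup.
        Response.Write("<p style=\"color: red\">" + Server.HtmlEncode(ex.ToString()) + "</p>");
        return null;
    }
}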
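/// <summary>
/// Tells whether the appSettings section already defines a setting with exactly the given key.
/// </summary>
/// <param name="section">The appSettings section to inspect.</param>
/// <param name="key">The setting name to look for.</param>
/// <returns><c>true</c> when a setting with that key exists; otherwise <c>false</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="section"/> is <c>null</c>.</exception>
private bool IsKeyContained(AppSettingsSection section, string key)
{
    if (section == null)
    {
        throw new ArgumentNullException("section");
    }

    // Look the key up by its exact name through the collection's indexer. A substring test
    // would treat any setting whose name merely contains the key (a renamed or backup entry,
    // for example) as the security key itself, and the real key would then never be added.
    return section.Settings[key] != null;
}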
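/// <summary>
/// Generates a new random key from the platform's cryptographic random number generator.
/// </summary>
/// <returns>128 random bytes encoded as 256 uppercase hexadecimal characters.</returns>
private string GenerateSecureKey()
{
    var buffer = new byte[128];

    // RandomNumberGenerator is IDisposable; release it as soon as the bytes are drawn.
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(buffer);
    }

    // BitConverter yields "AB-CD-..."; dropping the dashes leaves plain hex.
    return BitConverter.ToString(buffer).Replace("-", "");
}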
/// <summary>
/// Selects which set of security keys ApplyWebConfigTransformation should add.
/// </summary>
public enum KeysType
{
    // The only value the click handler passes, and the only one the transformation handles.
    // NOTE(review): presumably named after Sitefinity major version 10 - confirm.
    AboveTen = 0,

    // Declared, but no code on this page handles it.
    LowerThanTen = 1
}
</script>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<hr />
<h2>This will automatically apply the security keys in web.config.</h2>
<h4 style="color: blue">NOTE: once the button is clicked the site will restart unless an error message is shown above!</h4>
<h4 style="color: blue; text-decoration: underline">If the site is deployed on multiple servers in a load-balanced or geo-replicated scenario, make sure to generate the security keys once on a single site and copy them over to the web.config of all other servers. The generated keys are in the "appSettings" section.</h4>
<asp:Button Text="Click to apply" runat="server" OnClick="ApplyUpdates_Click" />
<br />
<hr />
</div>
</form>
</body>
</html>