Last active
August 19, 2020 07:58
used by support
<%@ Page Language="C#" AutoEventWireup="true" %> | |
<%@ Import Namespace="Telerik.Sitefinity.Modules.Pages" %> | |
<%@ Import Namespace="Telerik.Sitefinity.Modules.Pages.Data" %> | |
<%@ Import Namespace="System.Configuration" %> | |
<%@ Import Namespace="System.Web.Configuration" %> | |
<%@ Import Namespace="System.Web.Security" %> | |
<%@ Import Namespace="System.Security.Cryptography" %> | |
<script runat="server"> | |
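/// <summary>
/// Button handler: reads the Sitefinity build number and, for builds in the
/// supported range, adds the Telerik security keys to web.config. For other
/// builds it only writes an explanatory message to the response.
/// </summary>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void ApplyUpdates_Click(object sender, EventArgs e)
{
    // NOTE(review): nothing visible in this page checks the caller's identity
    // before web.config is rewritten. Confirm the page is reachable only by
    // administrators while it is deployed, and remove it once the keys are applied.
    var buildNumber = this.GetSitefinityBuildNumber();

    // GetSitefinityBuildNumber returns 0 when the lookup failed (it has already
    // written the exception). Stop here instead of reporting "unsupported version".
    if (buildNumber <= 0)
    {
        Response.Write("<p style=\"color: red\">The Sitefinity build number could not be determined; no changes were made.</p>");
        return;
    }

    if (buildNumber >= 7300)
    {
        Response.Write("<p style=\"color: green\">You are secured. You are running on Sitefinity version 13.0 and there is no vulnerability in Telerik.Web.UI suite</p>");
        return;
    }

    if (buildNumber >= 6400 && buildNumber < 7300)
    {
        ApplyWebConfigTransformation(KeysType.AboveTen);
        return;
    }

    // Substring(0, 2) throws on a one-character string, so only take the
    // leading two digits when they exist.
    var firstTwoDigits = 0;
    var buildText = buildNumber.ToString();
    if (buildText.Length >= 2)
    {
        int.TryParse(buildText.Substring(0, 2), out firstTwoDigits);
    }

    if (firstTwoDigits >= 40 && buildNumber < 6400)
    {
        ApplyWebConfigTransformation(KeysType.AboveTen);
        return;
    }

    if (buildNumber < 4000)
    {
        Response.Write("<p style=\"color: red\"> The version of Sitefinity that is ran by your site is an unsupported version. Refer to the written details for it in KB article: https://knowledgebase.progress.com/articles/Article/resolving-security-vulnerability-cve-2017-9248 </p>");
        return;
    }

    Response.Write("<p style=\"color: red\">Sitefinity with build number: " + buildNumber.ToString() + " is not supported for this operation </p>");
}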
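/// <summary>
/// Reads the schema version number from the Sitefinity page provider.
/// </summary>
/// <returns>
/// The provider's CurrentSchemaVersionNumber, or 0 when the lookup throws
/// (the exception is written to the response in that case).
/// </returns>
private int GetSitefinityBuildNumber()
{
    var number = 0;
    try
    {
        var provider = PageManager.GetManager().Provider;
        // The cast throws InvalidCastException for any other provider type;
        // that is reported below like every other failure.
        number = ((OpenAccessPageProvider)provider).CurrentSchemaVersionNumber;
    }
    catch (Exception ex)
    {
        // Encode the text so characters such as '<' in the exception cannot break
        // the page markup, and close the paragraph the original left open.
        // NOTE(review): the full exception, stack trace included, is shown to
        // whoever requested the page.
        Response.Write("<p style=\"color: red\">" + Server.HtmlEncode(ex.ToString()) + "</p>");
    }

    return number;
}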
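/// <summary>
/// Adds the Telerik security keys to the appSettings section of the site's
/// web.config, generating a fresh random value for every key that is missing.
/// </summary>
/// <param name="keyType">
/// Which key set to apply. Only <see cref="KeysType.AboveTen"/> has a
/// transformation; any other value changes nothing.
/// </param>
private void ApplyWebConfigTransformation(KeysType keyType)
{
    // KeysType is an enum, so it can never be null; the original null check was dead code.
    if (keyType != KeysType.AboveTen)
    {
        Response.Write("<p style=\"color: red\">No web.config transformation is defined for this key type; no changes were made.</p>");
        return;
    }

    string[] keyNames =
    {
        "Telerik.AsyncUpload.ConfigurationEncryptionKey",
        "Telerik.Upload.ConfigurationHashKey",
        "Telerik.Web.UI.DialogParametersEncryptionKey"
    };

    var added = 0;
    try
    {
        Configuration configuration = WebConfigurationManager.OpenWebConfiguration("~");
        var section = GetWebConfigSection(configuration);
        if (section == null)
        {
            Response.Write("<p style=\"color: red\">The appSettings section could not be read; no changes were made.</p>");
            return;
        }

        foreach (var keyName in keyNames)
        {
            if (!IsKeyContained(section, keyName))
            {
                section.Settings.Add(keyName, GenerateSecureKey());
                added++;
            }
            else
            {
                // NOTE(review): an existing key is left untouched and its value is
                // not inspected here; confirm separately that it is a strong,
                // site-specific value.
                Response.Write("<p style=\"color: red\">Security Key: " + keyName + " is already present in web.config, this automation will not add it.</p>");
            }
        }

        // Saving rewrites web.config (the page text says this restarts the site),
        // so only do it when something was added.
        if (added > 0)
        {
            configuration.Save();
        }
    }
    catch (Exception ex)
    {
        // Encode the text so it cannot break the markup, and do not fall through
        // to the success message after a failure.
        Response.Write("<p style=\"color: red\">" + Server.HtmlEncode(ex.ToString()) + "</p>");
        return;
    }

    if (added > 0)
    {
        Response.Write("<h4 style=\"color: green\">Security Keys are successfully added!</h4>");
    }
    else
    {
        Response.Write("<p style=\"color: red\">No keys were added; web.config was not changed.</p>");
    }
}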
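/// <summary>
/// Returns the appSettings section of the given configuration.
/// </summary>
/// <param name="webconfig">The opened web.config configuration object.</param>
/// <returns>
/// The appSettings section, or null when reading it throws (the exception is
/// written to the response in that case).
/// </returns>
private AppSettingsSection GetWebConfigSection(Configuration webconfig)
{
    try
    {
        return (AppSettingsSection)webconfig.GetSection("appSettings");
    }
    catch (Exception ex)
    {
        // Encode the exception text so it cannot break the page markup, and
        // close the paragraph the original left open.
        Response.Write("<p style=\"color: red\">" + Server.HtmlEncode(ex.ToString()) + "</p>");
    }

    return null;
}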
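/// <summary>
/// Reports whether the appSettings section already holds a setting with the given key.
/// </summary>
/// <param name="section">The appSettings section to search.</param>
/// <param name="key">The exact setting name to look for.</param>
/// <returns>True when a setting named <paramref name="key"/> exists; otherwise false.</returns>
/// <exception cref="ArgumentNullException">
/// <paramref name="section"/> or <paramref name="key"/> is null.
/// </exception>
private bool IsKeyContained(AppSettingsSection section, string key)
{
    if (section == null)
    {
        throw new ArgumentNullException("section");
    }

    if (key == null)
    {
        throw new ArgumentNullException("key");
    }

    // Compare whole names. The original substring test treated any setting whose
    // name merely contains the key (for example a renamed or suffixed copy) as
    // "already present", which would skip adding the real key.
    // Case is ignored because appSettings key lookups are case-insensitive.
    return section.Settings.AllKeys.Any(
        name => string.Equals(name, key, StringComparison.OrdinalIgnoreCase));
}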
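/// <summary>
/// Generates a random key from the cryptographic random number generator.
/// </summary>
/// <returns>128 random bytes encoded as 256 uppercase hexadecimal characters.</returns>
private string GenerateSecureKey()
{
    var buffer = new byte[128];

    // RandomNumberGenerator is disposable; release it once the bytes are drawn.
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(buffer);
    }

    // BitConverter yields "AA-BB-..."; strip the dashes to get a plain hex string.
    return BitConverter.ToString(buffer).Replace("-", "");
}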
/// <summary>
/// Selects which web.config key set ApplyWebConfigTransformation applies.
/// Only AboveTen is used by the code in this page.
/// </summary>
// NOTE(review): the names presumably refer to the Sitefinity major version - confirm.
public enum KeysType
{
    AboveTen = 0,
    LowerThanTen = 1
}
</script> | |
<!DOCTYPE html> | |
<html xmlns="http://www.w3.org/1999/xhtml"> | |
<head runat="server"> | |
<title></title> | |
</head> | |
<body> | |
<form id="form1" runat="server"> | |
<div> | |
<hr /> | |
<h2>This will automatically apply the security keys in web.config.</h2>
<h4 style="color: blue">NOTE: once the button is clicked, the site will restart unless an error message is shown above!</h4>
<h4 style="color: blue; text-decoration: underline">If the site is deployed on multiple servers in a load-balanced or geo-replicated scenario, make sure to generate the security keys once on a single site and copy them to the web.config of all other servers. The generated keys are in the "appSettings" section.</h4>
<asp:Button Text="Click to apply" runat="server" OnClick="ApplyUpdates_Click" /> | |
<br /> | |
<hr /> | |
</div> | |
</form> | |
</body> | |
</html> |