Security Issue and Patches, Tool Updates, and Some Upcoming Topics

A lot of things to touch on, none of which is enough for a full-blown article, so we're doing another hodgepodge of various mini topics and news.

Security Issue and Patches

Kentico recently became aware of a security issue in the Staging module.  A bug in one of the Microsoft libraries that the staging module uses to authenticate requests meant that a carefully crafted request to the staging service page could bypass authentication and read or write certain items.  This security hole affects every site whose Staging authentication mode is set to Username and Password, even if you don't have staging enabled.  If staging is not used and is disabled, you still need to change the authentication mode in order not to be affected.

Kentico took action and already has a security patch for Kentico 12 (hotfix 12.0.15), so if you are on Kentico 12, please apply the hotfix right away.  For older versions of Kentico, the workaround given was to switch Staging to X.509 certificate authentication instead of Username/Password.  However, this method is not easy to implement.

What is the X.509 authentication method for Staging?

X.509 is the standard format for public-key certificates, the same kind used for SSL/TLS.  In Staging's X.509 mode the source and target servers authenticate each other with certificates instead of a shared username and password.  The process goes like this: you first purchase a client certificate from a certificate authority (most vendors that sell SSL certificates will also sell these).  From this certificate you then generate server and client certificates (using a tool like OpenSSL, which is a command-line program), and install these certificates on both the source and target servers.  How you go from a client cert to the server key and client keys is the part I haven't figured out myself yet.

Once the server and client certificates are installed, you retrieve each certificate's key identifier (a shorter string of hexadecimal digits shown in the certificate's details).  These are the values you enter in the Staging settings in Kentico.

This way, when Kentico sends data to the staging module, it uses those key IDs to look up the full certificates (including the private key) in the operating system's certificate store, and uses them to encrypt the data, which the receiving server can then decrypt.  Because the certificates are tied to the configured pair of servers, this also provides the authentication that the Username and Password mode previously did.
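To make the key ID step concrete, here is an added C# example (not Kentico's code and not part of the original post) of what a key ID does: it selects a certificate from the Windows certificate store, whose private key the sending side can then use and whose public key the receiving side checks against.  The store location, the key ID passed on the command line, and the sign/verify operation are assumptions for illustration; the staging module's own wire protocol is not shown.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not Kentico's or the author's code. Shows what a configured
// "key ID" is used for: locating a certificate in the Windows certificate store.
// Assumed: certificates were imported into LocalMachine\My (the .pfx with the
// private key on the sending side, at least the public .cer on the receiving side).
public static class StagingCertDemo
{
    // Looks a certificate up by its Subject Key Identifier, falling back to the
    // thumbprint. Both are hex strings; spaces/colons from a copy-paste are stripped.
    public static X509Certificate2 FindByKeyId(string keyId, StoreLocation location = StoreLocation.LocalMachine)
    {
        string hex = keyId.Replace(" ", string.Empty).Replace(":", string.Empty).ToUpperInvariant();
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectKeyIdentifier, hex, validOnly: false);
            if (found.Count == 0)
                found = store.Certificates.Find(X509FindType.FindByThumbprint, hex, validOnly: false);
            if (found.Count != 1)
                throw new InvalidOperationException(
                    $"Expected exactly one certificate for key ID '{keyId}', found {found.Count}.");
            return found[0];
        }
    }

    // Sender side: sign the payload with the client certificate's private key.
    public static byte[] Sign(X509Certificate2 clientCert, byte[] payload)
    {
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException(
                "Client certificate has no private key; import the .pfx, not just the .cer.");
        using (RSA rsa = clientCert.GetRSAPrivateKey())
            return rsa.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Receiver side: verify against the certificate configured for the expected client.
    // Comparing thumbprints pins the sender to that one certificate rather than
    // accepting anything that merely chains to a public CA.
    public static bool Verify(X509Certificate2 expectedClientCert, X509Certificate2 presentedCert,
                              byte[] payload, byte[] signature)
    {
        if (!string.Equals(expectedClientCert.Thumbprint, presentedCert.Thumbprint,
                           StringComparison.OrdinalIgnoreCase))
            return false;
        using (RSA rsa = presentedCert.GetRSAPublicKey())
            return rsa.VerifyData(payload, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Usage: StagingCertDemo.exe <clientKeyId>
    public static int Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: StagingCertDemo <clientKeyId>"); return 2; }
        try
        {
            X509Certificate2 client = FindByKeyId(args[0]);
            byte[] payload = Encoding.UTF8.GetBytes("<staging task>"); // constructed sample data
            byte[] sig = Sign(client, payload);
            // The receiver only needs the public half; exporting as .cer drops the private key.
            var publicOnly = new X509Certificate2(client.Export(X509ContentType.Cert));
            Console.WriteLine(Verify(publicOnly, client, payload, sig) ? "signature OK" : "signature FAILED");
            return 0;
        }
        catch (Exception ex) { Console.WriteLine(ex.Message); return 1; }
    }
}
```

The "exactly one match" check matters in practice: if the same certificate was imported twice, or a renewed certificate shares a Subject Key Identifier with the old one, a lookup that silently takes the first hit can pick a certificate without a private key or one that the other side no longer trusts.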

We Asked, Kentico Answered

Since Kentico's bug policy was primarily to implement fixes only on the current version, and a workaround was available through X.509 certificates, they initially had no plan to implement a patch for the older supported versions, Kentico 10 and 11.  However, after we explained the time, cost, and effort required to implement X.509, they listened, went back to the development team, and changed course.  There will be a hotfix within the next week or two for versions 10 and 11, which I recommend you install as soon as it comes out so you can safely resume using the Username and Password method for the Staging module.

Tool Updates

Relationships Extended is FINALLY Live!!

You know that awesome tool that I've been talking about for, like, 6 months?  Well, there's no more waiting: it's finally available on NuGet.  We've been beta testing it with a couple of our clients, which uncovered some bugs and missing features.  I also ran into some upgrade difficulties, as the tool was initially developed for Kentico 10 and leaned heavily on the UniSelector, which changed quite dramatically in versions 11 and 12, requiring me to do some reworking.  Publishing the tool as a NuGet package was also tedious, because more than just the module needed to be exported; related objects such as page templates and form controls also had to be included.

The tool itself, if you aren't familiar with it, is a suite of UI templates, form controls, macros and helper methods to create and manage relationships of all types:

  1. Node to Node (Page Relationships) with Ordering
  2. Node to Category (Similar to Document Category, but on the Node)
  3. Node to Object (With Ordering)
  4. Object to Object/Category (With Ordering)

It includes updated versions of the Advanced Category Selector and Advanced Many-to-Many Selector, as well as an updated Related Pages control with a similar configuration setup, and full documentation on how to set up each of these relationship types and enable Staging for them.

Please note that you want to install version X.0.9 or above; the initial X.0.8 upload didn't include the web parts that the templates use.

Bootstrap Layout Tool - Bootstrap 4 Support

I've also released an update to the Bootstrap Layout tool that fixes a bug and adjusts the output to work properly with Bootstrap 4 (Kentico versions 10+).  This will be the last update to the Bootstrap Layout tool, since version 12 is the end of the Portal Engine method.  Because of these layout bug fixes, I recommend you visit the resources page on my site and install the latest version there (the Marketplace has been too busy to publish the updates yet).

CSV Import, Advanced Category Selector, Advanced Many to Many Selector Update

When I first created these three tools, I wasn't aware of a way to dynamically write data to custom module classes.  I wrote instructions on modifying the controls to account for your custom modules, but this was honestly a pain, requiring code modifications every time you wanted to use them for a new scenario.  Skip ahead a couple of years, and I finally discovered how to write to any class (even custom ones) without hard-coding it.  The update to these tools contains that code, meaning no more code modifications; now it will just "work."
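One way to do this with the Kentico API, as an added example rather than the code in the author's tools: the API can create an instance of any class by name at run time, so an import routine does not need a reference to a generated Info class.  The class name "Custom.Product", the column names and the sample row are placeholders; the helper assumes that for module classes the object type name is the class name in lower case.

```csharp
using System;
using System.Collections.Generic;
using CMS.CustomTables;
using CMS.DataEngine;

// Added example (not the author's tool code). Writes a row to any Kentico class
// chosen at run time: custom module classes via ModuleManager, custom tables via
// CustomTableItem. Class and column names below are placeholders.
public static class DynamicClassWriter
{
    // Inserts a new record, or updates the one whose keyColumn equals keyValue.
    // Unknown columns are rejected instead of silently ignored, so a mistyped CSV
    // header (or one pointing at a column the caller should not touch) fails loudly.
    public static BaseInfo Upsert(string className, string keyColumn, object keyValue,
                                  IDictionary<string, object> values)
    {
        DataClassInfo dataClass = DataClassInfoProvider.GetDataClassInfo(className);
        if (dataClass == null)
            throw new ArgumentException($"Class '{className}' does not exist.", nameof(className));
        if (dataClass.ClassIsDocumentType)
            throw new NotSupportedException("Page types are tree nodes; use DocumentHelper/TreeNode instead.");

        BaseInfo existing = FindExisting(dataClass, keyColumn, keyValue);
        BaseInfo target = existing ?? NewInstance(dataClass);

        // Column whitelist comes from the class definition itself, not from the input.
        var allowed = new HashSet<string>(target.ColumnNames, StringComparer.OrdinalIgnoreCase);
        if (!allowed.Contains(keyColumn))
            throw new ArgumentException($"Key column '{keyColumn}' is not defined on '{className}'.");
        foreach (KeyValuePair<string, object> pair in values)
        {
            if (!allowed.Contains(pair.Key))
                throw new ArgumentException($"Column '{pair.Key}' is not defined on '{className}'.");
            target.SetValue(pair.Key, pair.Value);
        }
        target.SetValue(keyColumn, keyValue);

        if (existing == null) target.Insert(); else target.Update();
        return target;
    }

    private static BaseInfo NewInstance(DataClassInfo dataClass)
    {
        if (dataClass.ClassIsCustomTable)
            return CustomTableItem.New(dataClass.ClassName);
        // Assumption: for module classes the object type name is the lower-cased class name.
        return ModuleManager.GetObject(dataClass.ClassName.ToLowerInvariant());
    }

    private static BaseInfo FindExisting(DataClassInfo dataClass, string keyColumn, object keyValue)
    {
        if (dataClass.ClassIsCustomTable)
            return CustomTableItemProvider.GetItems(dataClass.ClassName)
                                          .WhereEquals(keyColumn, keyValue)
                                          .FirstObject;
        return new ObjectQuery(dataClass.ClassName.ToLowerInvariant())
                   .WhereEquals(keyColumn, keyValue)
                   .FirstObject;
    }

    // Example call (all names are placeholders):
    // DynamicClassWriter.Upsert("Custom.Product", "ProductSKU", "SKU-001",
    //     new Dictionary<string, object> { { "ProductName", "Widget" }, { "ProductPrice", 9.99m } });
}
```

The whitelist check is the part worth keeping when adapting this to an import: the CSV header decides which columns are written, so without it a crafted file could set columns the importer never meant to expose, such as flags or foreign keys.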

An additional adjustment I made is to the CSV Import module: I compiled the code-behind of the two .ascx pages into the class library itself, so it works in both Web Application and Web Site projects, and pushed it to NuGet for easier installation.

You can download the updates from their resource pages, or from NuGet for the CSV Import module.  The Marketplace does not necessarily have the updated code, as they have been very busy.

Upcoming Topics

Other than my blog post on Dynamic Routing, I haven't touched much on MVC yet.  I wanted to give a status update on where I'm at on the upgrade of my personal project:

This site started out in Kentico 11 Portal Engine last year, and I've been slowly upgrading it to Kentico 12 MVC.  I'm learning a lot as I continue working on this project, and hopefully I'll soon be able to write some articles on some of the things I've had to learn:

  1. Online Forms - How to convert your Custom Classes to View Models with validation
  2. Repeaters in MVC - Some tricks and tools to recreate the Repeater/Transformation in Kentico MVC
  3. Handling Users - Going from MembershipContext to OWIN

There are also some updates and exciting features that the Kentico team is working on releasing with the Kentico 12 Service Pack later this year; as soon as we can disclose them, I'll be sure to let you all know!

Feedback and Conclusion

Thanks everyone for reading these articles; I'm blessed to have heard from some readers how much this and my tools have helped.  If you use them or have benefited from them, I would love to hear from you, and if you have recommendations or questions, I would love to answer.  Contact me with anything you may have, and be sure to check out Relationships Extended!
