Orchard – Piedone Avatar Double Extension Threat


So, I was still developing for a site that uses Orchard CMS. I finally got into security testing. Well, that’s a lot of effort to do. 😀

But what I got is that there is a double extension threat to my application. At first, I managed to fix it through the Media module on Orchard. Then I thought it was already safe and clear. I patiently waited for the result. What I got was the opposite. The threat still showed up. And it brought me to one conclusion: the problem is in the Piedone Avatar (the module that I currently use for avatars on my site).

As usual, I debugged the application first, putting breakpoints here and there, searching for the suitable location and looking through the steps. I found the way and made some modifications. The modifications that I made are on the IAvatarsService interface, the AvatarsServiceExtension class, and AvatarsService (since I made a modification on the interface).

Here is the added code:

IAvatarsService

...

/// <summary>
/// Saves an avatar file
/// </summary>
/// <param name="id">Id of the content item (user) to attach the file to</param>
/// <param name="stream">The content of the file</param>
/// <param name="extension">The extension of the file</param>
/// <param name="filename">The name of the file (for double extension checking)</param>
/// <returns>True or false indicating success or failure</returns>
bool SaveAvatarFile(int id, Stream stream, string extension, string filename);

...

AvatarsServiceExtension

...

/// <summary>
/// Saves an avatar file
/// </summary>
/// <param name="id">Id of the content item (user) to attach the file to</param>
/// <param name="postedFile">A posted image file</param>
/// <returns>True or false indicating success or failure</returns>
public static bool SaveAvatarFile(this IAvatarsService service, int id, HttpPostedFileBase postedFile)
{
    // I add postedFile.FileName so that the service can check the full name for a double extension first.
    return service.SaveAvatarFile(id, postedFile.InputStream, Path.GetExtension(postedFile.FileName), postedFile.FileName);
}

...

AvatarsService

...

// Requires: using System; using System.Collections.Generic; using System.Linq;

public bool SaveAvatarFile(int id, Stream stream, string extension, string filename)
{
    ...

    if (containsHarmfulDoubleExtension(filename) || !IsFileAllowed(filePath))
    {
        ValidationDictionary.AddError(AvatarsServiceValidationKey.NotAllowedFileType, T("This file type is not allowed as an avatar."));

        return false;
    }

    ...
}

/// <summary>
/// Checks whether the file name has a double extension that is harmful.
/// A double extension that is not harmful leaves the file as it is.
/// </summary>
/// <param name="filename">Name of the file</param>
/// <returns>True if one of the extra extensions is harmful</returns>
public bool containsHarmfulDoubleExtension(string filename)
{
    // Exact, case-insensitive lookup. A plain string.Contains() on the space-separated
    // list matched substrings, so "e", "ph" or an empty segment (from "a..jpg") counted as harmful.
    HashSet<string> harmfulExtensions = new HashSet<string>(
        "exe php cs ascx cshtml html obj class java bat deb vb vbe reg php3 php4 php5".Split(' '),
        StringComparer.OrdinalIgnoreCase);

    bool hasil = false; // "hasil" = result
    List<string> splittedFileName = filename.Split('.').ToList<string>();
    if (splittedFileName.Count <= 2)
        return false; // no dot, or exactly one extension: nothing to check here
    else
    {
        // more dots are found.
        splittedFileName.RemoveAt(0); // remove the first element (considered as a name)
        foreach (string singleBlast in splittedFileName)
        {
            // Trim so that "shell.php .jpg" is still caught.
            hasil = harmfulExtensions.Contains(singleBlast.Trim());
            if (hasil == true)
                break;
        }
    }

    return hasil;
}

...

If there is any suggestion you may add to or repair in my code, well, please be kind 🙂
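One suggestion, as an added example that is not part of the post or of the Piedone.Avatars module: instead of only deny-listing harmful extensions, accept only a small allow-list of image extensions for the last segment and reject any executable or script extension in every other segment, while also handling the edge cases a deny-list misses (client paths, empty segments, trailing dots, padded segments). The class name, the `Reject` method and both extension lists are assumptions chosen for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example (not Piedone.Avatars code): allow-list check for an avatar file name.
public static class AvatarFileNameCheck
{
    // Only these final extensions are accepted for an avatar image (assumed list).
    static readonly HashSet<string> Allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "jpg", "jpeg", "png", "gif" };

    // Extensions that must never appear in any segment, even before the last dot
    // (assumed list; some servers treat "a.php.jpg" as a PHP script).
    static readonly HashSet<string> Executable = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "exe", "php", "php3", "php4", "php5", "asp", "aspx", "ashx", "cshtml", "ascx", "html", "bat", "vbe", "reg", "js" };

    // Returns null when the name is acceptable, otherwise the reason it was rejected.
    public static string Reject(string postedFileName)
    {
        if (string.IsNullOrWhiteSpace(postedFileName)) return "empty name";
        // Browsers may send a full client path; keep only the leaf so no separator reaches disk.
        string name = Path.GetFileName(postedFileName.Replace('\\', '/'));
        if (name.Length == 0 || name.EndsWith(".")) return "no usable name";
        string[] parts = name.Split('.');
        if (parts.Length < 2) return "no extension";
        for (int i = 0; i < parts.Length; i++)
        {
            string part = parts[i].Trim();
            if (part.Length == 0) return "empty segment";            // "a..jpg" or ".jpg"
            if (i > 0 && Executable.Contains(part)) return "executable extension: " + part;
        }
        string last = parts[parts.Length - 1].Trim();
        if (!Allowed.Contains(last)) return "extension not allowed: " + last;
        return null;
    }

    public static void Main()
    {
        // Constructed sample names, including the double-extension cases the post describes.
        string[] samples = { "me.jpg", "me.photo.png", "shell.php.jpg", "shell.PHP .jpg",
                             "C:\\Users\\x\\me.jpeg", "me.jpg.", "a..png", "me.html" };
        foreach (string s in samples)
            Console.WriteLine("{0,-28} -> {1}", s, Reject(s) ?? "ok");
    }
}
```

The name check is only one layer; the uploaded bytes should still be validated as an image (for instance by decoding them) before the file is stored.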

Orchard – Slow?


Hello! I’m back!

Lately there was an issue related to a site that I have published. It was using Orchard 1.4.1 and it is (the client thinks) slow. I was confused at first when I faced the issue. “It runs so fast on my computer!”, I said. But it was a client and of course, they didn’t accept such a reason.

Then I began to browse for the solutions and I got some as described below.

  1. Maintain the server performance (IIS). In this Orchard documentation, I found that some steps may be taken. Managing App Pool Recycle can be useful too. 🙂
  2. Update your Orchard. This discussion clearly describes that updating Orchard can make the site run faster.
  3. I refer back to the first link: remove the unused modules. I was using Disqus for the website’s comment system. What I got was a complaint from the client that their web is so slow. I can’t blame them for the slow connection; Disqus loads outside files and data. Then I tried to calm them down using the normal comments from Orchard and it runs a bit faster. Well, not quite a good decision, for I have to implement some more functions so that Orchard.Comments will act like Disqus. Fool indeed.

Those are the three maintenance steps that I have done. I think the site runs quite a bit faster now. I hope they like it.

Orchard – Deployment


Hi there!

I haven’t posted anything yesterday so I think I will post two posts today. This is the first. This actually happened yesterday when I was trying to deploy a web that is using Orchard CMS.

I found some steps (cheating steps actually) to deploy it easily and quickly. I am using the FTP publish method from VS 2010.

  1. Prepare your source code. Prepare the FTP server too. Create a SQL dump statement that contains your web’s database.
  2. If there are files on the FTP already, back them up.
  3. Execute your SQL statement in the target database.
  4. Using the user given by the database admin, update the default site to the new environment.
  5. Change the setting in ~/App_Data/Sites/Default/Settings.txt so that your connection string matches the publish environment.
  6. Set your build to release mode in Visual Studio.
  7. Configure your publish method to FTP and publish it to the FTP server.
  8. Change all localhost:port to the new site in your code, e.g. www.this-is-the-new-web.com
  9. Publish it.

Quite easy and simple steps. Sometimes there is an error. You can check the log for more details. The log is located at ~/App_Data/Logs/. The error that I met is that the user given by the DB admin can’t access the database. So I had to ask the DB admin to let the user access it. That’s all.