As are result of security penetration test the following changes applied:

All authentication related cookies tagged as httpOnly
web.config: enabledVersionHeader=false
autocomplete disabled
Login url injection redirection fixed
session hijacking protection implemented

Don't forget to serve your website over HTTPS and to change requireSSL="false" to requireSSL="true"
This commit is contained in:
robvde 2012-06-21 19:39:58 +04:00
parent 6794315198
commit 38592df9e6
8 changed files with 397 additions and 121 deletions


@ -268,6 +268,7 @@ namespace WebsitePanel.Portal
authCookie.Secure = FormsAuthentication.RequireSSL;
authCookie.Path = FormsAuthentication.FormsCookiePath;
authCookie.Value = FormsAuthentication.Encrypt(ticket);
authCookie.HttpOnly = true;
if (persistent)
authCookie.Expires = DateTime.Now.AddMonths(1);
@ -500,6 +501,8 @@ namespace WebsitePanel.Portal
// store last successful username in the cookie
HttpCookie cookie = new HttpCookie("WebsitePanelLogin", username);
cookie.Expires = DateTime.Now.AddDays(7);
cookie.Secure = FormsAuthentication.RequireSSL;
cookie.HttpOnly = true;
HttpContext.Current.Response.Cookies.Add(cookie);
// set language
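Review bot: The `WebsitePanelLogin` cookie created at L27 stores the last username in clear text for seven days (L28), and the new `cookie.Secure = FormsAuthentication.RequireSSL` line only helps once an operator flips requireSSL, which the commit message says still ships as false — until then both this cookie and the forms ticket travel over plain HTTP. `HttpOnly` stops script from reading it but does nothing for a shared or lost device, so if the username-remembering feature is kept it should at least be scoped like the auth cookie in the first hunk with `cookie.Path = FormsAuthentication.FormsCookiePath;`, and the seven-day lifetime deserves a comment explaining why it outlives the session. The enclosing method starts before and continues after the hunk.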


@ -0,0 +1,153 @@
using System;
using System.Web;
using System.Web.Security;
using System.Web.Caching;
using System.Configuration;
using System.Security.Cryptography;
using System.Runtime.Serialization;
using System.Globalization;
using System.Text;
using Microsoft.Security.Application;
namespace WebsitePanel.WebPortal
{
public class SecureSessionModule : IHttpModule
{
public const string DEFAULT_PAGE = "~/Default.aspx";
public const string PAGE_ID_PARAM = "pid";
private static string _ValidationKey = null;
public void Init(HttpApplication app)
{
// Initialize validation key if not already initialized
if (_ValidationKey == null)
_ValidationKey = GetValidationKey();
// Register handlers for BeginRequest and EndRequest events
app.BeginRequest += new EventHandler(OnBeginRequest);
app.EndRequest += new EventHandler(OnEndRequest);
}
public void Dispose() { }
void OnBeginRequest(Object sender, EventArgs e)
{
// Look for an incoming cookie named "ASP.NET_SessionID"
HttpRequest request = ((HttpApplication)sender).Request;
HttpCookie cookie = GetCookie(request, "ASP.NET_SessionId");
if (cookie != null)
{
// Throw an exception if the cookie lacks a MAC
if (cookie.Value.Length <= 24)
{
FormsAuthentication.SignOut();
HttpContext.Current.Response.Redirect(DefaultPage.GetPageUrl(PortalConfiguration.SiteSettings["DefaultPage"]));
}
// Separate the session ID and the MAC
string id = cookie.Value.Substring(0, 24);
string mac1 = cookie.Value.Substring(24);
// Generate a new MAC from the session ID and requestor info
string mac2 = GetSessionIDMac(id, request.UserHostAddress,
request.UserAgent, _ValidationKey);
// Throw an exception if the MACs don't match
if (String.CompareOrdinal(mac1, mac2) != 0)
{
FormsAuthentication.SignOut();
HttpContext.Current.Response.Redirect(DefaultPage.GetPageUrl(PortalConfiguration.SiteSettings["DefaultPage"]));
}
// Strip the MAC from the cookie before ASP.NET sees it
cookie.Value = id;
}
}
void OnEndRequest(Object sender, EventArgs e)
{
// Look for an outgoing cookie named "ASP.NET_SessionID"
HttpRequest request = ((HttpApplication)sender).Request;
HttpCookie cookie = GetCookie( request, "ASP.NET_SessionId");
if (cookie != null)
{
// Add a MAC
cookie.Value += GetSessionIDMac(cookie.Value,
request.UserHostAddress, request.UserAgent,
_ValidationKey);
}
}
private string GetValidationKey()
{
string key = ConfigurationManager.AppSettings["SessionValidationKey"];
if (key == null || key == String.Empty)
throw new InvalidSessionException
("SessionValidationKey missing");
return key;
}
private HttpCookie GetCookie(HttpRequest request, string name)
{
HttpCookieCollection cookies = request.Cookies;
return FindCookie(cookies, name);
}
private HttpCookie GetCookie(HttpResponse response, string name)
{
HttpCookieCollection cookies = response.Cookies;
return FindCookie(cookies, name);
}
private HttpCookie FindCookie(HttpCookieCollection cookies,
string name)
{
int count = cookies.Count;
for (int i = 0; i < count; i++)
{
if (String.Compare(cookies[i].Name, name, true,
CultureInfo.InvariantCulture) == 0)
return cookies[i];
}
return null;
}
private string GetSessionIDMac(string id, string ip,
string agent, string key)
{
StringBuilder builder = new StringBuilder(id, 512);
builder.Append(ip);
builder.Append(agent);
using (HMACSHA1 hmac = new HMACSHA1
(Encoding.UTF8.GetBytes(key)))
{
return Convert.ToBase64String(hmac.ComputeHash
(Encoding.UTF8.GetBytes(builder.ToString())));
}
}
}
[Serializable]
public class InvalidSessionException : Exception
{
public InvalidSessionException() :
base("Session cookie is invalid") { }
public InvalidSessionException(string message) :
base(message) { }
public InvalidSessionException(string message,
Exception inner)
: base(message, inner) { }
protected InvalidSessionException(SerializationInfo info,
StreamingContext context)
: base(info, context) { }
}
}
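Review bot: A session cookie that fails the length check at L72 or the MAC check at L84 is never cleared before the redirect, so as far as I can see the browser re-sends the same cookie on the redirected request and `OnBeginRequest` rejects it again — a redirect loop for any user whose IP or User-Agent changed mid-session, and for every existing user whose cookie predates this module. Both branches should expire `ASP.NET_SessionId` in the response before redirecting; replace each `FormsAuthentication.SignOut(); … Response.Redirect(…)` pair with `RejectSession(((HttpApplication)sender).Response); return;` using the helper below, and change the stale `// Throw an exception …` comments to `// Reject the session and redirect`, since nothing throws. Separately, `String.CompareOrdinal(mac1, mac2)` is not constant-time; compare the MACs with a fixed-time loop such as `MacsEqual` below. Binding to `request.UserHostAddress` will also see only the proxy address when the portal sits behind a reverse proxy or load balancer, which both weakens the check and loops legitimate users whose egress IP rotates — worth a comment in `GetSessionIDMac` and, if that deployment is supported, a configuration switch.
```csharp
// Sign the user out and expire the session cookie so the redirected request
// does not carry the rejected value straight back into OnBeginRequest.
private void RejectSession(HttpResponse response)
{
    FormsAuthentication.SignOut();
    HttpCookie expired = new HttpCookie("ASP.NET_SessionId", String.Empty);
    expired.HttpOnly = true;
    expired.Expires = DateTime.Now.AddDays(-1);
    response.Cookies.Add(expired);
    response.Redirect(DefaultPage.GetPageUrl(PortalConfiguration.SiteSettings["DefaultPage"]));
}

// Fixed-time comparison so a forged MAC cannot be guessed byte by byte from response timing.
private static bool MacsEqual(string a, string b)
{
    if (a.Length != b.Length)
        return false;
    int diff = 0;
    for (int i = 0; i < a.Length; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}
```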


@ -13,7 +13,7 @@
<![endif]-->
</head>
<body>
<form id="form1" runat="server">
<form id="form1" runat="server" autocomplete="off">
<asp:PlaceHolder ID="skinPlaceHolder" runat="server"></asp:PlaceHolder>
</form>
</body>
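Review bot: `autocomplete="off"` on the whole form is honoured inconsistently — current browsers and password managers ignore it for login fields — so this is a defence-in-depth tweak rather than a fix for a credential-caching finding, and the commit should not be described as closing that item. If the intent is the login form, the attribute belongs on the username and password inputs themselves rather than on `form1`, which appears to wrap every portal page through `skinPlaceHolder` and therefore also disables autofill on harmless fields site-wide.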


@ -112,36 +112,42 @@
</Compile>
<Compile Include="BillingCycles.ascx.cs">
<DependentUpon>BillingCycles.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="BillingCycles.ascx.designer.cs">
<DependentUpon>BillingCycles.ascx</DependentUpon>
</Compile>
<Compile Include="BillingCyclesAddCycle.ascx.cs">
<DependentUpon>BillingCyclesAddCycle.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="BillingCyclesAddCycle.ascx.designer.cs">
<DependentUpon>BillingCyclesAddCycle.ascx</DependentUpon>
</Compile>
<Compile Include="BillingCyclesEditCycle.ascx.cs">
<DependentUpon>BillingCyclesEditCycle.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="BillingCyclesEditCycle.ascx.designer.cs">
<DependentUpon>BillingCyclesEditCycle.ascx</DependentUpon>
</Compile>
<Compile Include="Categories.ascx.cs">
<DependentUpon>Categories.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="Categories.ascx.designer.cs">
<DependentUpon>Categories.ascx</DependentUpon>
</Compile>
<Compile Include="CategoriesAddCategory.ascx.cs">
<DependentUpon>CategoriesAddCategory.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CategoriesAddCategory.ascx.designer.cs">
<DependentUpon>CategoriesAddCategory.ascx</DependentUpon>
</Compile>
<Compile Include="CategoriesEditCategory.ascx.cs">
<DependentUpon>CategoriesEditCategory.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CategoriesEditCategory.ascx.designer.cs">
<DependentUpon>CategoriesEditCategory.ascx</DependentUpon>
@ -153,8 +159,12 @@
<Compile Include="Code\Framework\CheckoutBasePage.cs">
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="Code\Framework\ecControlBase.cs" />
<Compile Include="Code\Framework\ecModuleBase.cs" />
<Compile Include="Code\Framework\ecControlBase.cs">
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="Code\Framework\ecModuleBase.cs">
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="Code\Framework\ecPanelFormatter.cs" />
<Compile Include="Code\Framework\ecPanelGlobals.cs" />
<Compile Include="Code\Framework\ecPanelRequest.cs" />
@ -181,150 +191,175 @@
</Compile>
<Compile Include="CustomerPaymentProfile.ascx.cs">
<DependentUpon>CustomerPaymentProfile.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CustomerPaymentProfile.ascx.designer.cs">
<DependentUpon>CustomerPaymentProfile.ascx</DependentUpon>
</Compile>
<Compile Include="CustomersInvoices.ascx.cs">
<DependentUpon>CustomersInvoices.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CustomersInvoices.ascx.designer.cs">
<DependentUpon>CustomersInvoices.ascx</DependentUpon>
</Compile>
<Compile Include="CustomersInvoicesViewInvoice.ascx.cs">
<DependentUpon>CustomersInvoicesViewInvoice.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CustomersInvoicesViewInvoice.ascx.designer.cs">
<DependentUpon>CustomersInvoicesViewInvoice.ascx</DependentUpon>
</Compile>
<Compile Include="CustomersPayments.ascx.cs">
<DependentUpon>CustomersPayments.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CustomersPayments.ascx.designer.cs">
<DependentUpon>CustomersPayments.ascx</DependentUpon>
</Compile>
<Compile Include="CustomersServices.ascx.cs">
<DependentUpon>CustomersServices.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CustomersServices.ascx.designer.cs">
<DependentUpon>CustomersServices.ascx</DependentUpon>
</Compile>
<Compile Include="CustomersServicesUpgradeService.ascx.cs">
<DependentUpon>CustomersServicesUpgradeService.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CustomersServicesUpgradeService.ascx.designer.cs">
<DependentUpon>CustomersServicesUpgradeService.ascx</DependentUpon>
</Compile>
<Compile Include="CustomersServicesViewService.ascx.cs">
<DependentUpon>CustomersServicesViewService.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="CustomersServicesViewService.ascx.designer.cs">
<DependentUpon>CustomersServicesViewService.ascx</DependentUpon>
</Compile>
<Compile Include="DomainNames.ascx.cs">
<DependentUpon>DomainNames.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="DomainNames.ascx.designer.cs">
<DependentUpon>DomainNames.ascx</DependentUpon>
</Compile>
<Compile Include="DomainNamesAddDomain.ascx.cs">
<DependentUpon>DomainNamesAddDomain.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="DomainNamesAddDomain.ascx.designer.cs">
<DependentUpon>DomainNamesAddDomain.ascx</DependentUpon>
</Compile>
<Compile Include="DomainNamesEditDomain.ascx.cs">
<DependentUpon>DomainNamesEditDomain.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="DomainNamesEditDomain.ascx.designer.cs">
<DependentUpon>DomainNamesEditDomain.ascx</DependentUpon>
</Compile>
<Compile Include="DomainRegistrarDirecti.ascx.cs">
<DependentUpon>DomainRegistrarDirecti.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="DomainRegistrarDirecti.ascx.designer.cs">
<DependentUpon>DomainRegistrarDirecti.ascx</DependentUpon>
</Compile>
<Compile Include="DomainRegistrarEnom.ascx.cs">
<DependentUpon>DomainRegistrarEnom.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="DomainRegistrarEnom.ascx.designer.cs">
<DependentUpon>DomainRegistrarEnom.ascx</DependentUpon>
</Compile>
<Compile Include="EcommerceSystemSettings.ascx.cs">
<DependentUpon>EcommerceSystemSettings.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="EcommerceSystemSettings.ascx.designer.cs">
<DependentUpon>EcommerceSystemSettings.ascx</DependentUpon>
</Compile>
<Compile Include="HostingAddons.ascx.cs">
<DependentUpon>HostingAddons.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="HostingAddons.ascx.designer.cs">
<DependentUpon>HostingAddons.ascx</DependentUpon>
</Compile>
<Compile Include="HostingAddonsAddAddon.ascx.cs">
<DependentUpon>HostingAddonsAddAddon.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="HostingAddonsAddAddon.ascx.designer.cs">
<DependentUpon>HostingAddonsAddAddon.ascx</DependentUpon>
</Compile>
<Compile Include="HostingAddonsEditAddon.ascx.cs">
<DependentUpon>HostingAddonsEditAddon.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="HostingAddonsEditAddon.ascx.designer.cs">
<DependentUpon>HostingAddonsEditAddon.ascx</DependentUpon>
</Compile>
<Compile Include="HostingPlans.ascx.cs">
<DependentUpon>HostingPlans.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="HostingPlans.ascx.designer.cs">
<DependentUpon>HostingPlans.ascx</DependentUpon>
</Compile>
<Compile Include="HostingPlansAddPlan.ascx.cs">
<DependentUpon>HostingPlansAddPlan.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="HostingPlansAddPlan.ascx.designer.cs">
<DependentUpon>HostingPlansAddPlan.ascx</DependentUpon>
</Compile>
<Compile Include="HostingPlansEditPlan.ascx.cs">
<DependentUpon>HostingPlansEditPlan.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="HostingPlansEditPlan.ascx.designer.cs">
<DependentUpon>HostingPlansEditPlan.ascx</DependentUpon>
</Compile>
<Compile Include="NotificationNewInvoice.ascx.cs">
<DependentUpon>NotificationNewInvoice.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="NotificationNewInvoice.ascx.designer.cs">
<DependentUpon>NotificationNewInvoice.ascx</DependentUpon>
</Compile>
<Compile Include="NotificationPaymentReceived.ascx.cs">
<DependentUpon>NotificationPaymentReceived.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="NotificationPaymentReceived.ascx.designer.cs">
<DependentUpon>NotificationPaymentReceived.ascx</DependentUpon>
</Compile>
<Compile Include="NotificationServiceActivated.ascx.cs">
<DependentUpon>NotificationServiceActivated.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="NotificationServiceActivated.ascx.designer.cs">
<DependentUpon>NotificationServiceActivated.ascx</DependentUpon>
</Compile>
<Compile Include="NotificationServiceCancelled.ascx.cs">
<DependentUpon>NotificationServiceCancelled.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="NotificationServiceCancelled.ascx.designer.cs">
<DependentUpon>NotificationServiceCancelled.ascx</DependentUpon>
</Compile>
<Compile Include="NotificationServiceSuspended.ascx.cs">
<DependentUpon>NotificationServiceSuspended.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="NotificationServiceSuspended.ascx.designer.cs">
<DependentUpon>NotificationServiceSuspended.ascx</DependentUpon>
</Compile>
<Compile Include="OrderFailed.ascx.cs">
<DependentUpon>OrderFailed.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="OrderFailed.ascx.designer.cs">
<DependentUpon>OrderFailed.ascx</DependentUpon>
@ -338,48 +373,56 @@
</Compile>
<Compile Include="PaymentMethod2Checkout.ascx.cs">
<DependentUpon>PaymentMethod2Checkout.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="PaymentMethod2Checkout.ascx.designer.cs">
<DependentUpon>PaymentMethod2Checkout.ascx</DependentUpon>
</Compile>
<Compile Include="PaymentMethodCreditCard.ascx.cs">
<DependentUpon>PaymentMethodCreditCard.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="PaymentMethodCreditCard.ascx.designer.cs">
<DependentUpon>PaymentMethodCreditCard.ascx</DependentUpon>
</Compile>
<Compile Include="PaymentMethodOffline.ascx.cs">
<DependentUpon>PaymentMethodOffline.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="PaymentMethodOffline.ascx.designer.cs">
<DependentUpon>PaymentMethodOffline.ascx</DependentUpon>
</Compile>
<Compile Include="PaymentMethodPayPalAccount.ascx.cs">
<DependentUpon>PaymentMethodPayPalAccount.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="PaymentMethodPayPalAccount.ascx.designer.cs">
<DependentUpon>PaymentMethodPayPalAccount.ascx</DependentUpon>
</Compile>
<Compile Include="PaymentMethods\2CO_Payment.ascx.cs">
<DependentUpon>2CO_Payment.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="PaymentMethods\2CO_Payment.ascx.designer.cs">
<DependentUpon>2CO_Payment.ascx</DependentUpon>
</Compile>
<Compile Include="PaymentMethods\CreditCard_Payment.ascx.cs">
<DependentUpon>CreditCard_Payment.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="PaymentMethods\CreditCard_Payment.ascx.designer.cs">
<DependentUpon>CreditCard_Payment.ascx</DependentUpon>
</Compile>
<Compile Include="PaymentMethods\Offline_Payment.ascx.cs">
<DependentUpon>Offline_Payment.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="PaymentMethods\Offline_Payment.ascx.designer.cs">
<DependentUpon>Offline_Payment.ascx</DependentUpon>
</Compile>
<Compile Include="PaymentMethods\PPAccount_Payment.ascx.cs">
<DependentUpon>PPAccount_Payment.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="PaymentMethods\PPAccount_Payment.ascx.designer.cs">
<DependentUpon>PPAccount_Payment.ascx</DependentUpon>
@ -393,30 +436,35 @@
</Compile>
<Compile Include="ProductControls\DomainName_ServiceDetails.ascx.cs">
<DependentUpon>DomainName_ServiceDetails.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="ProductControls\DomainName_ServiceDetails.ascx.designer.cs">
<DependentUpon>DomainName_ServiceDetails.ascx</DependentUpon>
</Compile>
<Compile Include="ProductControls\HostingAddon_ServiceDetails.ascx.cs">
<DependentUpon>HostingAddon_ServiceDetails.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="ProductControls\HostingAddon_ServiceDetails.ascx.designer.cs">
<DependentUpon>HostingAddon_ServiceDetails.ascx</DependentUpon>
</Compile>
<Compile Include="ProductControls\HostingPlan_Brief.ascx.cs">
<DependentUpon>HostingPlan_Brief.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="ProductControls\HostingPlan_Brief.ascx.designer.cs">
<DependentUpon>HostingPlan_Brief.ascx</DependentUpon>
</Compile>
<Compile Include="ProductControls\HostingPlan_Highlights.ascx.cs">
<DependentUpon>HostingPlan_Highlights.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="ProductControls\HostingPlan_Highlights.ascx.designer.cs">
<DependentUpon>HostingPlan_Highlights.ascx</DependentUpon>
</Compile>
<Compile Include="ProductControls\HostingPlan_ServiceDetails.ascx.cs">
<DependentUpon>HostingPlan_ServiceDetails.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="ProductControls\HostingPlan_ServiceDetails.ascx.designer.cs">
<DependentUpon>HostingPlan_ServiceDetails.ascx</DependentUpon>
@ -424,24 +472,28 @@
<Compile Include="Properties\AssemblyInfo.cs" />
<Compile Include="ProvisioningSettingsEdit.ascx.cs">
<DependentUpon>ProvisioningSettingsEdit.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="ProvisioningSettingsEdit.ascx.designer.cs">
<DependentUpon>ProvisioningSettingsEdit.ascx</DependentUpon>
</Compile>
<Compile Include="QuickSignup.ascx.cs">
<DependentUpon>QuickSignup.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="QuickSignup.ascx.designer.cs">
<DependentUpon>QuickSignup.ascx</DependentUpon>
</Compile>
<Compile Include="OrderComplete.ascx.cs">
<DependentUpon>OrderComplete.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="OrderComplete.ascx.designer.cs">
<DependentUpon>OrderComplete.ascx</DependentUpon>
</Compile>
<Compile Include="OrderCheckout.ascx.cs">
<DependentUpon>OrderCheckout.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="OrderCheckout.ascx.designer.cs">
<DependentUpon>OrderCheckout.ascx</DependentUpon>
@ -453,102 +505,119 @@
</Compile>
<Compile Include="SkinControls\CatalogBreadCrumb.ascx.cs">
<DependentUpon>CatalogBreadCrumb.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="SkinControls\CatalogBreadCrumb.ascx.designer.cs">
<DependentUpon>CatalogBreadCrumb.ascx</DependentUpon>
</Compile>
<Compile Include="StorefrontMenu.ascx.cs">
<DependentUpon>StorefrontMenu.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="StorefrontMenu.ascx.designer.cs">
<DependentUpon>StorefrontMenu.ascx</DependentUpon>
</Compile>
<Compile Include="StorefrontOrderProduct.ascx.cs">
<DependentUpon>StorefrontOrderProduct.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="StorefrontOrderProduct.ascx.designer.cs">
<DependentUpon>StorefrontOrderProduct.ascx</DependentUpon>
</Compile>
<Compile Include="StorefrontViewCategory.ascx.cs">
<DependentUpon>StorefrontViewCategory.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="StorefrontViewCategory.ascx.designer.cs">
<DependentUpon>StorefrontViewCategory.ascx</DependentUpon>
</Compile>
<Compile Include="StorefrontWelcome.ascx.cs">
<DependentUpon>StorefrontWelcome.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="StorefrontWelcome.ascx.designer.cs">
<DependentUpon>StorefrontWelcome.ascx</DependentUpon>
</Compile>
<Compile Include="StorefrontWelcomeEdit.ascx.cs">
<DependentUpon>StorefrontWelcomeEdit.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="StorefrontWelcomeEdit.ascx.designer.cs">
<DependentUpon>StorefrontWelcomeEdit.ascx</DependentUpon>
</Compile>
<Compile Include="SupportedPlugins\2Checkout_Settings.ascx.cs">
<DependentUpon>2Checkout_Settings.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="SupportedPlugins\2Checkout_Settings.ascx.designer.cs">
<DependentUpon>2Checkout_Settings.ascx</DependentUpon>
</Compile>
<Compile Include="SupportedPlugins\AuthorizeNet_Settings.ascx.cs">
<DependentUpon>AuthorizeNet_Settings.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="SupportedPlugins\AuthorizeNet_Settings.ascx.designer.cs">
<DependentUpon>AuthorizeNet_Settings.ascx</DependentUpon>
</Compile>
<Compile Include="SupportedPlugins\OfflinePayment_Settings.ascx.cs">
<DependentUpon>OfflinePayment_Settings.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="SupportedPlugins\OfflinePayment_Settings.ascx.designer.cs">
<DependentUpon>OfflinePayment_Settings.ascx</DependentUpon>
</Compile>
<Compile Include="SupportedPlugins\PayPalPro_Settings.ascx.cs">
<DependentUpon>PayPalPro_Settings.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="SupportedPlugins\PayPalPro_Settings.ascx.designer.cs">
<DependentUpon>PayPalPro_Settings.ascx</DependentUpon>
</Compile>
<Compile Include="SupportedPlugins\PayPalStandard_Settings.ascx.cs">
<DependentUpon>PayPalStandard_Settings.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="SupportedPlugins\PayPalStandard_Settings.ascx.designer.cs">
<DependentUpon>PayPalStandard_Settings.ascx</DependentUpon>
</Compile>
<Compile Include="Taxations.ascx.cs">
<DependentUpon>Taxations.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="Taxations.ascx.designer.cs">
<DependentUpon>Taxations.ascx</DependentUpon>
</Compile>
<Compile Include="TaxationsAddTax.ascx.cs">
<DependentUpon>TaxationsAddTax.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="TaxationsAddTax.ascx.designer.cs">
<DependentUpon>TaxationsAddTax.ascx</DependentUpon>
</Compile>
<Compile Include="TaxationsEditTax.ascx.cs">
<DependentUpon>TaxationsEditTax.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="TaxationsEditTax.ascx.designer.cs">
<DependentUpon>TaxationsEditTax.ascx</DependentUpon>
</Compile>
<Compile Include="TermsAndConditions.ascx.cs">
<DependentUpon>TermsAndConditions.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="TermsAndConditions.ascx.designer.cs">
<DependentUpon>TermsAndConditions.ascx</DependentUpon>
</Compile>
<Compile Include="TermsAndConditionsEdit.ascx.cs">
<DependentUpon>TermsAndConditionsEdit.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="TermsAndConditionsEdit.ascx.designer.cs">
<DependentUpon>TermsAndConditionsEdit.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\AddonProducts.ascx.cs">
<DependentUpon>AddonProducts.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\AddonProducts.ascx.designer.cs">
<DependentUpon>AddonProducts.ascx</DependentUpon>
@ -565,120 +634,140 @@
</Compile>
<Compile Include="UserControls\ChoosePaymentMethod.ascx.cs">
<DependentUpon>ChoosePaymentMethod.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\ChoosePaymentMethod.ascx.designer.cs">
<DependentUpon>ChoosePaymentMethod.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\CreateUserAccount.ascx.cs">
<DependentUpon>CreateUserAccount.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\CreateUserAccount.ascx.designer.cs">
<DependentUpon>CreateUserAccount.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\CustomerInvoiceTemplated.ascx.cs">
<DependentUpon>CustomerInvoiceTemplated.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\CustomerInvoiceTemplated.ascx.designer.cs">
<DependentUpon>CustomerInvoiceTemplated.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\DomainNameBillingCycles.ascx.cs">
<DependentUpon>DomainNameBillingCycles.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\DomainNameBillingCycles.ascx.designer.cs">
<DependentUpon>DomainNameBillingCycles.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\EmailNotificationEditor.ascx.cs">
<DependentUpon>EmailNotificationEditor.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\EmailNotificationEditor.ascx.designer.cs">
<DependentUpon>EmailNotificationEditor.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\HostingAddonOneTimeFee.ascx.cs">
<DependentUpon>HostingAddonOneTimeFee.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\HostingAddonOneTimeFee.ascx.designer.cs">
<DependentUpon>HostingAddonOneTimeFee.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\HostingPlanBillingCycles.ascx.cs">
<DependentUpon>HostingPlanBillingCycles.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\HostingPlanBillingCycles.ascx.designer.cs">
<DependentUpon>HostingPlanBillingCycles.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\HostingPlanQuotas.ascx.cs">
<DependentUpon>HostingPlanQuotas.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\HostingPlanQuotas.ascx.designer.cs">
<DependentUpon>HostingPlanQuotas.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\LoginUserAccount.ascx.cs">
<DependentUpon>LoginUserAccount.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\LoginUserAccount.ascx.designer.cs">
<DependentUpon>LoginUserAccount.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\ManualPaymentAdd.ascx.cs">
<DependentUpon>ManualPaymentAdd.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\ManualPaymentAdd.ascx.designer.cs">
<DependentUpon>ManualPaymentAdd.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\PlanDomainOption.ascx.cs">
<DependentUpon>PlanDomainOption.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\PlanDomainOption.ascx.designer.cs">
<DependentUpon>PlanDomainOption.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\PlanHostingAddons.ascx.cs">
<DependentUpon>PlanHostingAddons.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\PlanHostingAddons.ascx.designer.cs">
<DependentUpon>PlanHostingAddons.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\ProductHighlights.ascx.cs">
<DependentUpon>ProductHighlights.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\ProductHighlights.ascx.designer.cs">
<DependentUpon>ProductHighlights.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\QuickHostingAddon.ascx.cs">
<DependentUpon>QuickHostingAddon.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\QuickHostingAddon.ascx.designer.cs">
<DependentUpon>QuickHostingAddon.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\QuickHostingPlanCycles.ascx.cs">
<DependentUpon>QuickHostingPlanCycles.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\QuickHostingPlanCycles.ascx.designer.cs">
<DependentUpon>QuickHostingPlanCycles.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\QuickHostingPlans.ascx.cs">
<DependentUpon>QuickHostingPlans.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\QuickHostingPlans.ascx.designer.cs">
<DependentUpon>QuickHostingPlans.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\PathBreadCrumb.ascx.cs">
<DependentUpon>PathBreadCrumb.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\PathBreadCrumb.ascx.designer.cs">
<DependentUpon>PathBreadCrumb.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\ProductCategories.ascx.cs">
<DependentUpon>ProductCategories.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\ProductCategories.ascx.designer.cs">
<DependentUpon>ProductCategories.ascx</DependentUpon>
</Compile>
<Compile Include="UserControls\UserAccountDetails.ascx.cs">
<DependentUpon>UserAccountDetails.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="UserControls\UserAccountDetails.ascx.designer.cs">
<DependentUpon>UserAccountDetails.ascx</DependentUpon>
</Compile>
<Compile Include="ViewProductDetails.ascx.cs">
<DependentUpon>ViewProductDetails.ascx</DependentUpon>
<SubType>ASPXCodeBehind</SubType>
</Compile>
<Compile Include="ViewProductDetails.ascx.designer.cs">
<DependentUpon>ViewProductDetails.ascx</DependentUpon>


@ -130,6 +130,7 @@ namespace WebsitePanel.Portal
HttpContext.Current.Items[key] = s;
HttpCookie cookie = new HttpCookie(key, s);
cookie.HttpOnly = true;
HttpContext.Current.Response.Cookies.Remove(key);
HttpContext.Current.Response.Cookies.Add(cookie);
}
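Review bot: `cookie.HttpOnly = true` is added here, but unlike the two cookies changed elsewhere in this commit this one never sets `Secure`, so it is still sent over plain HTTP even after requireSSL is enabled; add `cookie.Secure = FormsAuthentication.RequireSSL;` beside it for consistency. I cannot see what `key` and `s` hold because the enclosing method starts before and ends after the hunk — if the value is anything beyond a UI preference, the missing Secure flag matters more than the HttpOnly one.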


@ -1,4 +1,4 @@
// Copyright (c) 2012, Outercurve Foundation.
// Copyright (c) 2011, Outercurve Foundation.
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification,
@ -37,6 +37,27 @@ namespace WebsitePanel.Portal
{
string ipAddress;
private bool IsLocalUrl(string url)
{
if (string.IsNullOrEmpty(url))
{
return false;
}
Uri absoluteUri;
if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri))
{
return String.Equals(this.Request.Url.Host, absoluteUri.Host, StringComparison.OrdinalIgnoreCase);
}
else
{
bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
&& !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
&& Uri.IsWellFormedUriString(url, UriKind.Relative);
return isLocal;
}
}
private string RedirectUrl
{
get
@ -46,6 +67,10 @@ namespace WebsitePanel.Portal
{
// return to the url passed to signin
redirectUrl = HttpUtility.UrlDecode(Request["returnurl"]);
if (!IsLocalUrl(redirectUrl))
{
redirectUrl = PortalUtils.LoginRedirectUrl;
}
}
else
{
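Review bot: `IsLocalUrl` compares only the host for absolute URLs (L828), so on an HTTPS deployment a `returnurl` of `http://<same host>/…` is accepted and the post-login redirect downgrades the session to plain HTTP — given the commit's own advice to enable requireSSL, compare scheme and port as well, or reject absolute URLs outright. The relative branch (L832–L834) leans on `Uri.IsWellFormedUriString`, and I have not verified how `Uri.TryCreate` and `IsWellFormedUriString` classify protocol-relative forms such as `//host/…`; the conventional allow-list avoids the question: `return url[0] == '/' ? (url.Length == 1 || (url[1] != '/' && url[1] != '\\')) : url.StartsWith("~/", StringComparison.Ordinal);`. The `RedirectUrl` property that consumes this starts and ends outside the hunk. The copyright line going from 2012 back to 2011 also looks like an accidental revert from an older copy of the file.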


@ -4,6 +4,7 @@
<add key="WebPortal.ThemeProvider" value="WebsitePanel.Portal.WebPortalThemeProvider, WebsitePanel.Portal.Modules"/>
<add key="WebPortal.PageTitleProvider" value="WebsitePanel.Portal.WebPortalPageTitleProvider, WebsitePanel.Portal.Modules"/>
<add key="ChartImageHandler" value="storage=file;timeout=20;" />
<add key="SessionValidationKey" value="DAD46D476F85E0198BCA134D7AA5CC1D7" />
</appSettings>
<system.web>
<!-- SiteMap settings -->
@ -19,7 +20,7 @@
</controls>
</pages>
<!-- Maximum size of uploaded file, in MB -->
<httpRuntime executionTimeout="1800" requestValidationMode="2.0" maxRequestLength="16384"/>
<httpRuntime executionTimeout="1800" requestValidationMode="2.0" maxRequestLength="16384" enableVersionHeader="false"/>
<!--
ASMX is mapped to a new handler so that proxy javascripts can also be served.
-->
@ -47,5 +48,8 @@
<handlers>
<add name="ChartImg" path="ChartImg.axd" verb="GET,HEAD,POST" type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" resourceType="Unspecified" preCondition="integratedMode" />
</handlers>
<modules>
<add name="SecureSession" type="WebsitePanel.WebPortal.SecureSessionModule" />
</modules>
</system.webServer>
</configuration>
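Review bot: `SessionValidationKey` ships with a fixed value in the checked-in web.config, so every installation built from this tree shares the same HMAC key; anyone who reads it from the public repository can recompute a valid MAC for a stolen session ID under their own IP and User-Agent, which removes the protection `SecureSessionModule` is meant to add. Treat it like `machineKey`: have the installer generate a random per-site value, and leave the repository copy empty so the module's missing-key check in `Init` fails closed instead of silently running on a public default. The module is registered only under `<system.webServer><modules>`, so it is active only in IIS integrated pipeline mode; if classic mode is still supported, register it under `<system.web><httpModules>` too, otherwise the check disappears without any error. `enableVersionHeader="false"` removes only `X-AspNet-Version`; the `Server` and `X-Powered-By` headers a pentest also flags are set by IIS and need `<httpProtocol><customHeaders>` or IIS-level configuration.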


@ -157,6 +157,7 @@
<Compile Include="Code\ContentPane.cs" />
<Compile Include="Code\Controls\DesktopContextValidator.cs" />
<Compile Include="Code\PortalUtils.cs" />
<Compile Include="Code\SecureSessionModule.cs" />
<Compile Include="Code\WebPortalControlBase.cs">
<SubType>ASPXCodeBehind</SubType>
</Compile>