Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • LeaUK 34 posts 55 karma points
    May 25, 2011 @ 18:30
    LeaUK
    0

    Designit gallery - Umbraco 4.7, not working

    Designit http://our.umbraco.org/projects/website-utilities/designit-gallery-package isn't working in 4.7 using IIS6. It fails to use Java script and so the images just appear on a separate page.

     I think I've tracked it down to the script path for the Javascript using a full stop.  I suspect this is being blocked by URL scan.

     

    If in the root web folder it's changed from: scripts/Designit,Gallery/jquery.lightbox-0.5.min.js  to scripts/Designit_Gallery/jquery.lightbox-0.5.min.js then the js can be accessed by typing it's path into a browser, but the former (using a .) we receive a URL scan blocked messgage:

    No umbraco document matches the url 'http://www.mydomain.com/Rejected-By-UrlScan?~/scripts/Designit.Gallery/jquery.lightbox-0.5.min.js'

    I've tried replacing every occurance of Designit.Gallery in all package files and importing that but that fails in the controls section for unkown reasons.

    Any thoughts?

    Lea

     

     

  • LeaUK 34 posts 55 karma points
    May 26, 2011 @ 08:25
    LeaUK
    0

    Ah, ha...

     

    From the URLScan site:http://support.microsoft.com/kb/326444

     

    • By default, this option is set to 0. If this option is set to 0, URLScan rejects any requests that contain non-ASCII characters. This can prevent certain types of attacks, but it may also block out requests for certain legitimate files, such as files with non-English names.
    • AllowDotInPath=0

      By default, this option is set to 0. If this option is set to 0, URLScan rejects any request that contains multiple periods (.). This prevents attempts to disguise requests for dangerous file name extensions by putting a safe file name extension in the path information or query string portion of the URL. For example, if this option is set to 1, URLScan might permit a request for http://servername/BadFile.exe/SafeFile.htm because it thinks that it is a request for an HTML page, when it is actually a request for an executable (.exe) file with the name of an HTML page in the PATH_INFO area. When this option is set 0, URLScan may also deny requests for directories that contain periods.

  • LeaUK 34 posts 55 karma points
    May 26, 2011 @ 08:38
    LeaUK
    0

    OK, so I've changed urlscan.ini to AllowDotInPath=1 and bingo!  All working :)  See http://umbgallery.codeplex.com/discussions/259047

     

    However, this maybe considered a security risk so I need convert the package to use underscores for folder names rather than periods (.) throughout.  Can anyone help with this?  I've tried doing a texual substitution for all files within the package from designit.gallery to designit_gallery and import the package again.  It looks OK but it reveals problems with the ascx as it can't find the controls?  Can't understand why.

    Any help appreciated.

    Cheers
    Lea 

Please Sign in or register to post replies

Write your reply to:

Draft