
Umbraco 9.5.1: Backend UI not displayed after login when deployed in a VM behind Azure application gateway V1. #12580

Closed
nikhilramabhadra opened this issue Jun 14, 2022 · 4 comments


nikhilramabhadra commented Jun 14, 2022

Which exact Umbraco version are you using? For example: 9.0.1 - don't just write v9

9.5.1

Bug summary

We migrated our site from Umbraco on .NET 4.7.2 to Umbraco 9.5.1 on .NET 5. I deployed it in production, which is behind an Azure Application Gateway V1. The site is HTTPS and configured with a certificate.

When we try to log in we see (ModSecurity Action) errors, as seen in the attached picture. Even in the case of .NET 4.7.2 we would see errors with Angular, but it would log in.

It logs in but none of the backend UI is displayed. Test environment has no gateway and works fine.

Please help.

[Umbraco Forum Query](https://our.umbraco.com/forum/using-umbraco-and-getting-started/109269-umbraco-951-errors-logging-into-backend-when-deployed-in-a-vm-behind-azure-application-gateway-v1)

[Attached screenshots: Umbraco951UI, Umbraco951BackEndLoginError]

Specifics

Error occurs in Chrome 102.0.5005.63, Edge 102.0.1245.39

Steps to reproduce

Deploy Umbraco 9.5.1 behind Microsoft Application Gateway v1.
Log in to the back end and check the UI.

Expected result / actual result

The backend UI with tree should be displayed.

nikhilramabhadra (Author) commented

Answer from Microsoft

Which WAF rule causes this needs investigation.

nikhilramabhadra (Author) commented Jun 20, 2022

This appears to be an Umbraco issue, as there are mandatory rules that cannot be disabled in the Application Gateway V1 + WAF. WAF ModSecurity is detecting SQL injections!!

/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c Execution error - PCRE limits exceeded (-8): (null).
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c SQL Comment Sequence Detected.
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c SQL Hex Encoding Identified
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c Execution error - PCRE limits exceeded (-8): (null).
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c SQL Comment Sequence Detected.
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c SQL Hex Encoding Identified
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/umbraco/LocalizedText Execution error - PCRE limits exceeded (-8): (null).
/umbraco/LocalizedText SQL Comment Sequence Detected.
/umbraco/LocalizedText SQL Hex Encoding Identified
/umbraco/LocalizedText Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/umbraco/LocalizedText Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/umbraco/assets/fonts/lato/LatoLatin-Italic.woff2 Execution error - PCRE limits exceeded (-8): (null).
/umbraco/assets/fonts/lato/LatoLatin-Italic.woff2 SQL Comment Sequence Detected.
/umbraco/assets/fonts/lato/LatoLatin-Italic.woff2 SQL Hex Encoding Identified
/umbraco/assets/fonts/lato/LatoLatin-Italic.woff2 Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/umbraco/assets/fonts/lato/LatoLatin-Italic.woff2 Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds Execution error - PCRE limits exceeded (-8): (null).
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds SQL Comment Sequence Detected.
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds SQL Hex Encoding Identified
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/umbraco/backoffice/umbracoapi/authentication/GetRemainingTimeoutSeconds Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/umbraco/lib/wicg-inert/dist/inert.min.js.map;; Execution error - PCRE limits exceeded (-8): (null).
/umbraco/lib/wicg-inert/dist/inert.min.js.map;; SQL Comment Sequence Detected.
/umbraco/lib/wicg-inert/dist/inert.min.js.map;; SQL Hex Encoding Identified
/umbraco/lib/wicg-inert/dist/inert.min.js.map;; Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/umbraco/lib/wicg-inert/dist/inert.min.js.map;; Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/sb/nmap/umbraco-backoffice-extensions-js.js.va1a6e1d56e877b2aae61448cf4cc4042df75b24b Execution error - PCRE limits exceeded (-8): (null).
/sb/nmap/umbraco-backoffice-extensions-js.js.va1a6e1d56e877b2aae61448cf4cc4042df75b24b SQL Comment Sequence Detected.
/App_Plugins/Plumber/Backoffice/js/plumber.js.map Execution error - PCRE limits exceeded (-8): (null).
/App_Plugins/uSync/usync.9.4.0.min.js.map Execution error - PCRE limits exceeded (-8): (null).
/App_Plugins/uSyncExpansions/usyncexpansions.9.4.0.min.js.map Execution error - PCRE limits exceeded (-8): (null).
/sb/nmap/umbraco-backoffice-extensions-js.js.va1a6e1d56e877b2aae61448cf4cc4042df75b24b SQL Hex Encoding Identified
/App_Plugins/Plumber/Backoffice/js/plumber.js.map SQL Comment Sequence Detected.
/App_Plugins/uSync/usync.9.4.0.min.js.map SQL Comment Sequence Detected.
/App_Plugins/uSyncExpansions/usyncexpansions.9.4.0.min.js.map SQL Comment Sequence Detected.
/sb/nmap/umbraco-backoffice-extensions-js.js.va1a6e1d56e877b2aae61448cf4cc4042df75b24b Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/App_Plugins/Plumber/Backoffice/js/plumber.js.map SQL Hex Encoding Identified
/App_Plugins/uSync/usync.9.4.0.min.js.map SQL Hex Encoding Identified
/App_Plugins/uSyncExpansions/usyncexpansions.9.4.0.min.js.map SQL Hex Encoding Identified
/sb/nmap/umbraco-backoffice-extensions-js.js.va1a6e1d56e877b2aae61448cf4cc4042df75b24b Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/App_Plugins/Plumber/Backoffice/js/plumber.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/App_Plugins/uSync/usync.9.4.0.min.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/App_Plugins/uSyncExpansions/usyncexpansions.9.4.0.min.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/App_Plugins/uSyncPeopleEdition/usyncpeopleedition.9.4.0.min.js.map Execution error - PCRE limits exceeded (-8): (null).
/App_Plugins/Plumber/Backoffice/js/plumber.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/App_Plugins/uSyncPeopleEdition/usyncpeopleedition.9.4.0.min.js.map SQL Comment Sequence Detected.
/App_Plugins/uSync/usync.9.4.0.min.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/App_Plugins/uSyncPeopleEdition/usyncpeopleedition.9.4.0.min.js.map SQL Hex Encoding Identified
/App_Plugins/uSyncExpansions/usyncexpansions.9.4.0.min.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/App_Plugins/uSyncPeopleEdition/usyncpeopleedition.9.4.0.min.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/App_Plugins/uSyncSnapshots/usyncsnapshots.9.4.0.min.js.map Execution error - PCRE limits exceeded (-8): (null).
/api/keepalive/ping Missing User Agent Header
/App_Plugins/uSyncPeopleEdition/usyncpeopleedition.9.4.0.min.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/App_Plugins/uSyncSnapshots/usyncsnapshots.9.4.0.min.js.map SQL Comment Sequence Detected.
/App_Plugins/uSyncSnapshots/usyncsnapshots.9.4.0.min.js.map SQL Hex Encoding Identified
/App_Plugins/uSyncSnapshots/usyncsnapshots.9.4.0.min.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Score: 10)
/App_Plugins/uSyncSnapshots/usyncsnapshots.9.4.0.min.js.map Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/umbraco/api/keepalive/ping Missing User Agent Header
/api/keepalive/ping Missing User Agent Header
/umbraco/api/keepalive/ping Missing User Agent Header
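The WAF output above is a flat list of "path message" lines, which makes it hard to see which requests were actually blocked (only the lines carrying "Inbound Anomaly Score Exceeded" mean a block; the per-rule lines just add to the score) and which of those blocks look like false positives on static files. The triage script below is an added example, not code from the issue author or the Umbraco project. It parses lines of exactly that shape, groups them per request path, extracts the anomaly score and its SQLI/XSS/... breakdown, and flags blocked paths that end in a font, source-map or script suffix as likely false positives. The static-asset suffix list and the sample log (a constructed subset modelled on the lines above) are assumptions of the example.

```python
"""Triage of Azure Application Gateway v1 (ModSecurity / OWASP CRS) WAF lines
of the form "<path> <rule message>", as pasted in the issue above.

Added example: groups messages per request path, reports which paths hit the
mandatory inbound anomaly threshold, and flags blocked static assets (fonts,
source maps, minified JS) as likely false positives worth an exclusion review.
"""

import re

# Constructed sample modelled on the issue's log lines (not the full log).
SAMPLE_LOG = """\
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c SQL Comment Sequence Detected.
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c SQL Hex Encoding Identified
/umbraco/ServerVariables?umb__rnd=451b4c1370e27e397d1a520fa7bb2b1a49d6769c Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/umbraco/assets/fonts/lato/LatoLatin-Italic.woff2 SQL Comment Sequence Detected.
/umbraco/assets/fonts/lato/LatoLatin-Italic.woff2 SQL Hex Encoding Identified
/umbraco/assets/fonts/lato/LatoLatin-Italic.woff2 Mandatory rule. Cannot be disabled. Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=10,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Hex Encoding Identified
/App_Plugins/uSync/usync.9.4.0.min.js.map Execution error - PCRE limits exceeded (-8): (null).
/App_Plugins/uSync/usync.9.4.0.min.js.map SQL Comment Sequence Detected.
/api/keepalive/ping Missing User Agent Header
"""

# Matches both variants seen in the log: "(Total Score: 10)" and
# "(Total Inbound Score: 10 - SQLI=10,XSS=0,...)".
ANOMALY_RE = re.compile(
    r"Inbound Anomaly Score Exceeded \(Total (?:Inbound )?Score: (\d+)"
    r"(?: - ([A-Z]+=\d+(?:,[A-Z]+=\d+)*))?\)"
)

# Assumed heuristic: requests for these suffixes carry no user input and are
# prime candidates for a WAF false positive when they get blocked.
STATIC_SUFFIXES = (".woff2", ".woff", ".ttf", ".js", ".map", ".css",
                   ".png", ".svg", ".ico")


def parse_line(line):
    """Split a WAF line into (request path, rule message) at the first space."""
    path, _, message = line.strip().partition(" ")
    return path, message.strip()


def parse_anomaly(message):
    """Return {'total': n, 'SQLI': n, ...} for an anomaly-score message, else None."""
    m = ANOMALY_RE.search(message)
    if not m:
        return None
    result = {"total": int(m.group(1))}
    if m.group(2):
        for pair in m.group(2).split(","):
            name, value = pair.split("=")
            result[name] = int(value)
    return result


def is_static_asset(path):
    """True if the path (query and stray ';' stripped) ends in a static suffix."""
    bare = path.split("?", 1)[0].rstrip(";")
    return bare.lower().endswith(STATIC_SUFFIXES)


def triage(log_text):
    """Group lines per path: triggered rules, anomaly breakdown, static flag."""
    report = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        path, message = parse_line(raw)
        entry = report.setdefault(
            path, {"rules": [], "anomaly": None, "static_asset": is_static_asset(path)})
        anomaly = parse_anomaly(message)
        if anomaly is not None:
            # Keep the richest breakdown seen for this path.
            if entry["anomaly"] is None or len(anomaly) > len(entry["anomaly"]):
                entry["anomaly"] = anomaly
        elif message not in entry["rules"]:
            entry["rules"].append(message)
    return report


def blocked_paths(report):
    """Paths whose request tripped the mandatory anomaly-score rule."""
    return sorted(p for p, e in report.items() if e["anomaly"] is not None)


def likely_false_positives(report):
    """Blocked paths that are static assets, i.e. candidates for an exclusion review."""
    return sorted(p for p in blocked_paths(report) if report[p]["static_asset"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for p in blocked_paths(rep):
        fp = " (likely false positive)" if rep[p]["static_asset"] else ""
        print(f"BLOCKED {p}{fp}: {rep[p]['anomaly']} via {rep[p]['rules']}")
```

Running it on the sample shows the pattern the issue describes: every blocked path reaches the threshold purely through SQLI=10 (two SQL-injection rules at 5 points each), with all other categories at 0, and a font file is among the blocked paths. Feeding the full log from the comment in gives the complete list of paths a WAF exclusion or rule-group review would need to cover.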

nul800sebastiaan (Member) commented

Hey there @nikhilramabhadra and sorry for the late response! This sounds like an excellent question for the forums, where our friendly community can help you find the best solution for your requirements.

Make sure to head on over to https://our.umbraco.com and ask follow-up questions there.
