Any attempt to access content using the damaged document type in the Umbraco back-office led to a server error 500: "Found multiple controls with the same ID 'prop'. FindControl requires that controls have unique IDs." The only fix was to manually restore the individual field values of the affected records from a backup copy of the database.
So what could have caused this disaster?
We first blamed Umbraco: perhaps there was a bug that caused the document type save operation to fail. But no, there was nothing in the Umbraco log or the system event log.
Then I remembered that our IT department had recently installed a Cisco ASA 5515 firewall with an Intrusion Prevention System (IPS) "in front" of the web server. Hmmm ... could a system meant to prevent problems actually cause harm? The answer seems to be "Yes".
As far as I can tell, if you submit data that contain the word "Select" followed somewhere later in the request data by the word "from", the Cisco IPS assumes you are attempting a SQL injection attack (yes, really!). Of course, there are many legitimate reasons to write these words (for example, "Please Select a logo from this list").
In any case, the IPS appears to partially block or truncate the client request, so the server receives unexpected data. Umbraco seems to do no server-side validation to verify that the client has supplied a name and alias for each document type property, so empty strings are stored in the database, hence the problem.
Work-around?
- Install an SSL certificate on the server and do your editing over HTTPS (which the IPS cannot decipher). This is probably a good idea anyway.
- If possible, edit document types over a remote desktop connection directly to the server (using the remote desktop session's browser and http://localhost/umbraco/, to bypass the IPS).
- Use a tool like uSiteBuilder to synchronize your document type and template changes with a Visual Studio project, instead of using the Umbraco back-office.
With 20 years of experience in IT, I have a carefully honed belief that well-intentioned security software and systems can often cause more problems than they are meant to prevent.
The reason for writing posts on this blog is the hope that one day someone will suffer the same problem and stumble across this solution via Google. So, I hope it helped you.