Eric Shupps is the founder and President of BinaryWave, a leading provider of enterprise software solutions for SharePoint. Eric has worked with SharePoint Products and Technologies since 2001 as a consultant, administrator, architect, developer and trainer. He is a director of the Dallas/Ft. Worth SharePoint Community group and participating member of user groups throughout the United Kingdom.
ZDNet has posted an article describing a critical vulnerability in SharePoint Server 2010, 2013, 2016 & 2019 that is currently being exploited by hackers to gain access to farms exposed to the internet. This vulnerability allows attackers to run code in the context of the application pool or farm administrator account.
The Microsoft Security Bulletin associated with this issue is CVE-2019-0604. I would suggest immediate patching if you are not already at the requisite patch level (links to each KB article and CU are at the bottom of the security bulletin page). I have seen the results of this attack in compromised systems and can verify that it is extremely dangerous, including deployment of the China Chopper web shell that can execute remote commands via the web browser.
Systems affected include:
SharePoint Server 2010
SharePoint Server 2013
SharePoint Server 2016
SharePoint Server 2019
If you are looking for footprints to see if your systems have already been affected, scan your IIS virtual and SharePoint application directories for out of place files (usually with an .aspx extension). The exploits are carefully crafted to look like valid files and often have the modified dates changed so they don’t appear to be recent updates. For example, in the /_layouts directory, you may find what should normally be a .js file with a .aspx extension (sp.init.aspx instead of sp.init.js) or an .aspx/.html file in the /_vti_pvt virtual directory of a web application (there shouldn’t be anything other than .cnf files in that folder). The code is also extensively obfuscated, so the files are pretty obvious once you know what you’re looking for. When in doubt, run a file diff against a test or development server that has no external exposure, then analyze all the deltas. So far we haven’t seen any core files that have been modified, only new files added where they shouldn’t be. YMMV.
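The three checks above (an .aspx shadowing a .js in LAYOUTS, anything but .cnf files in _vti_pvt, and a diff against a clean server) can be scripted. The following PowerShell is an added example written for this post, not something from the original article or from Microsoft; it assumes the default 16 hive path (2016/2019; substitute 15 for 2013 or 14 for 2010), the default IIS virtual directory root under C:\inetpub\wwwroot\wss\VirtualDirectories, and a placeholder UNC path for the non-exposed reference server. Because modified dates are often backdated, it also flags files whose last-write time is earlier than their creation time.

```powershell
# Added example (not from the original post). Hunts for the out-of-place files
# described above on a SharePoint server. Assumed defaults: the 16 hive
# (2016/2019; 15 for 2013, 14 for 2010) and the standard IIS virtual directory
# root. $ReferenceLayouts is the LAYOUTS folder of a clean, non-exposed
# dev/test server (UNC path or mapped drive) used for the diff step.
function Find-SuspiciousSharePointFiles {
    param(
        [string]$Hive = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16',
        [string]$VirtualDirectoryRoot = 'C:\inetpub\wwwroot\wss\VirtualDirectories',
        [string]$ReferenceLayouts = $null
    )

    $findings = @()
    $layouts  = Join-Path $Hive 'TEMPLATE\LAYOUTS'

    # Record a hit with both timestamps. Attackers often backdate the modified
    # date, so a LastWriteTime earlier than CreationTime is itself suspicious.
    function New-Finding([string]$Reason, [System.IO.FileInfo]$File) {
        [pscustomobject]@{
            Reason      = $Reason
            Path        = $File.FullName
            Created     = $File.CreationTime
            LastWrite   = $File.LastWriteTime
            TimeStomped = ($File.LastWriteTime -lt $File.CreationTime)
        }
    }

    # 1. .aspx files in LAYOUTS that sit beside a .js with the same base name
    #    (sp.init.aspx next to sp.init.js). Legitimate script files are .js.
    foreach ($f in Get-ChildItem -Path $layouts -Recurse -File -Filter '*.aspx' -ErrorAction SilentlyContinue) {
        $jsTwin = Join-Path $f.DirectoryName ($f.BaseName + '.js')
        if (Test-Path -LiteralPath $jsTwin) {
            $findings += New-Finding 'aspx shadowing a .js file' $f
        }
    }

    # 2. Anything other than .cnf files inside a web application's _vti_pvt folder.
    foreach ($dir in Get-ChildItem -Path $VirtualDirectoryRoot -Recurse -Directory -Filter '_vti_pvt' -ErrorAction SilentlyContinue) {
        foreach ($f in Get-ChildItem -Path $dir.FullName -File) {
            if ($f.Extension -ne '.cnf') {
                $findings += New-Finding 'non-.cnf file in _vti_pvt' $f
            }
        }
    }

    # 3. Files present in this server's LAYOUTS but absent from the clean reference.
    if ($ReferenceLayouts -and (Test-Path -LiteralPath $ReferenceLayouts)) {
        $local = @(Get-ChildItem -Path $layouts -Recurse -File |
                   ForEach-Object { $_.FullName.Substring($layouts.Length).TrimStart('\') })
        $ref   = @(Get-ChildItem -Path $ReferenceLayouts -Recurse -File |
                   ForEach-Object { $_.FullName.Substring($ReferenceLayouts.Length).TrimStart('\') })
        foreach ($d in Compare-Object -ReferenceObject $ref -DifferenceObject $local) {
            if ($d.SideIndicator -eq '=>') {
                $extra = Get-Item -LiteralPath (Join-Path $layouts $d.InputObject)
                $findings += New-Finding 'not present on reference server' $extra
            }
        }
    }

    return $findings
}

# Placeholder for your own non-exposed dev/test server; the diff step is skipped if unreachable.
$refLayouts = '\\DEVSP01\c$\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'

Find-SuspiciousSharePointFiles -ReferenceLayouts $refLayouts |
    Sort-Object Reason, Path | Format-Table -AutoSize
```

Treat every row as something to open and read rather than delete on sight: the obfuscated content the post describes is the confirmation, and the TimeStomped column only narrows where to look first.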
Don’t risk the integrity of your farms – go get those servers patched ASAP!
He also notes the ongoing issue with the SPFx Yeoman Generator command line that I blogged about previously. As this issue had not been resolved prior to release, we simply put some instructions into the configuration dialog so developers would know what steps to take after project generation is complete. Feel free to comment here or in the GitHub repo if you need additional clarification or assistance.
Paul and I will be delivering a session on Enterprise SPFx development at the upcoming SharePoint Conference in Las Vegas, May 21 – 23, 2019. Be sure to join us as we demonstrate the use of the extension in a complete, end-to-end ALM scenario with Azure DevOps and SharePoint Online (there may still be a few tickets available, use discount code SHUPPS or SCHAEFLEIN to save a few bucks on admission).
When we built the Visual Studio Extension for SharePoint Framework, we made a conscious decision not to try and replicate the behavior of the underlying Yeoman generator but rather to execute it silently in the background, then take the results and put them into a properly structured VS solution. This has worked rather well (more than 11,000 downloads in the VS Marketplace to date), mostly because we can quickly refactor and accommodate changes the product team makes to the generator, as we are just placing a wrapper around the same commands developers can issue manually should they choose to do so.
In the v188.8.131.52 release, the product team normalized the parameter naming convention and introduced two new switches: --skip-feature-deployment and --is-domain-isolated. You probably know these better by the option labels of “Do you want to allow the tenant admin the choice of being able to deploy the solution to all sites immediately without running any feature deployment or adding apps in sites?” and “Will the components in the solution require permissions to access web APIs that are unique and not shared with other components in the tenant?”.
I opened a bug for that release when I discovered that the command-line switches only produce the desired result if the user wants the boolean value of true to be inserted into the package-solution.json file. Omitting the flags causes the user to be prompted by the generator, which violates the silent execution objective of the command line switches. Any values passed as a parameter to either switch will be inserted into package-solution.json as a string value.
However, omitting either switch causes the generator to prompt for input, which it should not do. Instead, it should insert a false value into package-solution.json. If, as the documentation suggests, a string value of “false” is added as a parameter, this is not parsed to produce a boolean result but rather inserted as a string. Take the following example:
The same is true of any string value, such as “false”, “n”, n, no, $false, or anything else – the value is simply converted to a string and the project fails to build because the gulp task is looking for a boolean value instead of a string. Not only is this the incorrect behavior and contrary to the official documentation but it also caused the VS Extension to produce incorrect results. This issue appeared to have been fixed in v184.108.40.206 so it was closed and we released an updated version of the extension in January of 2019 (even though the documentation was never updated to reflect their proper utilization as switches). Unfortunately, the problem seems to have reappeared in the v220.127.116.11 release of the generator. At present, it is not possible to scaffold a correctly-structured project that requires a false value to be set for either parameter without manually editing the package-solution.json file. As a workaround, run the commands with both switches included then edit the file and change them to false (or set the values to “false” and then simply remove the double-quotes around each value in the generated markup).
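The workaround just described (scaffold with both switches present, then edit package-solution.json so the values are real booleans) can be automated. The PowerShell below is an added example for this post, not code from the original article or from the Visual Studio Extension itself; it assumes the two switches map to the solution.skipFeatureDeployment and solution.isDomainIsolated properties in config\package-solution.json, and it includes a check that reports the broken state (a quoted string where a boolean belongs) so you can tell whether a freshly scaffolded project will build.

```powershell
# Added example, not from the original post or the extension's own code.
# After scaffolding with both switches present (the only case the post says the
# generator handles), rewrite the two values in package-solution.json as real
# booleans. Assumption: the switches map to solution.skipFeatureDeployment and
# solution.isDomainIsolated in config\package-solution.json.
function Repair-PackageSolutionFlags {
    param(
        [Parameter(Mandatory = $true)][string]$ProjectPath,
        [bool]$SkipFeatureDeployment = $false,
        [bool]$IsDomainIsolated = $false
    )
    $file = Join-Path $ProjectPath 'config\package-solution.json'
    $json = Get-Content -LiteralPath $file -Raw | ConvertFrom-Json

    # Overwrite (or add) each flag as a [bool]. A quoted "false" here is exactly
    # the string value that makes the gulp tasks fail at build time.
    $json.solution | Add-Member -NotePropertyName 'skipFeatureDeployment' -NotePropertyValue $SkipFeatureDeployment -Force
    $json.solution | Add-Member -NotePropertyName 'isDomainIsolated'      -NotePropertyValue $IsDomainIsolated      -Force

    # -Depth keeps nested objects (paths, features) from being flattened to strings.
    $json | ConvertTo-Json -Depth 20 | Set-Content -LiteralPath $file -Encoding UTF8
}

# Reports flags that are still strings rather than booleans, i.e. the broken
# state the post describes. No output means the two values are proper booleans.
function Test-PackageSolutionFlags {
    param([Parameter(Mandatory = $true)][string]$ProjectPath)
    $file = Join-Path $ProjectPath 'config\package-solution.json'
    $json = Get-Content -LiteralPath $file -Raw | ConvertFrom-Json
    foreach ($name in 'skipFeatureDeployment', 'isDomainIsolated') {
        $value = $json.solution.$name
        if ($value -is [string]) {
            [pscustomobject]@{ Property = $name; Value = $value; Problem = 'string instead of boolean' }
        }
    }
}

# Usage: scaffold with both switches (plus your usual component switches), e.g.
#   yo @microsoft/sharepoint --skip-feature-deployment --is-domain-isolated
# then normalise the flags to the values you actually want and verify.
Repair-PackageSolutionFlags -ProjectPath '.\my-spfx-solution' -SkipFeatureDeployment $false -IsDomainIsolated $false
Test-PackageSolutionFlags   -ProjectPath '.\my-spfx-solution'
```

Running Test-PackageSolutionFlags on its own against a project scaffolded with the quoted “false” values shows the failure mode directly: both properties come back typed as strings, which is why gulp rejects them.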
The issue has been raised again and we will document this in the interim v18.104.22.168 release of the extension. Hopefully, the product team will release a permanent fix so scaffolded projects can be built immediately after creation without manual intervention.
When: May 21st – 23rd, 2019
Where: Las Vegas, Nevada
SharePoint Conference is back!
SharePoint Conference North America returns to Las Vegas in 2019 – bigger and better than ever. With more than 150 speakers, over 200 sessions and 20 in-depth workshops, there will be content galore for power users, IT pros, developers, and everyone else who uses, administers, implements or customizes SharePoint and Office 365. Expect plenty of new announcements, updates on the latest features, demonstrations of soon-to-be-released capabilities, and – as always – great parties and networking events. You really do NOT want to miss out on this event (if you need some help convincing your boss, they’ve even put together a professional letter you can download listing all the reasons you MUST go to Vegas next May!).
My fellow collaborator on the Visual Studio Extensions for SPFx project, Paul Schaeflein, and I will be presenting a joint session on using SharePoint Framework in the Enterprise, filled with techniques derived from working in the trenches with real-world customer scenarios. We’ll show you how to maximize your investments in existing tools and services while still taking advantage of all the cool new features in each release of the Framework, as well as tips and tricks for getting your development team up to speed and immediately productive.
C’mon, it’s Vegas, baby! You gotta be there!!! Need a little more incentive to jump over to the site right now and register? Ok, how about a discount to make it even more affordable? Use the code SHUPPS when registering to save $50. As we say in Texas, you can’t beat that with a stick!