Eric
Aug 22, 2011

Trying to upgrade to CMS 6 R2 and getting: You are not authorized to access /PageFiles/!?

We made an upgrade of a project last week. Everything started on my computer, but my colleagues could not get their websites to work. And we got this strange message about not having access to /PageFiles/:

Server Error in '/' Application.
You are not authorized to access /PageFiles/
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
 
Exception Details: System.UnauthorizedAccessException: You are not authorized to access /PageFiles/
 
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
 
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
 
Source Error:
 
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
 
Stack Trace:
 
[UnauthorizedAccessException: You are not authorized to access /PageFiles/]
   EPiServer.Web.Hosting.VirtualPathVersioningProvider.GetDirectory(String virtualPath) +547
   EPiServer.Web.Hosting.VirtualPathHandler.InitializeProviders(ProviderSettingsCollection providers, Boolean captureCustomExceptions) +1798
   EPiServer.Web.InitializationModule.InitializeVirtualPathProviders(VirtualPathElement vpElement) +171
   EPiServer.Web.InitializeEngine.Initialize() +516
   EPiServer.Web.InitializationModule.Initialize(EPiServerSection config, Settings settings, ConnectionStringSettingsCollection connectionStringSettings) +2150
   EPiServer.Web.InitializeEngine.Initialize() +516
   EPiServer.Web.InitializationModule.StaticInitialization() +1494
   EPiServer.Web.InitializationModule.Initialize(InitializationEngine context) +46
   EPiServer.Framework.Initialization.InitializationEngine.InitializeModules() +647
   EPiServer.Framework.Initialization.InitializationEngine.Initialize(HostType hostType) +115
   EPiServer.Framework.Initialization.InitializationModule.Initialize(HostType hostType) +199
   EPiServer.Framework.Initialization.InitializationModule.FrameworkInitialization(HostType hostType) +64
   EPiServer.Framework.Initialization.InitializationModule.Application_BeginRequest(Object sender, EventArgs e) +46
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270
 
 
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.225 

The solution is very simple. Just remember that an EPiServer installation contains files that you might not have included in your project file. Make sure these files are also updated in your source control environment. In this case we forgot to add the new EPiServerFramework.config. In CMS 6 R2, EPiServer adds a new section to this file:

<virtualRoles replacePrincipal="true">
  <providers>
    <add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer" />
    <add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer" />
    <add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer" />
    <add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer" />
    <add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
    <add roles="WebAdmins, Administrators" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
    <add roles="WebEditors" mode="Any" name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer" />
  </providers>
</virtualRoles>

Make sure this section is there; otherwise your solution will not start and /PageFiles/ will give an access denied error.
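A check for the situation described above, written as an added example (not part of the original post or of EPiServer): it parses an EPiServerFramework.config and reports which of the virtual roles listed in the post are not registered. The function name, the sample documents and the `<episerver.framework>` root element in them are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Provider names copied from the <virtualRoles> section shown in the post.
EXPECTED_ROLES = {"Administrators", "Everyone", "Authenticated", "Anonymous",
                  "Creator", "CmsAdmins", "CmsEditors"}

def check_virtual_roles(config_xml):
    """Return a list of problems; an empty list means every role is registered."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # Search the whole tree so the check does not depend on the root element name.
    section = next(root.iter("virtualRoles"), None)
    if section is None:
        return ["<virtualRoles> section is missing"]
    adds = section.findall("./providers/add")
    names = {a.get("name") for a in adds}
    problems = [f"virtual role not registered: {n}"
                for n in sorted(EXPECTED_ROLES - names)]
    for a in adds:
        # MappedRole entries (CmsAdmins, CmsEditors) need a roles="..." list to map from.
        is_mapped = a.get("type", "").startswith("EPiServer.Security.MappedRole")
        if is_mapped and not a.get("roles"):
            problems.append(f"mapped role {a.get('name')} has no roles attribute")
    return problems

# Constructed samples; the <episerver.framework> root element is an assumption.
PRE_UPGRADE = "<episerver.framework></episerver.framework>"
PARTIAL = """<episerver.framework>
  <virtualRoles replacePrincipal="true">
    <providers>
      <add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer" />
      <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
    </providers>
  </virtualRoles>
</episerver.framework>"""

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_roles.py path/to/EPiServerFramework.config
    with open(sys.argv[1], encoding="utf-8-sig") as fh:
        issues = check_virtual_roles(fh.read())
    print("\n".join(issues) or "virtualRoles section is complete")
    sys.exit(1 if issues else 0)
```

Run against the file in source control before deploying, a non-zero exit code flags a config that predates the CMS 6 R2 section.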


Comments

Nov 22, 2011 11:57 AM

Thank you very much. This helped me today when upgrading.
Regards Hans

Dec 16, 2011 03:54 PM

Thanks for that, Eric!
