Sitefinity CMS and Jodo hopeless support and the MS URL Scanner

Dennis

Guppy
I have an issue which has not been resolved for over 3 months and I am fed up. I wonder if anyone else has had issues with this, which seems to be caused by the server software URL Scanner.

The latest problem was first logged September 4th after a server upgrade which caused a random 404 error on a Sitefinity powered web site. The reply to the 404 error was "It is not possible to say anything without replicating the issue at our end". How can I reproduce a random error?

My client continued to have problems but I could not reproduce the error to the extent required by the support staff. I posted a new ticket on 11 October regarding a 503 error and, while the 503 error was fixed promptly, the 404 still continued and I mentioned it again. The 404 error was ignored until I responded and got the canned answer "If you provide me login details to get login and steps to replicate the error at our end." It was a random error! But I still provided login details and they claimed they had looked at it for 25 min without a problem.

For nearly two months this has continued and the client was not able to update the site. Finally on November 21st I realised that the problem happened when the client was trying to edit a content area control on a CMS page and the return url was a query string.

Since then the support staff have admitted, after checking logs, that the errors are due to the installation of some software, URL Scanner, which "is one of the security product from Microsoft which helps securing the IIS web-server." It took over three months to trace the issue! They now claim that the site CMS is vulnerable to SQL injection. If it was, a hacker would need the login details first, so the argument is moot as a hacker could do a lot worse with the CMS admin login. Since then there has also been a 504 error which caused the site to fail.

Over a year ago I installed Sitefinity, which is a CMS that comes from a reputable company, and only now Jodohost has decided to disable functionality of this CMS without warning because of potential SQL injection. The version the sites are running is 3.7 SP4, which dates to 2010 but is still widely used. I have about 7 sites running on Sitefinity which are potentially useless and cannot be updated. There has been no practical help from the Jodohost support staff, just excuses, while my client complains and I do extra work. I cannot ask the clients to spend $2000 USD + migration costs to upgrade the CMS to the latest version, and Jodohost just does nothing to solve the problem!

Has anyone else had a similar issue or a solution, apart from finding another host or asking clients to spend a lot of money to fix it?

Thanks for any help or support.
 
I've addressed this in the other thread, and we don't just 'decide' to do anything, it is a process, and we've been running the same rules for a long time now. Furthermore we are working to address it; both Pratik and myself have been and are working on ways to make this work for you completely while still protecting the others and the app.
 
A friend of mine, who is also a web developer, has a client with an old version of Joomla running on their hosting provider (not Jodo, a provider here in Aus).

The situation is similar - the site gets constantly hacked because it's an outdated version of Joomla. The hosting provider then shuts down the site - with ZERO warning - as it's their policy to do so if a site is compromised by malware.

Keep in mind that hosting providers' servers can also get blacklisted if sites are compromised, so they have little choice in the matter. Running outdated versions of CMS software affects not just one site, but other sites and the hosting providers themselves.

My friend says, "but they don't want to pay for my time to upgrade to new versions every other month!"

My reply is simply "well they're a bad client then, and you should think about letting them go."

If a client is using CMS software, it's their responsibility to keep it up to date - either themselves, or paying you as a professional to do it for them. They need to understand it's just how things work, and there is no other option.

Just my 2c. :)
 
That's a good idea, but doesn't always work out. I tell all my clients that if they want me to look after their CMS it's likely to cost them 3-4 hours a year to keep it updated at a minimum. Some say 'fine' and pay their bills, but some either let it go or say they'll do it themselves, but never do. I can make their hosting dependent on keeping it updated, but that means I need to continually check their status for free, and blow away paying clients if they don't understand. As I'm sharing hosting with 2-300 other sites on any server in any case, it's a losing battle. We can't depend on web designers or clients keeping CMSs updated, and it will eventually become a problem. Shared hosting is a crap-shoot. If it's an important site, it's just not going to work long-term unless they're willing to pay for it.
 
True. Personally I don't even bother with offering a hosting-only solution. The trick is to value-add. I develop sites for clients with special requirements - stuff that needs specialised development work.

Then I charge them a monthly fee which does cover my time making sure their sites are ok. Fewer sites, but higher fees. Only way to go in my opinion. :)
 
I know this post is old now but I just haven't had time to reply. I wanted to finish it off by saying that to Jodo's credit they finally sorted this error about the time of these posts.

Many of my clients only need to spend 3-4 hrs a year on site updates. To upgrade the CMS would cost $2000 + installation, and they just don't have that budget. I also don't think I should just let them go, as the work suits me. I make my part-time income on a few hours for each client and don't have the time to do any more anyway.

If the client was using a CMS that had a serious security flaw then ok, they need to do something. But this was not the case and Jodo did not tell me that. The way the CMS wrote URLs looked similar to SQL injection (or something like that) and therefore was blocked. Sounds similar to having legit email from a mailing list caught in the spam filter. Just add it to the white list and it will be fine instead of refusing that email.

I didn't cause the problem, the CMS didn't cause the problem and my client didn't cause the error. But we had the most inconvenience and cost. MS URL Scanner caused the error when Jodo changed the server settings and installed it. It took way too long to add an exception to this site and resolve the problem. In the end the client was investigated by the commerce commission for false advertising as their advertised price list was incorrect. It just took too long to resolve and I thought the Jodo support was not good enough. I just wondered if anyone else had this same issue, but obviously not.
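For readers who want to see what the "add an exception" the poster describes actually looks like, here is an added configuration example (not a file from this thread, from Jodohost or from Sitefinity). It shows a UrlScan 3.1 UrlScan.ini with a query-string SQL-injection rule of the usual kind, which would reject a CMS return URL that happens to carry a SQL keyword, plus a narrowly scoped exemption for the one back-end path that generates such URLs, instead of relaxing the rule for every site on the shared server. The section and key names are UrlScan 3.1's; the keyword list is a typical one constructed here, and the admin path is a placeholder, not taken from the page.

```ini
; Added example of a UrlScan 3.1 configuration; not the hosting provider's actual file.
; Section and key names are UrlScan 3.1 directives; paths and the keyword list are constructed.

[options]
EnableLogging=1          ; keep the UrlScan log: it records which rule rejected a request,
LoggingDirectory=Logs    ; which is how a "random" 404 is traced to a specific filter
UnescapeQueryString=1    ; decode %xx before scanning so encoded keywords are still matched

[RuleList]
SQL Injection

[SQL Injection]
AppliesTo=.asp,.aspx     ; only dynamic pages are inspected
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1        ; the query string is where a CMS return URL ends up
ScanHeaders=
DenyUnescapedPercent=0

[SQL Injection Strings]
; constructed keyword list; a return URL such as ?ReturnUrl=/Admin/Pages.aspx?cmd=update
; contains "update" and is rejected by this rule even though it is a legitimate CMS request
--
@
%3b
alter
cast
create
declare
delete
drop
exec
insert
select
update

[AlwaysAllowedUrls]
; Narrow exemption: the listed URL path is allowed regardless of the deny rules above.
; List the exact path without its query string. PLACEHOLDER path; use the affected
; site's real back-end page, and keep that page behind CMS authentication.
/Sitefinity/Admin/Pages.aspx
```

The design choice is to keep the server-wide rule intact and whitelist only the authenticated admin page that produces the false positives, then confirm in the UrlScan log that the rejections for that page stop while rejections elsewhere continue; an allow-list entry bypasses the rule checks for that path, so it should be as specific as the log shows it needs to be and no wider.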
 
My take is this: If the CMS is creating URLs that look like a hack and the security protocols of the host are stopping what appears to be a hack, then there's an issue with the CMS.

It's the responsibility of the host to work with the reseller/developer/tech guy to see if there is a solution that will NOT compromise security.

It's the responsibility of the reseller/developer/tech guy to explain things to the customer and patiently work with the host to see IF the issue with the CMS can be resolved with NO compromise to security.

If the CMS won't fit, change the CMS. If the customer refuses to understand the primacy of security in today's environment, then let them host their site with myhackersdelighthosting.ru.

Seems to me that Jodohost went far and above the call of duty here. Kudos to them.
 
I do expect a bit more of these situations with people running really old versions of software and not wanting to upgrade, while we have to upgrade into supported OSes, and 2003 is ending in April. We've done a lot already but still more to come.
There is an unreasonable expectation that because something worked one time it must continue working forever, which just isn't so, especially with new automation in attacks and exploits; it just gets too risky to keep the old stuff live anymore.
 