A wrong grasp of security

Lately, I’ve started using Sitefinity CMS (a cool .NET CMS system by Telerik, a bit expensive though). Anyway, like many other CMS providers, they have their own marketplace where you can buy modules and widgets for your CMS.

I was interested in one of the widgets that was developed by a third-party company (in order to prevent abuse, the name of the company won’t be mentioned). I was glad to find out that they provide the widget for free, so I just downloaded it and installed it in my development environment. As I restarted the CMS and tried to use the widget, I discovered something my mom used to say to me as a child: “There are no free gifts”. And of course, under the widget there was a copyright notice indicating this is a free version, with links to the company’s site where you can buy the product without this advertisement.

Now, just to make it clear, if I end up using this product, I will buy it. But still, I wanted to look around and see how hard it would be to remove this annoying advertisement. Sitefinity is written in .NET, so this widget was written in .NET as well. Meaning: Reflector can be a great help. And it was. I analysed the provided DLL with Reflector and was amazed when I found the BrandLicense class inside the DLL.

This class contains a static method named ValidatedLicense, which looks more or less like the following:

public static bool ValidatedLicense(/* ... */){
 // ...
 return (ConfigurationManager.AppSettings["WidgetName.License"] == "12345678901234567890123456789012");
 //...
}

The license key and the appSettings key were modified. At least the key is not that easy.

So, basically, the first thing I tried was to add the following lines to my web.config:

<appSettings>
 <add key="WidgetName.License" value="12345678901234567890123456789012"/>
</appSettings>

And when I restarted the CMS and looked at the place where the widget was located, I found that the advertisement was gone.

I’ve sent an email to the company that created this widget, telling them how easy it was to crack it and that they will probably want to use asymmetric encryption in order to store the key, and also that they should at least try to obfuscate the code so it won’t be that easy. I’m hoping they will fix it soon.
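
The asymmetric approach suggested above, sketched as an added example (not the vendor's code and not part of the original post): the vendor signs a license payload with a private key that never ships, and the widget embeds only the public key, so nothing readable in the DLL can be pasted into web.config as a valid license. The class name SignedLicense, the "product|domain" payload format and the demo values are assumptions; it targets .NET Framework 4.7.2 or later, or .NET Core.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedLicense
{
    // Assumed license format: base64(payload) + "." + base64(signature),
    // where payload is the UTF-8 string "product|domain".
    public static bool Validate(string license, RSA vendorPublicKey,
                                string product, string siteDomain)
    {
        if (string.IsNullOrEmpty(license)) return false;
        string[] parts = license.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, signature;
        try
        {
            payload = Convert.FromBase64String(parts[0]);
            signature = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; }

        // Verify the signature before trusting any field of the payload.
        if (!vendorPublicKey.VerifyData(payload, signature,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            return false;
        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        return fields.Length == 2 && fields[0] == product
            && string.Equals(fields[1], siteDomain, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed demo. Vendor side: the private key stays with the vendor.
        using (RSA vendorKey = RSA.Create(2048))
        using (RSA widgetKey = RSA.Create())
        {
            byte[] payload = Encoding.UTF8.GetBytes("WidgetName|example.test");
            byte[] sig = vendorKey.SignData(payload, HashAlgorithmName.SHA256,
                                            RSASignaturePadding.Pkcs1);
            string license = Convert.ToBase64String(payload) + "." + Convert.ToBase64String(sig);
            // Widget side: only the public half is embedded in the shipped DLL.
            widgetKey.ImportParameters(vendorKey.ExportParameters(false));
            Console.WriteLine(Validate(license, widgetKey, "WidgetName", "example.test"));
            Console.WriteLine(Validate(license, widgetKey, "WidgetName", "other.test"));
            Console.WriteLine(Validate("12345678901234567890123456789012", widgetKey, "WidgetName", "example.test"));
        }
    }
}
```

In the widget itself the license string would be read from ConfigurationManager.AppSettings and the public key would be a constant in the assembly. This removes the extractable secret; it does not protect the check itself from being modified, which is what obfuscation makes harder.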
