
Security advisory: Update Umbraco Forms immediately

If you have installed Umbraco Forms, you need to update now. Contour is not affected, and Umbraco Cloud customers have all been updated automatically and do not need to take any action.

Written by Sebastiaan Janssen


March 1st 2017

Impact: High, requires immediate action. This advisory is the result of a private penetration test; we have no reports that the bug is being exploited.

You need to update Forms now:

Your site will need to be updated if you have installed Forms. 

Umbraco Cloud has been automatically updated and Contour (the predecessor to Umbraco Forms) is not affected.

How to update?

If you are uncertain about how to update Forms, we recommend that you get in touch with the person or agency that built your Umbraco site and let them help you. It is an easy fix, but we recommend that only experienced Umbraco users perform the update.

Manual

If you are NOT using NuGet then you need to copy the new version of Umbraco.Forms.Core.Providers.dll into the bin folder of your website.

There are two versions of this library:

  1. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions LOWER than 4.3.0
  2. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions from 4.3.0 up to and including 4.4.1

This dll is fully backwards compatible so you don't need to worry about breaking anything.

If you don't know what version of Forms you're running, click on "Forms" in the backoffice menu bar to the left; your current Forms version is listed right under "Dashboard".

You can also find your current version by looking in the version file here: ~/App_Plugins/UmbracoForms/version

If you're not already using the latest version of Forms we recommend you take this opportunity to update your Umbraco Forms installation to the latest version wherein the fix has been added: Forms 4.4.2.
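
A version check for the manual update path above, as an added PowerShell example (not part of the original advisory or Umbraco's own tooling). It assumes the version file contains a plain version string such as "4.3.2"; the site roots you pass in and the demo folder are hypothetical.

```powershell
# Added example, not Umbraco's own tooling. Assumption: the version file holds
# a plain version string such as "4.3.2" (the advisory does not state its format).
param([string[]]$SiteRoots)   # web roots to check; omit to run the constructed demo

function Get-FormsAdvisoryStatus {
    param([Parameter(Mandatory = $true)][string]$SiteRoot)

    $versionFile = Join-Path $SiteRoot 'App_Plugins\UmbracoForms\version'
    $dllPath     = Join-Path $SiteRoot 'bin\Umbraco.Forms.Core.Providers.dll'
    $version = $null; $dllDate = $null

    if (-not (Test-Path -LiteralPath $versionFile)) {
        $action = 'Umbraco Forms version file not found'
    } else {
        $raw = (Get-Content -LiteralPath $versionFile -Raw).Trim()
        $parsed = $null
        if ([version]::TryParse($raw, [ref]$parsed)) {
            # Normalise "4.3" to "4.3.0" so a missing build number compares as 0.
            $parts = @($parsed.Major, $parsed.Minor, [Math]::Max($parsed.Build, 0))
            $version = New-Object version -ArgumentList $parts
            $action = if ($version -ge [version]'4.4.2') {
                'Fix already included'
            } elseif ($version -ge [version]'4.3.0') {
                'Copy patched DLL for 4.3.0 up to 4.4.1, or update to 4.4.2'
            } else {
                'Copy patched DLL for versions lower than 4.3.0, or update to 4.4.2'
            }
        } else {
            $action = "Cannot parse '$raw'; check the Forms dashboard"
        }
    }
    # The DLL timestamp lets you confirm afterwards that the file was replaced.
    if (Test-Path -LiteralPath $dllPath) {
        $dllDate = (Get-Item -LiteralPath $dllPath).LastWriteTime
    }
    [pscustomobject]@{ Site = $SiteRoot; Version = $version; DllLastWrite = $dllDate; Action = $action }
}

if (-not $SiteRoots) {
    # Constructed demo tree so the script runs without a real site.
    $demo = Join-Path ([IO.Path]::GetTempPath()) 'forms-advisory-demo'
    $plugin = Join-Path $demo 'App_Plugins\UmbracoForms'
    New-Item -ItemType Directory -Force -Path $plugin | Out-Null
    Set-Content -LiteralPath (Join-Path $plugin 'version') -Value '4.3.2'
    $SiteRoots = @($demo)
}
$SiteRoots | ForEach-Object { Get-FormsAdvisoryStatus -SiteRoot $_ } | Format-Table -AutoSize -Wrap
```

Run it again after copying the DLL or updating the package: the reported version and DLL timestamp show whether the change reached every site.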

 

NuGet

If you ARE using NuGet then the following instructions apply. Run the following command in your Package Manager Console in Visual Studio:

Update-Package UmbracoForms

Alternatively you can use the NuGet UI to search for the Umbraco Forms package and update it to the latest version.

Automatic update

When you go to the Umbraco Forms section in the backoffice, Forms might offer to automatically update itself; you can also use this to secure your installation.

Questions?

If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

Details about the issue

Summary: All Umbraco Forms versions contain a critical security flaw

Fix: Replace a single assembly file or run a NuGet update command. Completely backwards compatible.

The newly discovered vulnerability is no longer present in version 4.4.2 of Umbraco Forms and we advise you to make sure that you are using at least version 4.4.1.

We want to thank Jeffrey Schoemaker from Perplex Internet for responsibly disclosing this issue to us.

We apologize for the inconvenience. Security issues are of the highest priority for us as we recognize that the trust in Umbraco depends heavily on this.

If you want to know more about how we handle security in Umbraco, you can read more about Umbraco Security here.
