Monday, September 20, 2010 by Administrator

This weekend a security flaw was identified in Microsoft ASP.NET, the framework that Umbraco is based on. It affects any application based on Microsoft ASP.NET, including any Umbraco installation as well as any other CMS that builds upon Microsoft ASP.NET.

This means that you have to take action to secure your site!

We've produced a guide that describes how to patch your installation, and we've also produced an Umbraco package that will try to patch your installation automatically; if it can't, it'll guide you through how to do it. You can find the package in the package repository under Developer tools, where it's called "ASP.NET Security Vulnerability Patch".

When you run the package, it shows whether or not your website is vulnerable. If it is, there's a big "Fix this problem" button to press.

We're seeding this information via the update checker, our mailing list and our Twitter accounts, but please help us spread the word. A speech bubble notification (yes, we'll need to work on the CSS for long messages!) will be shown to all administrators who log in to Umbraco over the next 14 days. It'll show even if you've patched your installation; unfortunately we don't have any way to prevent this, as the patch isn't related to the Umbraco core.

The Panic Fund

We were able to make, test and distribute this patch because of our Panic Fund. In the HQ we have an account which makes it possible to book all HQ staff on core development for a week. We can use this fund in emergencies like this one. Despite the frustrating circumstances, it's yet another example of why I'm proud of how we've managed to build the Umbraco HQ and why it makes the whole project sustainable.

Now stop reading and start patching!

For more details visit the project page for this patch.

For in-depth information on the ASP.NET security issue, visit Scott Guthrie's blog.