Yesterday we were informed that there was an "Open
Redirect Vulnerability" issue in Umbraco 4. We fixed it this
morning. While we don't agree with the security consultants that
it's a major issue, we do our best to fix reported security issues
as fast as possible and to disclose them fully.
Is this issue relevant for you?
The issue means that someone could get your editors to click a
link (in an e-mail or on a third-party website) pointing to the back
office of your site, while controlling where the editor is
redirected after logging in. This requires that you run
Umbraco with the back office fully open and that an active
editor logs into the site. For instance:
http://yoursite.com/umbraco/?redir=http://myevilsite.com
Once your editor has authenticated, they'd be redirected to the
evil site. No data is shared with that evil site, but it could present
a fake Umbraco login page and try to trick your editor into submitting
their credentials again. That way the attacker could then go to your
website and log in. All this requires a number of conditions to
line up, but the risk is real and may be important enough for you
to upgrade…
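The root cause is a login page that follows the `redir` parameter wherever it points. The check below is an added illustration of how such a parameter can be validated (example code, not Umbraco's fix): only a path-only, same-origin target is accepted, and everything else falls back to a default landing page. The `redir` values, the `/umbraco/` default and the `editContent.aspx` path are constructed for the example; the logic is what you would port to an ASP.NET login handler.

```python
from urllib.parse import urlsplit

# Where to send the editor when the redirect parameter is rejected (assumed default)
DEFAULT_LANDING = "/umbraco/"


def is_safe_redirect(target: str) -> bool:
    """Accept only a local, path-only redirect such as /umbraco/editContent.aspx?id=1.

    Rejected: absolute URLs (http://myevilsite.com), protocol-relative URLs
    (//myevilsite.com), backslash variants (/\\myevilsite.com, which browsers
    normalise to //), non-http schemes (javascript:) and control characters.
    """
    if not target:
        return False
    # Whitespace and control characters are never legitimate in a redirect value
    if any(ord(ch) <= 0x20 for ch in target):
        return False
    # Browsers treat "\" like "/" when parsing, so normalise before checking
    candidate = target.replace("\\", "/")
    # Must be path-absolute ("/x") but not network-path ("//host")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    # A path-only reference has neither a scheme nor an authority component
    return parts.scheme == "" and parts.netloc == ""


def resolve_redirect(redir_param: str, default: str = DEFAULT_LANDING) -> str:
    """Return the redirect target to use after login, falling back to default."""
    return redir_param if is_safe_redirect(redir_param) else default


if __name__ == "__main__":
    # Constructed sample values, including the one from the advisory above
    for value in ("/umbraco/editContent.aspx?id=1063",
                  "http://myevilsite.com",
                  "//myevilsite.com",
                  "/\\myevilsite.com",
                  "javascript:alert(1)"):
        print(f"{value!r:45} -> {resolve_redirect(value)}")
```

Because a path-only reference inherits the host from the page that issued it, none of the accepted values can leave your site, which is the property the fix needs.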
How to upgrade
If you're in a hurry, you can download the
4.7.1.478 nightly, which contains the fix. If you're running
4.7.1.1, all you need to do is overwrite the "/bin/umbraco.dll"
file. If you're running an older version, please refer to
the upgrade guide.
4.7.1.2 next week
We'll be releasing an official 4.7.1.2 early next week.
Umbraco 5
This issue is present in Umbraco 5 as well and will be fixed for
5.0.1.
Questions?
Feel free to submit questions in the comments.