Security issues found in Umbraco 4, 6 and 7

Monday, July 21, 2014 by Sebastiaan Janssen

As Umbraco becomes more popular, more people are also hiring security specialists to analyze our source code for potential vulnerabilities. We applaud this: a fresh view on things can often reveal issues that have been overlooked so far.

Today we're publishing the results of two independent security audits that uncovered some issues that you need to be aware of and fix in your Umbraco installations.

Of course we're in the process of fixing these problems for future versions of Umbraco where necessary, but many currently running live sites are affected and need updates immediately.

We advise you to update or remove the following files:

  • Update: umbraco\Developer\Packages\proxy.htm with the updated version found in this GitHub commit.
    Affected versions: all versions 4, 6 and 7
    Impact of updating this file: none.
  • Delete: umbraco\Dashboard\Swfs\AIRInstallBadge.swf
    Affected versions: 4.6.1 through 6.2.1 (v7 is not affected)
    Impact of deleting this file: you won't be able to install Desktop Media Uploader from the backoffice any more; it can still be installed by installing the umbraco\Dashboard\air\DesktopMediaUploader.air file directly.
  • Delete: Config\Splashes\booting.aspx
    Affected versions: all versions 4, 6 and 7
    Impact of deleting this file: you would only see the "booting" screen if your site takes more than 10 seconds in the phase where Umbraco is starting and cannot serve more than one request; removing this file gives a blank screen instead of the "booting" screen (hardly anybody will ever have seen this screen in the first place).
  • Delete: the install folder
    Affected versions: 4.9.0 through 6.1.6 (6.2.0+ and 7 are not affected)
    Impact of deleting this folder: none. We've always advised deleting the install folder immediately after installing Umbraco and never uploading it to a live server.

Please take this advisory seriously and take immediate action to secure your running sites properly.
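The four steps above, carried out by a script: an added example, not the Umbraco project's own code and not the gist linked in the comments. It assumes a site root passed as -SiteRoot (the script name and the example path are placeholders), reads the umbracoConfigurationStatus appSetting from web.config to report the running version, deletes the three listed items, and flags proxy.htm because that file must be replaced with the fixed version rather than deleted.

```powershell
# Added example: hardening script for the four items in the advisory above.
# Not the Umbraco project's code and not the gist linked in the comments.
# Usage:  .\Remove-UmbracoAdvisoryFiles.ps1 -SiteRoot C:\inetpub\mysite [-WhatIf]
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteRoot
)
$ErrorActionPreference = 'Stop'
$root = (Resolve-Path -LiteralPath $SiteRoot).Path

# Report the version recorded in web.config (umbracoConfigurationStatus) so the
# operator can match it against the affected ranges listed in the post.
$webConfig = Join-Path $root 'web.config'
if (Test-Path -LiteralPath $webConfig) {
    [xml]$cfg = Get-Content -LiteralPath $webConfig -Raw
    $ver = $cfg.configuration.appSettings.add |
        Where-Object { $_.key -eq 'umbracoConfigurationStatus' } |
        Select-Object -ExpandProperty value
    Write-Host "Umbraco version in web.config: $ver"
}

# Items the advisory says to delete, relative to the site root, with the
# affected version ranges from the post.
$toDelete = @(
    'umbraco\Dashboard\Swfs\AIRInstallBadge.swf'   # 4.6.1 through 6.2.1
    'Config\Splashes\booting.aspx'                 # all 4, 6 and 7
    'Install'                                      # 4.9.0 through 6.1.6
)
foreach ($rel in $toDelete) {
    $path = Join-Path $root $rel
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "Not present (nothing to do): $rel"
        continue
    }
    # -WhatIf / -Confirm are honoured here via ShouldProcess.
    if ($PSCmdlet.ShouldProcess($path, 'Delete')) {
        Remove-Item -LiteralPath $path -Recurse -Force
        Write-Host "Deleted: $rel"
    }
}

# proxy.htm must be replaced with the fixed version from the linked commit, not
# deleted; this script only flags it so the step is not forgotten.
$proxy = Join-Path $root 'umbraco\Developer\Packages\proxy.htm'
if (Test-Path -LiteralPath $proxy) {
    Write-Warning "Still to do: replace $proxy with the updated proxy.htm from the GitHub commit linked in the post."
}
```

Because a NuGet-based build puts these files back, the same script can also run as a Visual Studio post-build event, e.g. `powershell -NoProfile -ExecutionPolicy Bypass -File "$(ProjectDir)Remove-UmbracoAdvisoryFiles.ps1" -SiteRoot "$(ProjectDir)"`, which is one way to implement the post-build action mentioned in the comments below.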

If you have any questions, make sure to leave a comment, and remember that this blog doesn't send notification e-mails, so check back here to find the answer to your questions.

32 comment(s) for “Security issues found in Umbraco 4, 6 and 7”

  1. Ryan Lewis Says:

    Here's a PowerShell script which will do all of the above.

    https://gist.github.com/ryanlewis/62bca92ec0f990e3b05c

  2. Mike Says:

    Is it feasible for HQ to do an audit?

    Will you fix the security issue in the installer, or force deletion of the folder (e.g. always redirect to removal instructions as long as the install folder has not been deleted)?

    Thanks!

  3. Andy Says:

    We have our install linked to the latest NuGet package Umbraco-Cms 7.1.4 and this includes all these files, so even if we remove them from the site the next time we build/deploy it will replace them from the NuGet package. Is a new version going to be posted with these fixes?

  4. Sebastiaan Janssen Says:

    @Andy I recommend you use a post-build action; of course 7.1.5 will contain fixes for these problems.

  5. Stephen Says:

    Are these "vulnerabilities" in the wild yet, or things you have found internally? Are you able to advise how they might affect current installations if they have been found by someone in the wild, so we can confirm we have not been affected by these "vulnerabilities"?

    Thanks

  6. Sebastiaan Janssen Says:

    @Stephen These are newly discovered problems and we have no report of them being exploited currently. You would definitely already know if they were being exploited on your sites.

  7. Niels Hartvig Says:

    @Stephen: They're a result of internal security audits and penetration tests by some of our customers, not something in the wild.

  8. Eelco Says:

    I'd like to know in which way these vulnerabilities might affect a website if exploited. Could you provide some details on that?

  9. Yann Says:

    Did your independent security audits mention anything about the password hashing?

    Thanks

  10. Niels Hartvig Says:

    @Eelco: At this point we don't disclose further information. We will once people have had a chance to update their sites.

  11. Sebastiaan Janssen Says:

    @Eelco Not publicly at the moment.

    @Yann Yes. But do note that the new membership providers in v6.2.0+ and 7.1.4+ provide better hashing.

  12. Paul Says:

    I would also like to know how a website is affected if exploited please. Where can you find this issue before the patches are applied? It will be good to understand.

    Thanks

    Paul

  13. Sebastiaan Janssen Says:

    @Paul As said, you'd definitely know. These are brand new discoveries that are not exploited in the wild.

  14. Arie Says:

    Shouldn't security warrant a dedicated topic area on the forum?

  15. Paul Says:

    Apologies, I must have posted at the same time as you replied. Thanks for the response ;)

  16. Mark Baillie Says:

    Is anyone else having uCommerce troubles after making these changes?

  17. Hua Chen Says:

    I don't really understand the second action. So 'Desktop Media Uploader' is an Umbraco package, isn't it?

    Thanks,
    Hua

  18. Sebastiaan Janssen Says:

    @Hua It was, and then it was built into the core in 4.6.1.

  19. Ted Jardine Says:

    @RyanLewis many, many thanks for the big time-saver PowerShell script. Yes, it's simple, but it was very convenient to just let it rip on multiple sites (after a careful review of course).

    Thanks for sharing!

  20. Kevin Lawrence Says:

    I would be really interested to know what sort of test uncovered this; we have a security company carry out some pretty heavy penetration tests for our website and not a sniff of any of these issues highlighted above.

    This makes me question the effectiveness of our current tests.

  21. Sjors Pals Says:

    @Kevin, we also had several heavy scans, but with normal pentests you will not find them. I think they found them by scanning the code; automatic software can detect unhandled user and URL input.

  22. Medjeti Says:

    @Mark Baillie: What kind of uCommerce troubles are you experiencing?

    Anybody else notice any issues?

  23. Hartvig Says:

    @Kevin: There have been hundreds of pen tests of Umbraco and these haven't been found before. They do require a lot of work, though (both code and social engineering). But better safe than sorry.

  24. Kevin Lawrence Says:

    @Sjors, @Niels: Just realised that we also lock our Umbraco URL down by IP, which is where most of the vulnerabilities reside, so with that in mind it makes sense.

    I guess code-scanning could pick this up, well done to whoever picked this up.

  25. Sjors Pals Says:

    @Kevin, that might not be enough; if you know the URL of the CMS you can construct a URL that applies Cross Site Scripting or Cross Site Request Forgery. As an attacker you don't need access yourself to do harm.

  26. Joshua Stewart Says:

    It appears that the booting.aspx file gets recreated when you run the project in Visual Studio, so be aware that you may inadvertently put it back on your website when going from dev to staging or to your live server.

  27. Sebastiaan Janssen Says:

    @Joshua Yes, if you're using NuGet then make sure to implement a post build action as I mentioned before.

  28. Tuan Says:

    Hi,

    Where is the Install folder of Umbraco? I can find it in umbraco_client, but I am not sure it is that.

    Thanks a lot
    Tuan

  29. Sebastiaan Janssen Says:

    @Tuan The install folder is in the root of your site ~/Install - if you don't have it then it's been deleted already (good!).

  30. Pauli Østerø Says:

    How hard can it be to release a 6.2.1.1 or 6.2.2 NuGet package?

    *sigh*

  31. Jason Says:

    Does this impact 5.1? The message says all versions but doesn't mention 5.x.

  32. Sebastiaan Janssen Says:

    @Jason No, v5 was a completely different codebase.
