Details of security issue in 4.10

On Nov 14, 2012, we discovered a security flaw in the Umbraco 4.10.0 codebase, for which we released a patch on the same day.

The security issue relates to a fix made in 4.10.0 for starter kit installation, where the application domain wasn't restarted properly during install, which caused unexpected results. The fix uses a new REST service to install the starter kit packages, but unfortunately this REST service wasn't properly secured and was therefore exposed as a public API. This meant that it may be possible for someone to remotely install a package or restart your application domain.

We strongly urge everybody with a 4.10.0 site to upgrade to 4.10.1 as soon as possible. Versions OTHER than 4.10.0 are NOT affected at all, so you won't need to take any action for those. Please rest assured that this fix has been merged into the 4.11.0 branch so it will definitely not be an issue moving forward.

Again, our sincere apologies for the inconvenience!
