Monday, September 20, 2010

IMPORTANT: Security hole in ASP.NET and how to secure your installation

This weekend a security flaw was identified in Microsoft ASP.NET, the framework that Umbraco is based on. It affects any Microsoft ASP.NET based application, including any Umbraco installation as well as any other CMS that builds upon Microsoft ASP.NET.

This means that you have to take action to secure your site!

We've produced a guide that describes how to patch your installation, and we've also produced an Umbraco package that will try to patch your installation automatically; if it can't, it'll guide you through how to do it. You can find the package in the package repository under Developer tools, where it's called "ASP.NET Security Vulnerability Patch".


When you run the package, it'll show you a status on whether or not your website is vulnerable. If it is, there's a big "Fix this problem" button to press.


We're seeding this information via the update checker, our mailing list and our Twitter accounts, but please help us spread the word. A speech bubble (yes, we'll need to work on the CSS on long messages!) will be shown to all administrators who log in to Umbraco over the next 14 days. It'll show even if you've patched your installation; unfortunately we don't have any way to prevent this, as the patch isn't related to the Umbraco core.


The Panic Fund

We were able to make, test and distribute this patch because of our Panic Fund. In the HQ we have an account which makes it possible to book all HQ staff on core development for a week. We can use this fund in emergencies like this one. Despite the frustrating circumstances, it's just yet another example of why I'm proud of how we've managed to build the Umbraco HQ and why it makes the whole project sustainable.

Now stop reading and start patching!

For more details visit the project page for this patch.

For in-depth information on the ASP.NET security issue, visit Scott Guthrie's blog.
