Tuesday, March 1, 2016

Major security vulnerability patched in Umbraco versions 4.5.0 through 4.7.1.1

We have been alerted of a major security issue in Umbraco versions released before 2012. If you're still running Umbraco sites on versions between 4.5.0 and 4.7.1.1, you need to update your sites today with the patches provided below.

Please refer to the table below: the new version of umbraco.dll is listed for each affected version of Umbraco, including a download link.

Umbraco version    New umbraco.dll assembly version
---------------    --------------------------------
4.5.0              1.0.5904.24845
4.5.1              1.0.5904.24629
4.5.2              1.0.5904.25028
4.6.0              1.0.5904.25578
4.6.1              1.0.5904.26133
4.7.0              1.0.5904.26466
4.7.1              not available*
4.7.1.1            1.0.5904.26907


* Unfortunately there is no patch for 4.7.1. We have been unable to reconstruct at which point 4.7.1 was actually built, so we cannot issue a patch for this version.
The advice for 4.7.1 is to delete ~/umbraco/webservices/templates.asmx. Deleting this file will only impact the insertion of snippets in templates; editing of templates will still work just fine.

How to apply the fix?

  • Make a backup of your Umbraco installation's "bin" folder, please do not forget this
  • Download the zip file from the list above that matches your Umbraco version
  • After downloading it, right-click the file, go to properties and click the "unblock" button (this is very important!)
  • You've made a backup of the bin folder, right?
  • Then simply copy the updated file(s) from the zip file into your Umbraco site's bin folder, overwriting the existing files

Custom Umbraco build or not able to patch?

If you're not able to patch your installation, or if you run a modified version of Umbraco (you have modified the source of Umbraco and built your own version), we recommend that you set up a firewall to block external calls to /umbraco. You can see whether you run a custom build of Umbraco by comparing your umbraco.dll assembly version with the one in the table below. If the dll matches one of the version numbers below, you can safely overwrite the current version with the patched version (after making a backup, of course).
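To check which build a site is actually running before (and after) copying the patched file into bin, the following PowerShell script reads the assembly version of umbraco.dll and compares it with the patched versions in the table above; it also reports whether the templates.asmx web service named in the 4.7.1 workaround is still present. This is an added example, not a script shipped by Umbraco; the site root path is an assumption you will need to adjust.

```powershell
# Added example (not from the Umbraco advisory): report whether a site's
# umbraco.dll carries one of the patched assembly versions from the table,
# and whether the 4.7.1 workaround file is still present.
# Assumptions: $SiteRoot is the web root of the site, and the table lists
# the assembly version (not the file version) of umbraco.dll.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\MySite'   # assumed path, adjust
)

# Patched assembly versions, copied from the advisory table.
$Patched = @{
    '1.0.5904.24845' = '4.5.0'
    '1.0.5904.24629' = '4.5.1'
    '1.0.5904.25028' = '4.5.2'
    '1.0.5904.25578' = '4.6.0'
    '1.0.5904.26133' = '4.6.1'
    '1.0.5904.26466' = '4.7.0'
    '1.0.5904.26907' = '4.7.1.1'
}

$dll = Join-Path $SiteRoot 'bin\umbraco.dll'
if (-not (Test-Path $dll)) {
    Write-Warning "No umbraco.dll found at $dll"
    return
}

# Read the assembly version without loading the assembly into this process.
$version = [System.Reflection.AssemblyName]::GetAssemblyName($dll).Version.ToString()

if ($Patched.ContainsKey($version)) {
    Write-Output "umbraco.dll $version is the patched build for Umbraco $($Patched[$version])."
} else {
    Write-Output "umbraco.dll $version is not one of the patched builds; compare it with the table and patch, or apply the workaround."
}

# The advisory's workaround for 4.7.1 is to delete this web service.
$asmx = Join-Path $SiteRoot 'umbraco\webservices\templates.asmx'
if (Test-Path $asmx) {
    Write-Output "templates.asmx is present at $asmx (4.7.1 workaround not applied)."
} else {
    Write-Output "templates.asmx is not present."
}
```

Run it once before patching to record the current version, and again afterwards to confirm the copied file was picked up from bin.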

Also, if you are running a custom build of any of the Umbraco versions listed above and need advice on how to update your build to be safe, please e-mail us so we can provide you with that specific information.

Previous security problems

Below is a list of security issues that we've fixed before, in case you want to review your sites for potential issues. The older posts contain the download links for the corresponding patch files.

Questions

Again, if you have any questions, please e-mail us so we can provide you with appropriate information.
