We have been alerted of a major security issue in Umbraco versions released before 2012, if you're still running Umbraco sites that are of versions between 4.5.0 and 4.7.1.1 you need to update your site today with the patches provided below.
Please refer to the table below, the new version of umbraco.dll is listed here for each affected version of Umbraco, including a download link.
| Umbraco version | new umbraco.dll assembly version |
| 4.5.0 | 1.0.5904.24845 |
| 4.5.1 | 1.0.5904.24629 |
| 4.5.2 | 1.0.5904.25028 |
| 4.6.0 | 1.0.5904.25578 |
| 4.6.1 | 1.0.5904.26133 |
| 4.7.0 | 1.0.5904.26466 |
| 4.7.1 | not available* |
| 4.7.1.1 | 1.0.5904.26907 |
* Unfortunately a patch for 4.7.1 is absent, this is because to we have been unable to reconstruct at which point 4.7.1 was actually built, so we can not issue a patch for this version.
The advise for 4.7.1 is to delete ~/umbraco/webservices/templates.asmx. Deleting this file will only impact the insertion of snippets in templates, editing of templates will still work just fine.
How to apply the fix?
- Make a backup of your Umbraco installations "bin" folder, please do not forget this
- Download the zip file from the list above that matches your Umbraco version
- After downloading it, right-click the file, go to properties and click the "unblock" button (this is very important!)
- You've made a backup of the bin folder, right?
- Then simply copy the updated file(s) from the zip file into your Umbraco site's bin folder, overwriting the existing files
Custom Umbraco build or not able to patch?
If you're not able to patch your installation or if you run a modified version of Umbraco - if you have modified the source of Umbraco and built your own version - we recommend that you setup a firewall to protect against external calls to /umbraco. You can see if you run a custom build of Umbraco by comparing your assembly version with the one in the table below. If the dll is of the below version numbers then you can safely overwrite the current version with the patched version (after making a backup, of course).
Also, if you are running a custom build of any of the Umbraco versions listed above and need advise on how to update your build to be safe then please e-mail us so we can provide you with that specific information.
Previous security problems
Below is a list of security issues that we've fixed before, if you want to review your sites for potential issues. The download links in the older posts contain the links to these updated patch files.
- February 5, 2015 - Security alert - Update ClientDependency immediately
- July 21, 2014 - Security issues found in Umbraco 4, 6 and 7
- May 23, 2014 - Security update - one more major issue fixed in 4.7.0 through 4.7.1.1
- May 1, 2013 - Security update - two major vulnerabilities found
- April 29, 2013 - Security vulnerability found - immediate action recommended
- November 14, 2012 - Details of security issue in 4.10
Questions
Again, if you have any questions, please e-mail us so we can provide you with appropriate information.