Major vulnerability in Umbraco 4.5.0 through 4.7.0 fixed


This only applies to Umbraco versions from 2011 or older. If you're running Umbraco 4.5.0 through 4.7.0, this blog post contains important information.

Update:
The version numbers of the patched Umbraco builds for 4.5.0 through 4.7.1.1 differ from the table below; please read about the additional problems found in March 2016.

A few years ago we fixed a security issue in Umbraco 4.7.1; at the time we did not realise it could have more impact than we thought.

One of our webservices allowed any unauthenticated user to upload a file. We were under the impression that the file would only ever end up in the (now obsolete) Python folder and could therefore not do much harm; only a handful of people were using the IronPython option anyway.

Three years later, we got a report today of an exploit: if you carefully construct a path outside of the Python folder, you can upload a file to any folder within your Umbraco site. Because the site runs under ASP.NET, an unauthenticated write to an arbitrary folder under the web root is effectively remote code execution: an attacker can drop a server-side page (for example an .aspx file) and then simply request it.

 

Any other versions of Umbraco are NOT affected by this vulnerability. 4.7.1.1 is affected by another vulnerability though; read more in the follow-up post. The patches for the security issues found a year ago have also been applied to these files, so there's no chance of regressing to the old security problems. The downloads on last year's blog post have also been updated with this fix, so people landing on that old post will get this newest fix included as well.

How to apply the fix?

  • Make a backup of your Umbraco installation's "bin" folder, please do not forget this
  • Download the zip file from the list above that matches your Umbraco version
  • After downloading it, right-click the file, go to Properties and click the "Unblock" button (this is very important: Windows marks downloaded files as coming from the Internet, and ASP.NET may refuse to load DLLs extracted from a still-blocked zip)
  • You've made a backup of the bin folder, right?
  • Then simply copy the updated files from the zip file into your Umbraco site's bin folder, overwriting the existing files

Custom Umbraco build or not able to patch?

If you're not able to patch your installation, or if you run a modified version of Umbraco (you have changed the Umbraco source and built your own version), we recommend that you set up a firewall to block external calls to /umbraco. You can see whether you run a custom build by comparing the assembly version of your umbraco.dll with the ones in the table below. If the dll has the version number shown in the "umbraco.dll" column, you can safely overwrite it with the patched version (after making a backup, of course). The "patched umbraco.dll" column shows the version of the dll after it was patched with last year's fix, so the dll can be either one of the two versions. If it is any other version, you're using a custom build and you should not use the patches listed above.
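For the recommendation above, here is an added example (not from the original post) of a web.config fragment that blocks calls to /umbraco from outside an assumed internal network, 10.0.0.0/8, using IIS's IP and Domain Restrictions feature. The feature must be installed on the server and the ipSecurity section must be unlocked at server level (it is locked by default); editors working remotely then have to come in through that range or a VPN:

```xml
<!-- Added example: restrict the whole /umbraco path to an assumed internal range.
     Requires the IIS "IP and Domain Restrictions" role service and an unlocked
     ipSecurity section (applicationHost.config: overrideModeDefault="Allow"). -->
<configuration>
  <location path="umbraco">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <!-- 10.0.0.0/8 is an assumption; replace with your own office/VPN range -->
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
          <add ipAddress="127.0.0.1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

After saving the file, confirm from an outside address that /umbraco returns 403 while the public site still renders; if it returns 500 instead, the section is still locked at server level and the override has to be enabled in applicationHost.config first.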

Umbraco version    umbraco.dll        patched umbraco.dll
4.5.0              1.0.3827.19799     1.0.4868.29062
4.5.1              1.0.3858.40498     1.0.4868.28715
4.5.2              1.0.3891.20719     1.0.4868.28632
4.6.1              1.0.4029.25836     1.0.4868.28542
4.7.0              1.0.4090.38017     1.0.4868.25116

If you are running a custom build and want to rebuild it to include this fix, then apply the change listed on line 247 in the 4.7.1 source code. The change affects umbraco.dll only.

Additionally, if you have a custom build and have not applied last year's security fixes yet, you should also apply the following changes:
