Umbraco

Security Advisory - low severity

Concerning Umbraco version 7.0 - 7.14

Written by Rune Strand

We’ve discovered a low-severity data exposure vulnerability in a third-party plugin used in Umbraco 7. This is fixed in 7.15 and we’re now issuing patch releases for all previous version 7 minors to ensure all Umbraco sites can be patched. Umbraco Cloud projects affected by this will be patched automatically today and you do not need to take any action.

If you are uncertain about how to handle this advisory, reach out to your technical contact for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary precautions.

Impact

Versions affected: Umbraco version 7.0 - 7.14

Classification: Low severity

This vulnerability is related to the third-party plugin MiniProfiler and exposes data to unauthenticated website visitors. The exposed data is the profiling information recorded for your website, which includes SQL query data and possibly members' email addresses.

This vulnerability in itself does not open up your site to any known exploitable scenarios. It does, however, leak debug information about your site, which could lead to the discovery of other potential issues or leak personal data.

Patches

If you have affected sites on Umbraco Cloud, these will be automatically patched today (December 10th, 2019), so no further action is needed from you.

If your project is not on Umbraco Cloud, you need to upgrade your Umbraco installation manually to get the fix for the vulnerability.

Links to download the patched versions:

7.14.1

7.13.3

7.12.5

7.11.3

7.10.6

7.9.7

7.8.4

7.7.14

7.6.14

7.5.15

7.4.4

7.3.9

7.2.9

7.1.10

For sites running Umbraco 7.0.x we urge you to upgrade to at least 7.1, or use the workaround.

Projects on Umbraco 8 are not affected by this vulnerability.

Workarounds

If you are not able to upgrade your project, a simple workaround is to ensure that the route exposing the profiling information is not accessible. You can do this either by blocking the route path directly in your web server or by using URL Rewrite Rules in your site. Note that this workaround completely disables MiniProfiler profiling, even when your site is in debug mode. Because of this, we recommend that you upgrade your site with the available patch and only use the workaround as a last resort.

Example of a blocking rewrite rule:

    <rewrite>
      <rules>
        <rule name="Block MiniProfiler" stopProcessing="true">
          <match url="^mini-profiler-resources" ignoreCase="true" />
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>

URL Rewrite Module Configuration Reference: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference
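As an added example (not part of the original advisory and not Umbraco's own code), the following Python script audits a web.config offline for the two settings this advisory refers to: whether a URL Rewrite rule blocking the mini-profiler-resources route is in place (the workaround above), and whether compilation debug="true" is set (the only state in which profiling output is meant to be reachable, as the Detailed Explanation below describes). The sample web.config fragments are constructed for the example; the helper names, the MINIPROFILER_ROUTE constant and the acceptance of a CustomResponse action alongside AbortRequest are assumptions of this example, not something the advisory states.

```python
"""Offline audit of an Umbraco 7 web.config for the MiniProfiler exposure.

Added example, not Umbraco's own code. Reports whether the site relies on
the advisory's workaround (a URL Rewrite rule blocking the
mini-profiler-resources route) and whether <compilation debug="true"> is
set, which is the only state in which profiling output is meant to be
reachable. The sample web.config strings below are constructed.
"""
import xml.etree.ElementTree as ET

# Route prefix named in the advisory's rewrite rule (assumed constant name).
MINIPROFILER_ROUTE = "mini-profiler-resources"
# Rewrite action types treated as "blocking": AbortRequest is the one the
# advisory uses; accepting CustomResponse (e.g. a 404) is this example's assumption.
BLOCKING_ACTIONS = {"AbortRequest", "CustomResponse"}


def _local(tag: str) -> str:
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def debug_compilation_enabled(root: ET.Element) -> bool:
    """True if <system.web><compilation debug="true"> is present."""
    for element in root.iter():
        if _local(element.tag) == "compilation":
            return element.get("debug", "false").strip().lower() == "true"
    return False


def miniprofiler_route_blocked(root: ET.Element) -> bool:
    """True if a URL Rewrite <rule> matches the MiniProfiler route and blocks it."""
    for rule in root.iter():
        if _local(rule.tag) != "rule":
            continue
        pattern, action_type = "", ""
        for child in rule:
            if _local(child.tag) == "match":
                pattern = child.get("url", "")
            elif _local(child.tag) == "action":
                action_type = child.get("type", "")
        if MINIPROFILER_ROUTE in pattern.lower() and action_type in BLOCKING_ACTIONS:
            return True
    return False


def audit_web_config(xml_text: str) -> dict:
    """Parse a web.config and return both checks plus human-readable findings."""
    root = ET.fromstring(xml_text)
    debug = debug_compilation_enabled(root)
    blocked = miniprofiler_route_blocked(root)
    findings = []
    if not blocked:
        findings.append(
            "no rewrite rule blocks /mini-profiler-resources: apply the patched "
            "7.x release, or add the advisory's rule if you cannot upgrade"
        )
    if debug:
        findings.append(
            'compilation debug="true": profiling output is meant to be reachable '
            'in this mode, so set debug="false" on production sites'
        )
    return {"debug_enabled": debug, "route_blocked": blocked, "findings": findings}


# Constructed sample: debug build, no blocking rule (worst case for this advisory).
SAMPLE_EXPOSED = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.7.2" />
  </system.web>
  <system.webServer>
    <rewrite><rules /></rewrite>
  </system.webServer>
</configuration>"""

# Constructed sample: release build with the advisory's workaround rule in place.
SAMPLE_HARDENED = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.7.2" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Block MiniProfiler" stopProcessing="true">
          <match url="^mini-profiler-resources" ignoreCase="true" />
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>"""


if __name__ == "__main__":
    for label, config in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        result = audit_web_config(config)
        print(f"{label}: debug={result['debug_enabled']} blocked={result['route_blocked']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it against a real site by reading web.config from disk and passing the text to audit_web_config(). The rule check is deliberately loose (a substring match on the route and a blocking action type), so it reports rules written with other patterns than the exact one in this advisory; it does not verify that the patched 7.x release is installed, which remains the recommended fix.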

Detailed Explanation

The MiniProfiler plugin, used for performance profiling and debugging, records database calls and rendering information. Profiling information is exposed via specific routes and query string parameters for debugging purposes. This information should only be available when Umbraco is in debug mode (that is, when compilation debug="true" is set in web.config).

Unfortunately, it has been reported that results may still be recorded and accessed even when the site is not in debug mode, exposing the server name, the Umbraco version and potentially sensitive information from SQL calls to unauthenticated users.

The fix explained

We have addressed this by ensuring MiniProfiler routes are de-registered when Umbraco is not running in debug mode.

Credits

The issue was originally reported by Dallas Taylor from Multimedia Solutions Corp.

For additional insights and testing we'd also like to thank:

Jeffrey Schoemaker from Perplex

Ronald Barendse from Panorama Studios

For more information

If you have any questions or comments about this advisory, make sure to get in touch with us through our dedicated security email address as listed on https://umbraco.com/security.