16683508582 2C86a1dcf0 H (11)

Security Advisory - low severity

Concerning Umbraco version 7.0 - 7.14

Rune 1 (2)
Written by Rune Strand

We’ve discovered a low-severity data exposure vulnerability in a third-party plugin used in Umbraco 7. This is fixed in 7.15 and we’re now issuing patch releases for all previous version 7 minors to ensure all Umbraco sites can be patched. Umbraco Cloud projects affected by this will be patched automatically today and you do not need to take any action.

If you are uncertain about how to handle this advisory, reach out to your technical contact for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary precautions.

Impact

Versions affected: Umbraco version 7.0 - 7.14

Classification: Low severity

This vulnerability is related to the third-party plugin Miniprofiler and exposes data to unauthenticated website visitors. This data is contained in the profiling information available for your website. This includes SQL query data and possibly member's email data.

This vulnerability in itself does not open up your site to any known exploitable scenarios. It does, however, leak debug information about your site, which could lead to the discovery of other potential issues or leak personal data.

Patches

If you have affected sites on Umbraco Cloud, these will be automatically patched today (December 10th, 2019) thus, no further action is needed from you. 

If your project is not on Umbraco Cloud, you need to upgrade your Umbraco installation manually to get the fix for the vulnerability.  

Link to download versions:

7.14.1

7.13.3

7.12.5

7.11.3

7.10.6

7.9.7

7.8.4

7.7.14

7.6.14

7.5.15

7.4.4

7.3.9

7.2.9

7.1.10

For sites running Umbraco 7.0.x we urge you to upgrade to at least 7.1, or use the workaround.

Projects on Umbraco 8 are not affected by this vulnerability. 

Workarounds

If you are not able to upgrade your project, a simple workaround would be to ensure that the route exposing the profiling information is not accessible. You can do this either by ensuring the route path is blocked directly in your web server or alternatively by making use of URL Rewrite Rules in your site. Using this workaround will however completely disable the MiniProfiler profiling options, even though your site is in debug mode. Because of this, we recommend that you upgrade your site with the available patch, and only use the workaround as a last resort.

Example of a blocking rewrite rule:

 

    <rewrite>

      <rules>

        <rule name="Block MiniProfiler" stopProcessing="true">

          <match url="^mini-profiler-resources" ignoreCase="true" />

          <action type="AbortRequest" />

        </rule>

      </rules>

    </rewrite>

 

URL Rewrite Module Configuration Reference: https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference

Detailed Explanation

The MiniProfiler plugin, used for performance profiling and debugging, records database calls and rendering information. Profiling information is exposed via specific routes and query string parameters for debugging purposes. This information should only be available when Umbraco is in debug mode (compilation mode debug=true is set in web.config). 

Unfortunately, it has been reported that results may still be recorded and accessed even when the site is not in debug mode, exposing server name, Umbraco version and potential vulnerable information in SQL calls to unauthenticated users.

The fix explained

We have addressed this by ensuring MiniProfiler routes are de-registered when Umbraco is not running in debug mode.

Credits

The issue was originally reported by Dallas Taylor from Multimedia Solutions Corp.

For additional insights and testing we’d also like to thank: 

Jeffrey Schoemaker from Perplex

Ronald Barendse from Panorama Studios 

For more information

If you have any questions or comments about this advisory, make sure to get in touch with us through our dedicated security email address as listed on https://umbraco.com/security.

 

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advise, go ahead and ask the Umbraco community on Our.

Number of active installs
502567
Number of active members in the community
221745
Known free Umbraco packages available
1211

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox