Security Patch for Umbraco Forms is now available

Update: The reporter has published a blog post with details on the issue on August 25th, 2021

Note: The post has been up to include the latest patch versions for Umbraco Forms 4 and 6

If you are uncertain about how to handle this advisory, reach out to your technical contact/web agency for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary actions.

Who’s affected?

As we mentioned in the Security Advisory published on July 15th, the following versions of Umbraco Forms are affected:

All versions of Umbraco Forms v4.0.0 and up are affected by this vulnerability.

Specifically, the vulnerability applies only to forms that contain an upload field. Therefore we recommend that you prioritize patching sites that have an upload field on forms. 

Identifying forms with an upload field can be tricky, especially on sites with a larger number of forms. You can do one of the following test whether any forms are using an upload field:

1. If your form definitions are stored in the database you can query for:
   

   SELECT * FROM [UFForms] WHERE [Definition] LIKE '%84a17cf8-b711-46a6-9840-0e4a072ad000%'
   

   Alternatively on older versions of Umbraco you should query the following: 

   SELECT * FROM [UFFields] WHERE [Fieldtype] = '84a17cf8-b711-46a6-9840-0e4a072ad000'

2. Or, if your form definitions are stored on disk, you can search App_Data\UmbracoForms\Data\forms\*.json for the string

   84a17cf8-b711-46a6-9840-0e4a072ad000 

   Note: If you're using a filesystem provider then look for forms definitions on the storage location you configured.

If neither of those give you results then there is no upload field on any forms at this moment. Remember that anybody who has access to the forms section in Umbraco could add an upload field at any time, so it is still important to patch sites that don’t currently have upload fields.

Thus, all sites should have the recommended patch implemented as soon as possible.

What about Contour?

We’ve had some questions about Contour, the predecessor to Umbraco Forms, after publishing the heads-up post last week. We’ve identified that it is also vulnerable to the remote code execution bug, but not the arbitrary file deletion bug.

Contour version 3 was released in 2012 and therefore no longer considered under long term support, in fact it is end-of-life. However, since we have had a few requests for security patches, we’ve decided to also release a patch for Contour, which is version 3.0.32.

Automatic fix on Umbraco Cloud, Uno & Heartcore

All projects on Umbraco Cloud will be automatically patched today (July 20th, 2021 between 7 AM - 9 PM UTC). 

All Umbraco Cloud projects are being patched to the applicable patch release of Umbraco Forms. This also means that from today, all new projects created on Umbraco Cloud will automatically have the security fix implemented.

No action is needed for Umbraco Cloud users unless you have created custom themes for your forms in which case you might need to update your theme files.

Umbraco Uno and Umbraco Heartcore are also automatically updated and protected.

Updating manually outside of Umbraco Cloud

There are several ways to update your sites outside of Umbraco Cloud depending on what is applicable for your setup. You can update manually, through NuGet or by updating to the latest version of Umbraco Forms.

Which version of Umbraco Forms to upgrade to

We recommend upgrading to the latest patch release of the current minor version of Umbraco Forms you’re using. This ensures that you will not suddenly get new features or breaking changes that you were not prepared for. 

In order to find the file that applies to your current Forms install, find the version number in the Umbraco backoffice by going to the Forms section, the dashboard should show you the current version:

In the example above, we have Forms version 8.7.3 installed, so we find the newest patch release for the minor version 8.7 - this is version 8.7.6.

If, for example, you are using version 7.4.1, you would want to upgrade to the latest patch release for the minor version 7.4 - this version 7.4.3, and so on. 

This is a list of minor versions and which version we recommend you upgrade to:

If you are using any Umbraco Forms version 4, you will need to update to the latest version 4.4.9 (updated).

For Umbraco Contour, you will need to update to the latest version 3.0.32. 

Manual update

All the new Umbraco Forms patch releases are available to download from Our Umbraco. 

In the list of files at the bottom of the package page on Our Umbraco, you will find zip files to download that are named “UmbracoForms.Files.x.y.z.zip”. You’re looking for the applicable version to upgrade to in the list above. 

Once downloaded, unzip all the files in “UmbracoForms.File.x.y.z.zip“ into the root directory of your website, overwriting everything except for “~\App_Plugins\UmbracoForms\UmbracoForms.config”. You will want to keep your configuration the same.

If your "UmbracoForms.config" has a version number in it, now would be a good time to update it to the version you’re upgrading to. If there's a version file in "~/App_Plugins\UmbracoForms" then that should also contain the new version number.

We always recommend that you test first on a local copy of the site before you update a live site.

Umbraco Contour

The Umbraco Contour patch release is also available from Our Umbraco and follows the same procedure as above, download “UmbracoContour.files.3.0.32.zip” and overwrite all the files except for  “~\umbraco\plugins\umbracoContour\UmbracoContour.config”. You will want to keep your configuration the same.

If your UmbracoContour.config has a version number in it, now would be a good time to update it to the version you’re upgrading to.

Update with NuGet

Run the following command in your Package Manager Console in Visual Studio:

Update-Package UmbracoForms -Version x.y.z

Where x.y.z is the applicable version number you found in the table above.

Alternatively, you can use the NuGet UI to search for the UmbracoForms package and update it to the applicable version using the version dropdown.

Umbraco Contour

Umbraco Contour is not available from NuGet. Make sure to follow the manual steps above.

Updating your custom themes

If you have custom themes make sure to update FieldType.FileUpload.cshtml in your themes with the updated lines:

@using Umbraco.Forms.Core.Providers.FieldTypes 

at the top and replace

var fileName = filePath.Split('/').Last(); 

with

var fileName = filePath.Split(new[] { FileUpload.EncryptedFilePathAndFileNameSeparator }, StringSplitOptions.None).Last();

Details about the security issue

In order to give everybody a fair chance at updating their sites and be safe, we have chosen not to share details on what exactly the security problem is.

In respect to others, and in order to keep as many sites safe as possible, we therefore also ask for your discretion if you choose to discuss this issue publicly. 

The exact details of the security issue and fix will be released in 4 weeks. We recommend you upgrade your sites before then.

Update: The reporter has published a blog post with details on the issue on August 25th, 2021

Credit

The issue was discovered and reported by Gary O’Leary-Steele from AppCheck. We would like to thank Gary and AppCheck for their discretion in reporting the issue and help in confirming that it will be addressed correctly with the patches. Furthermore, it is worth highlighting the speed with which they have responded to questions and their help in planning the timeline for rollout and communication. 

Any questions?

If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.