Medium-severity security vulnerability identified in Umbraco CMS
Security Advisory, January 20, 2022
If you are uncertain about how to handle this advisory, reach out to your technical contact/web agency for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary actions.
Who’s affected?
We worked with AppCheck and encouraged them to create a CVE for this issue. We agree with the assessment of the severity being a medium level security issue.
In our estimation, the number of sites hosted with a vulnerable configuration is very low, namely sites with an IIS server configured without any hostname bindings AND no value in umbracoApplicationUrl. Additionally, the attacker would also need to know the email address of one of your Umbraco users.
To make it clear:
- If there are only hostname bindings defined in IIS then there is no issue
- If the umbracoApplicationUrl is configured in Umbraco then there is no issue
- If you have disabled the password reset functionality or don’t have a valid SMTP configuration, there is no issue
Umbraco Cloud, Heartcore and Uno projects are not affected. This also goes for sites hosted on Azure Web App Service.
What can you do?
The following guidance is valid for all versions of Umbraco going back to version 7.
- If you have access to your IIS hostname bindings, then make sure to set up the domain name(s) that are valid for your website.
- If you don’t have access to IIS hostname bindings and you know that there are no bindings set, then you can set the umbracoApplicationUrl.
  - The umbracoApplicationUrl will be used in password reset emails.
  - If you are hosting sites on multiple domains this might not be your preferred method, since the emails will all contain the configured application URL.
  - In that case, we recommend you get someone to help you set up IIS bindings.
You can find documentation on how to configure the umbracoApplicationUrl here:
Alternatively, you can completely disable the forgotten password functionality by changing the AllowPasswordReset configuration setting from the default “true” to “false”. Documentation about that can be found here:
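The configuration check described above, as an added PowerShell example that is not part of this advisory or of Umbraco itself: it inspects one IIS site's bindings and the Umbraco configuration file for the combination the advisory describes as vulnerable (a binding with no hostname AND an empty umbracoApplicationUrl, with password reset still enabled). The site name, config path, example hostname and the configuration key paths (Umbraco 9 appsettings.json, Umbraco 7/8 umbracoSettings.config) are assumptions to verify against the version you run.

```powershell
# Added example, not from the Umbraco advisory: audit one IIS site for the
# combination the advisory names as vulnerable. Assumes the IIS
# WebAdministration module is installed; site name and config path are
# placeholders.
param(
    [string]$SiteName   = 'Default Web Site',                    # placeholder
    [string]$ConfigPath = 'C:\inetpub\umbraco\appsettings.json'  # placeholder
)

Import-Module WebAdministration

# bindingInformation has the form "IP:port:hostname"; an empty third part is
# a binding with no hostname, i.e. the site answers requests for any host.
function Get-BindingsWithoutHostname([string]$Site) {
    Get-WebBinding -Name $Site | Where-Object {
        [string]::IsNullOrEmpty(($_.bindingInformation -split ':')[2])
    }
}

# Reads the two settings the advisory's guidance relies on. Key paths are
# assumed from Umbraco 9 (appsettings.json) and Umbraco 7/8
# (umbracoSettings.config); verify them against your version.
function Get-UmbracoResetSettings([string]$Path) {
    if ($Path -like '*.json') {
        $cfg = Get-Content -Raw -Path $Path | ConvertFrom-Json
        return @{
            ApplicationUrl     = $cfg.Umbraco.CMS.WebRouting.UmbracoApplicationUrl
            AllowPasswordReset = $cfg.Umbraco.CMS.Security.AllowPasswordReset
        }
    }
    [xml]$xml = Get-Content -Raw -Path $Path
    return @{
        ApplicationUrl     = $xml.settings.'web.routing'.umbracoApplicationUrl
        AllowPasswordReset = $xml.settings.security.allowPasswordReset
    }
}

$noHost        = @(Get-BindingsWithoutHostname -Site $SiteName)
$settings      = Get-UmbracoResetSettings -Path $ConfigPath
$appUrlMissing = [string]::IsNullOrWhiteSpace($settings.ApplicationUrl)
# AllowPasswordReset defaults to true; only an explicit false disables reset.
$resetEnabled  = "$($settings.AllowPasswordReset)" -ne 'false'

foreach ($b in $noHost) {
    Write-Warning "Binding $($b.protocol) $($b.bindingInformation) has no hostname"
}
if ($appUrlMissing) { Write-Warning "umbracoApplicationUrl is empty in $ConfigPath" }

if ($noHost.Count -gt 0 -and $appUrlMissing -and $resetEnabled) {
    Write-Output 'Site matches the vulnerable configuration. Any one of these resolves it:'
    Write-Output "  New-WebBinding -Name '$SiteName' -Protocol https -Port 443 -HostHeader 'www.example.com'"
    Write-Output '  set umbracoApplicationUrl (Umbraco:CMS:WebRouting:UmbracoApplicationUrl in appsettings.json)'
    Write-Output '  set AllowPasswordReset to false (Umbraco:CMS:Security:AllowPasswordReset)'
} else {
    Write-Output 'Site does not match the vulnerable configuration.'
}
```

Run it from an elevated PowerShell session on the web server, passing `-SiteName` and `-ConfigPath` for each Umbraco site; a site with hostname bindings on every binding, or with umbracoApplicationUrl set, is reported as not matching, which is the same outcome the three bullets under "To make it clear" describe.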
What are we doing?
Umbraco 9.2 and 8.18 contain a new security health check alerting you of a missing umbracoApplicationUrl.
We’ve been working on some additional fixes to the CMS for Umbraco 8 and 9. A partial fix went out in version 9.2. However, there are still edge cases that we need to work on.
Currently, we’re working on patch updates for Umbraco 8 and Umbraco 9 which might require breaking changes for the sake of keeping sites secure. This means that on some sites the “Forgot password” functionality will not be available anymore without additional configuration of Umbraco.
There will not be a patch update for Umbraco 7 since we haven’t classified this as a critical security problem. We recommend using one of the configurations listed above.
Credit
The issue was discovered and reported by Gary O’Leary-Steele from AppCheck. We would like to thank Gary and AppCheck for their discretion in reporting the issue and help in confirming that it will be addressed correctly with the patches. Furthermore, it is worth highlighting the speed with which they have responded to questions and their help in planning the timeline for rollout and communication.
Any questions?
If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.
If you want to get notified about security heads-ups and advisories directly, sign up to the Umbraco Security mailing list.