Security Advisory July 9th 2019
If you are uncertain about how to handle this advisory, reach out to your technical contact for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary precautions.
Versions affected are:
- 6.2.0-6.2.6 (any v6 site since 6.2.0)
- 7.0.0-7.14.0 (any v7 site since 7.0.0 and lower than 7.15.0)
- 8.0.0-8.0.2 (any v8 site since 8.0.0 and lower than 8.1.0)
Any websites that are publicly available on the internet are impacted. Any sites that are not publicly available can still be impacted if there is a malicious actor within the network where the website is available.
This is classified as high severity.
If you can upgrade to v7.15.0 or v8.1.0, that would be the preferred way to fix this problem.
For anybody who cannot upgrade or needs a quick fix, there is some code that can be added to App_Code, or to the custom code you already have in your vulnerable sites.
As a fix, the code below is available. This code prevents anyone (also your own existing code!) from creating members through the vulnerable controller UmbRegisterController. If you are currently using UmbRegisterController to create members, please read the detailed explanation in the next section to see if you need to take action to rewrite some of your code.
Update: Jul 10, 9:23AM GMT+2 - Additionally, logged in members can update their own member profile with a simple POST request to UmbProfileController, so if you really do not want members to be able to update their information, that bypass is also fixed in the code linked below.
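The following is an added example of what such an App_Code hotfix for an Umbraco 7 site can look like; it is not the code Umbraco published with this advisory. It subscribes to the MemberService.Saving event and cancels any member save that originates from a request routed to UmbRegisterController (and, per the update above, UmbProfileController). It assumes that the Saving event fires for members created through those controllers and that the request's MVC route data names the controller "UmbRegister" or "UmbProfile" without the "Controller" suffix; verify both on a staging copy before relying on it.

```csharp
using System;
using System.Linq;
using System.Web;
using Umbraco.Core;
using Umbraco.Core.Events;
using Umbraco.Core.Logging;
using Umbraco.Core.Models;
using Umbraco.Core.Services;

// Illustrative App_Code hotfix for an Umbraco 7 site that cannot upgrade yet.
// Added example, not the hotfix Umbraco published with the advisory.
// ASSUMPTION: the Saving event fires for members created by UmbRegisterController,
// and the route data of that request names the controller "UmbRegister"
// ("UmbProfile" for UmbProfileController).
public class BlockPublicMemberRegistration : ApplicationEventHandler
{
    // Member saves originating from these front-end controllers are refused.
    // Drop "UmbProfile" if logged-in members may still edit their own profile.
    private static readonly string[] BlockedControllers = { "UmbRegister", "UmbProfile" };

    protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication,
                                               ApplicationContext applicationContext)
    {
        MemberService.Saving += OnMemberSaving;
    }

    private static void OnMemberSaving(IMemberService sender, SaveEventArgs<IMember> e)
    {
        var controller = CurrentControllerName();
        if (controller == null)
            return; // no HTTP request (back-office API, scheduled job, tests): allow

        if (!BlockedControllers.Contains(controller, StringComparer.OrdinalIgnoreCase))
            return; // any other code path (back office, your own controllers): allow

        // Cancelling the Saving event makes MemberService skip the persist,
        // so neither the snippet nor a crafted POST can create or change a member here.
        e.Cancel = true;

        // Leave a trace for incident responders: which controller, which account, which client.
        LogHelper.Warn<BlockPublicMemberRegistration>(
            string.Format("Refused member save via {0}Controller for [{1}] from {2}",
                controller,
                string.Join(", ", e.SavedEntities.Select(m => m.Email ?? m.Username)),
                HttpContext.Current.Request.UserHostAddress));
    }

    // Controller name from the current MVC route data, or null outside a web request.
    private static string CurrentControllerName()
    {
        var ctx = HttpContext.Current;
        if (ctx == null) return null;

        var routeData = ctx.Request.RequestContext.RouteData;
        object name;
        if (routeData == null || !routeData.Values.TryGetValue("controller", out name))
            return null;

        return name as string;
    }
}
```

Umbraco 7 discovers ApplicationEventHandler subclasses automatically, so dropping this file into App_Code is enough. Umbraco 8 does not use ApplicationEventHandler; the same MemberService.Saving subscription would be made from a component registered through a composer instead. In both cases the warning log line gives you something to alert on while the site is still on a vulnerable version.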
In version 6.2.0 of Umbraco we introduced some handy snippets for people to easily create a macro to be able to register new members in Umbraco. Conveniently you would not need to write your own code for this, just add a macro from a snippet and you're good to go.
This publicly exposed a controller (UmbRegisterController) with a predictable route. This allows anyone who knows this route to send a POST request to that route and register a member in your website.
Registering a member is not necessarily a big problem, unless you are (for example) running an intranet or put any other non-public data behind a login on your website. Suddenly people who have not been invited will be able to create an account.
Typically when exposing private data or privileged functionality to registered members of your site, you would require members to be in a certain Role (this is called a Member Group in Umbraco). The exposed UmbRegisterController does not provide a method to assign members to a Role / Member Group.
Please make sure that any data / functionality you do not want to be publicly available is properly secured by requiring members to be in a certain Role / Member Group.
The fix in v7.15.0 and v8.1.0 explained
In the fix for 7.15.0 and 8.1.0 we require a non-spoofable anti-forgery token to be POSTed when creating a member through this controller. This means that if there is no registration page, nobody can create a member. The registration page needs to use the BeginUmbracoForm method to POST the form to the server (which is what the macro snippet does by default).
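As an added example (not the advisory's own snippet), this is the shape of a registration macro partial view that renders its form with BeginUmbracoForm, which is what keeps registration working once 7.15.0 / 8.1.0 start validating the route token. It assumes the v7 UmbRegisterController action HandleRegisterMember and its "registerModel" binding prefix.

```cshtml
@inherits Umbraco.Web.Macros.PartialViewMacroPage
@using Umbraco.Web.Controllers
@*
    Added example of a registration form for UmbRegisterController.
    ASSUMPTION: the action is HandleRegisterMember and it binds the model
    with the "registerModel" prefix, so field names must carry that prefix.
*@
@{
    var registerModel = Members.CreateRegistrationModel();
    registerModel.LoginOnSuccess = true;
    registerModel.UsernameIsEmail = true;
}

@* BeginUmbracoForm emits the hidden route token the patched controller checks.
   A hand-written <form> posting straight at the controller does not, and is
   rejected after the upgrade. *@
@using (Html.BeginUmbracoForm<UmbRegisterController>("HandleRegisterMember"))
{
    <fieldset>
        <legend>Register</legend>
        @Html.ValidationSummary(excludePropertyErrors: true)

        @Html.LabelFor(m => registerModel.Name)
        @Html.TextBoxFor(m => registerModel.Name)
        @Html.ValidationMessageFor(m => registerModel.Name)

        @Html.LabelFor(m => registerModel.Email)
        @Html.TextBoxFor(m => registerModel.Email)
        @Html.ValidationMessageFor(m => registerModel.Email)

        @Html.LabelFor(m => registerModel.Password)
        @Html.PasswordFor(m => registerModel.Password)
        @Html.ValidationMessageFor(m => registerModel.Password)

        @* Server-side settings travel as hidden fields; the member type alias
           decides which member type is created, not the caller's free choice. *@
        @Html.HiddenFor(m => registerModel.MemberTypeAlias)
        @Html.HiddenFor(m => registerModel.RedirectUrl)
        @Html.HiddenFor(m => registerModel.UsernameIsEmail)

        <button type="submit">Register</button>
    </fieldset>
}
```

When reviewing a site before upgrading, the thing to look for is any registration or profile form that posts to the controller without BeginUmbracoForm (a plain HTML form, or a JavaScript fetch/XHR): those will stop working once the token is required, which is the intended effect, and they should be rewritten to go through BeginUmbracoForm rather than have the check worked around.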
For more information
If you have any questions or comments about this advisory, make sure to get in touch with us through our security email address as listed on https://umbraco.com/security.