Tuesday, February 28, 2017

Security advisory: Update Umbraco Forms immediately

March 1st 2017

Impact: High, requires immediate action. This advisory is the result of a private penetration test; we have no reports that the bug is being exploited.

You need to update Forms now:

Your site will need to be updated if you have installed Forms.

Umbraco Cloud has been automatically updated and Contour (the predecessor to Umbraco Forms) is not affected.

How to update?

If you are uncertain about how to update Forms, we recommend that you get in touch with the person / agency that built your Umbraco site and let them help you. It is an easy fix, but we recommend that only experienced Umbraco users perform the update.

Manual

If you are NOT using NuGet then you need to copy the new version of Umbraco.Forms.Core.Providers.dll into the bin folder of your website.

There are two versions of this library:

  1. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions LOWER than 4.3.0
  2. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions from 4.3.0 up to and including 4.4.1

This dll is fully backwards compatible so you don't need to worry about breaking anything.

If you don't know what version of Forms you're running, click on "Forms" in the backoffice menu bar to the left; your current Forms version is listed right under "Dashboard".

You can also find your current version by looking in the version file here: ~/App_Plugins/UmbracoForms/version

If you're not already using the latest version of Forms we recommend you take this opportunity to update your Umbraco Forms installation to the latest version wherein the fix has been added: Forms 4.4.2.
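The version check described above, as an added PowerShell example (not Umbraco's own tooling). It assumes the version file holds a plain version string; the function name Get-FormsPatchAdvice and the demo folder are hypothetical.

```powershell
# Added example. Assumption: the version file contains a plain version string, e.g. "4.3.2".
# It reads the version file only, so it cannot tell whether the replacement DLL
# has already been copied into the bin folder.
function Get-FormsPatchAdvice {
    param([Parameter(Mandatory)][string]$SiteRoot)  # physical folder that "~" maps to

    $versionFile = Join-Path $SiteRoot 'App_Plugins\UmbracoForms\version'
    if (-not (Test-Path -LiteralPath $versionFile)) {
        $raw = $null
        $advice = 'No version file found; Forms does not appear to be installed here'
    }
    else {
        # The [string] cast turns an empty file ($null) into '' so Trim() cannot fail.
        $raw = ([string](Get-Content -LiteralPath $versionFile -Raw)).Trim()
        $parsed = $null
        if (-not [version]::TryParse($raw, [ref]$parsed)) {
            $advice = 'Unrecognised version string; check the backoffice dashboard'
        }
        elseif ($parsed -lt [version]'4.3.0') {
            $advice = 'Use the Providers DLL for Forms versions lower than 4.3.0'
        }
        elseif ($parsed -lt [version]'4.4.2') {
            # Covers 4.3.0 up to and including 4.4.1 (also four-part strings such as 4.4.1.0).
            $advice = 'Use the Providers DLL for Forms 4.3.0 up to and including 4.4.1'
        }
        else {
            $advice = 'The advisory states the fix is in 4.4.2; no DLL replacement needed'
        }
    }
    [pscustomobject]@{ Site = $SiteRoot; Version = $raw; Advice = $advice }
}

# Constructed demo: a throwaway site root with a sample version file.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'forms-advisory-demo'
$formsDir = Join-Path $demo 'App_Plugins\UmbracoForms'
New-Item -ItemType Directory -Force -Path $formsDir | Out-Null
Set-Content -LiteralPath (Join-Path $formsDir 'version') -Value '4.3.2'

# Replace $demo with your real site roots to audit several sites in one pass.
$demo | ForEach-Object { Get-FormsPatchAdvice -SiteRoot $_ } | Format-List
```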

NuGet

If you ARE using NuGet then the following instructions apply. Run the following command in your Package Manager Console in Visual Studio:

Update-Package UmbracoForms

Alternatively you can use the NuGet UI to search for the Umbraco Forms package and update it to the latest version.

Automatic update

When you go to the Umbraco Forms section in the backoffice, Forms might offer to automatically update itself. You can also use this to secure your installation.

Questions?

If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

Details about the issue

Summary: All Umbraco Forms versions contain a critical security flaw

Fix: Replace a single assembly file or run a NuGet update command. Completely backwards compatible.

The newly discovered vulnerability is no longer present in version 4.4.2 of Umbraco Forms and we advise you to make sure that you are using at least version 4.4.1.

We want to thank Jeffrey Schoemaker from Perplex Internet for responsibly disclosing this issue to us.


We apologize for the inconvenience. Security issues are of the highest priority for us as we recognize that the trust in Umbraco depends heavily on this.

If you want to know more about how we handle security in Umbraco, you can read more about Umbraco Security here.
