Tuesday, February 28, 2017

Security advisory: Update Umbraco Forms immediately

March 1st 2017

Impact: High, requires immediate action. This advisory is the result of a private penetration test, we have no reports that the bug is being exploited.

You need to update Forms now:

Your site will need to be updated if you have installed Forms. 

Umbraco Cloud has been automatically updated and Contour (the predecessor to Umbraco Forms) is not affected.

How to update?

If you are uncertain about how to update Forms, we recommend that you get in touch with the person / agency that built your Umbraco site and let them help you. It is an easy fix, but we only recommend experienced Umbraco users to do the update.

Manual

If you are NOT using NuGet then you need to copy the new version of Umbraco.Forms.Core.Providers.dll into the bin folder of your website.

There's two versions of this library:

  1. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions LOWER than 4.3.0
  2. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions from 4.3.0 up to and including 4.4.1

This dll is fully backwards compatible so you don't need to worry about breaking anything.

If you don't know what version of Forms you're running click on "Forms" in the backoffice menu bar to the left and right under "Dashboard" your current Forms version is listed:

Forms

 

 

You can also find your current version by looking in the version file here: ~/App_Plugins/UmbracoForms/version 

 

If you're not already using the latest version of Forms we recommend you take this opportunity to update your Umbraco Forms installation to the latest version wherein the fix has been added: Forms 4.4.2.

 

NuGet

If you ARE using NuGet then the following instructions apply. Run the following command in your Package Manager Console in Visual Studio:

Update-Package UmbracoForms

Alternatively you can use the NuGet UI to search for the Umbraco Forms package and update it to the latest version.

Automatic update

When you go to the Umbraco Forms section in the backoffice, Forms might offer to automatically update itself, you can also use this to secure your installation. 

Questions?

If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

Details about the issue

Summary: All Umbraco Forms versions contain a critical security flaw

Fix: Replace a single assembly file or run a NuGet update command. Completely backwards compatible.

The newly discovered vulnerability is no longer present in version 4.4.2 of Umbraco Forms and we advise you to make sure that you are using at least version 4.4.1.

We want to thank Jeffrey Schoemaker from Perplex Internet for responsibly disclosing this issue with us.

 


We apologize for the inconvenience. Security issues are of the highest priority for us as we recognize that the trust in Umbraco depends heavily on this.

If you want to know more about how we handle security in Umbraco, you can read more about Umbraco Security here.

Related Story

New Umbraco Training Course

Together with our Gold Partner The Cogworks, we are thrilled to announce a brand new official Umbraco Course: Searching and Indexing with Examine. A course that will teach you how to optimise the search function on your website, making it a breeze for your visitors to find relevant content. As the founding father of this course, Ismail Mayat will tell you all about it including the skills you’ll gain and how to sign-up:

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers send directly to your inbox

Are you sure, that's your real e-mail?