16683508582 2C86a1dcf0 H (13)

Security advisory: Update Umbraco Forms immediately

If you have installed Umbraco Forms, you need to update now. Contour is not affected and Umbraco Cloud customers have all been updated automatically thus, do not need to take any action.

Sebastiaan Author
Written by Sebastiaan Janssen

If you have installed Umbraco Forms, you need to update now | Contour is not affected and Umbraco Cloud customers have all been updated automatically

March 1st 2017

Impact: High, requires immediate action. This advisory is the result of a private penetration test, we have no reports that the bug is being exploited.

You need to update Forms now:

Your site will need to be updated if you have installed Forms. 

Umbraco Cloud has been automatically updated and Contour (the predecessor to Umbraco Forms) is not affected.

How to update?

If you are uncertain about how to update Forms, we recommend that you get in touch with the person / agency that built your Umbraco site and let them help you. It is an easy fix, but we only recommend experienced Umbraco users to do the update.

Manual

If you are NOT using NuGet then you need to copy the new version of Umbraco.Forms.Core.Providers.dll into the bin folder of your website.

There's two versions of this library:

  1. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions LOWER than 4.3.0
  2. Umbraco.Forms.Core.Providers.dll - compatible with Umbraco Forms versions from 4.3.0 up to and including 4.4.1

This dll is fully backwards compatible so you don't need to worry about breaking anything.

If you don't know what version of Forms you're running click on "Forms" in the backoffice menu bar to the left and right under "Dashboard" your current Forms version is listed:

You can also find your current version by looking in the version file here: ~/App_Plugins/UmbracoForms/version 

 

If you're not already using the latest version of Forms we recommend you take this opportunity to update your Umbraco Forms installation to the latest version wherein the fix has been added: Forms 4.4.2.

 

NuGet

If you ARE using NuGet then the following instructions apply. Run the following command in your Package Manager Console in Visual Studio:

Update-Package UmbracoForms

Alternatively you can use the NuGet UI to search for the Umbraco Forms package and update it to the latest version.

Automatic update

When you go to the Umbraco Forms section in the backoffice, Forms might offer to automatically update itself, you can also use this to secure your installation. 

Questions?

If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

Details about the issue

Summary: All Umbraco Forms versions contain a critical security flaw

Fix: Replace a single assembly file or run a NuGet update command. Completely backwards compatible.

The newly discovered vulnerability is no longer present in version 4.4.2 of Umbraco Forms and we advise you to make sure that you are using at least version 4.4.1.

We want to thank Jeffrey Schoemaker from Perplex Internet for responsibly disclosing this issue with us.

 


We apologize for the inconvenience. Security issues are of the highest priority for us as we recognize that the trust in Umbraco depends heavily on this.

If you want to know more about how we handle security in Umbraco, you can read more about Umbraco Security here.

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advise, go ahead and ask the Umbraco community on Our.

Number of active installs
502567
Number of active members in the community
221745
Known free Umbraco packages available
1211

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox