Umbraco

Security issues found in Umbraco 4, 6 and 7

As Umbraco becomes more popular, there are also more people hiring security specialists to analyze our source code for potential vulnerabilities. We applaud this: a fresh view on things can often reveal issues that have been overlooked so far.

Today we're publishing the results of two independent security audits that uncovered some issues that you need to be aware of and fix in your Umbraco installations.

Of course we're in the process of fixing these problems for future versions of Umbraco where necessary, but many currently running live sites are affected and need updates immediately.

We advise you to update or remove the following files:

  • Update: umbraco\Developer\Packages\proxy.htm with the updated version found in this Github commit.
    Affected versions: all versions 4, 6 and 7
    Impact of updating this file: none.
    • Update: this was fixed for Umbraco versions between 6.2.2 and 6.2.6 - if you've ever upgraded from a lower version you have to check if the contents of the file are the same as the Github commit above.
    • Update: this was fixed for Umbraco version 7.1.5 and above - if you've ever upgraded from a lower version you have to check if the contents of the file are the same as the Github commit above.
  • Delete: umbraco\Dashboard\Swfs\AIRInstallBadge.swf
    Affected versions: 4.6.1 through 6.2.1 (v7 is not affected)
    Impact of deleting this file: you won't be able to install Desktop Media Uploader from the backoffice any more, but it can still be installed from the umbraco\Dashboard\air\DesktopMediaUploader.air file.
  • Delete: Config\Splashes\booting.aspx
    Affected versions: all versions 4, 6 and 7
    Impact of deleting this file: you would only see the "booting" screen if your site takes more than 10 seconds in the phase where Umbraco is starting and cannot serve more than one request; removing this file gives a blank screen instead of the "booting" screen (hardly anybody will ever have seen this screen in the first place).
    • Update: if you are using Umbraco versions between 6.2.2 and 6.2.6 then you're fine; the underlying DLLs have been updated to eliminate this issue.
    • Update: if you're using Umbraco version 7.1.7 or higher then you're fine; the underlying DLLs have been updated to eliminate this issue.
  • Delete: the install folder
    Affected versions: 4.9.0 through 6.1.6 (6.2.0+ and 7 are not affected)
    Impact of deleting this folder: none; we've always advised to delete the install folder immediately after installing Umbraco and never to upload it to a live server.
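To check a running site against the four items above, here is an audit script added to this post as an example; it is not code from Umbraco itself. It assumes PowerShell 4 or later on the web server, that you pass the site's web root as $SiteRoot, and that you have saved the updated proxy.htm from the GitHub commit to a path of your choosing (the default $KnownGoodProxyHtm is a placeholder). It reads the installed version from web.config, reports what needs updating or deleting, and removes nothing itself.

```powershell
# Audit script for the four items in this advisory (added example, not Umbraco project code).
# Assumptions: PowerShell 4 or later (for Get-FileHash), $SiteRoot is the web root of one
# Umbraco site, and $KnownGoodProxyHtm is where you saved the updated proxy.htm (placeholder path).
param(
    [Parameter(Mandatory = $true)][string]$SiteRoot,
    [string]$KnownGoodProxyHtm = 'C:\placeholder\known-good\proxy.htm'
)

# Umbraco 4-7 store the installed version in the umbracoConfigurationStatus appSetting of web.config.
$version = $null
$webConfig = Join-Path $SiteRoot 'web.config'
if (Test-Path $webConfig) {
    [xml]$cfg = Get-Content -Path $webConfig
    $setting = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'umbracoConfigurationStatus' }
    if ($setting -and $setting.value -match '^\d+(\.\d+)+$') { $version = [version]$setting.value }
}
$unknown = -not $version   # an unreadable version is treated as affected for the version-dependent items
Write-Output ("Umbraco version: " + $(if ($unknown) { 'unknown (treated as affected)' } else { $version }))

# True when $v lies within [$lo, $hi]; only called when $version is known.
function Test-InRange($v, [string]$lo, [string]$hi) {
    return ($v -ge [version]$lo) -and ($v -le [version]$hi)
}
$findings = @()

# 1. proxy.htm: every version is affected, so compare it against the known-good copy by hash.
$proxy = Join-Path $SiteRoot 'umbraco\Developer\Packages\proxy.htm'
if (Test-Path $proxy) {
    if (-not (Test-Path $KnownGoodProxyHtm)) {
        $findings += "CHECK   $proxy (no known-good copy at $KnownGoodProxyHtm to compare against)"
    } elseif ((Get-FileHash $proxy -Algorithm SHA256).Hash -ne (Get-FileHash $KnownGoodProxyHtm -Algorithm SHA256).Hash) {
        $findings += "UPDATE  $proxy (differs from the known-good copy)"
    }
}

# 2. AIRInstallBadge.swf: affected 4.6.1 through 6.2.1 (v7 is not affected).
$swf = Join-Path $SiteRoot 'umbraco\Dashboard\Swfs\AIRInstallBadge.swf'
if ((Test-Path $swf) -and ($unknown -or (Test-InRange $version '4.6.1' '6.2.1'))) { $findings += "DELETE  $swf" }

# 3. booting.aspx: affected everywhere except 6.2.2-6.2.6 and 7.1.7+, where the patched DLLs make it safe.
$boot = Join-Path $SiteRoot 'Config\Splashes\booting.aspx'
$patched = (-not $unknown) -and ((Test-InRange $version '6.2.2' '6.2.6') -or ($version -ge [version]'7.1.7'))
if ((Test-Path $boot) -and (-not $patched)) { $findings += "DELETE  $boot" }

# 4. The install folder: affected 4.9.0 through 6.1.6, and it should never be on a live server anyway.
$install = Join-Path $SiteRoot 'install'
if (Test-Path $install) { $findings += "DELETE  $install (folder; never upload it to a live server)" }

if ($findings.Count -eq 0) { Write-Output 'No affected files found.' } else { $findings | Write-Output }
```

Run it once per site root on the server (for example `.\Check-UmbracoAdvisory.ps1 -SiteRoot 'C:\inetpub\wwwroot\mysite'`, with the script saved under any name you like) and act on each line it reports.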

Please take this advisory seriously and take immediate action to secure your running sites properly.

If you have any questions, make sure to leave a comment, and remember that this blog doesn't send notification e-mails, so check back here to find the answer to your questions.