Monday, July 21, 2014

Security issues found in Umbraco 4, 6 and 7

As Umbraco becomes more popular, more people are also hiring security specialists to analyze our source code for potential vulnerabilities. We applaud this; a fresh view on things can often reveal issues that have been overlooked so far.

Today we're publishing the results of two independent security audits that uncovered some issues that you need to be aware of and fix in your Umbraco installations.

Of course we're in the process of fixing these problems for future versions of Umbraco where necessary, but many currently running live sites are affected and need updates immediately.

We advise you to update or remove the following files:

  • Update: umbraco\Developer\Packages\proxy.htm with the updated version found in this GitHub commit.
    Affected versions: all versions 4, 6 and 7
    Impact of updating this file: none.
  • Delete: umbraco\Dashboard\Swfs\AIRInstallBadge.swf
    Affected versions: 4.6.1 through 6.2.1 (v7 is not affected)
    Impact of deleting this file: you won't be able to install Desktop Media Uploader from the backoffice any more; it can still be installed by installing the umbraco\Dashboard\air\DesktopMediaUploader.air file.
  • Delete: Config\Splashes\booting.aspx
    Affected versions: all versions 4, 6 and 7
    Impact of deleting this file: you would only see the "booting" screen if your site takes more than 10 seconds in the phase where Umbraco is starting and cannot serve more than one request; removing this file gives a blank screen instead of the "booting" screen (hardly anybody will ever have seen this screen in the first place).
  • Delete: the install folder
    Affected versions: 4.9.0 through 6.1.6 (6.2.0+ and 7 are not affected)
    Impact of deleting this folder: none. We've always advised deleting the install folder immediately after installing Umbraco and never uploading it to a live server.
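The checklist above has to be applied to every live site, and whether a given path needs action depends on the installed version. The following PowerShell script is an added example, not something from the Umbraco post or the Umbraco project: it reads the installed version from the site's web.config (the standard umbracoConfigurationStatus appSetting), encodes the four items and their affected version ranges exactly as listed above, and reports which paths are present and in scope. With -Remove it deletes the three "Delete" items; proxy.htm is only flagged, because replacing it with the patched copy from the commit is a manual step. The script name, the parameter names and the report format are assumptions of this example.

```powershell
# Added example (not from the Umbraco post): audit one Umbraco site root against the
# advisory above and, optionally, delete the paths the advisory says to delete.
# Assumptions: web.config carries the standard "umbracoConfigurationStatus" appSetting
# (present in v4 to v7) and the site uses the default folder layout named in the post.
param(
    [Parameter(Mandatory = $true)][string]$SiteRoot,
    [switch]$Remove   # without -Remove the script only reports what it would do
)

# Read the installed version from web.config; returns $null if it cannot be determined.
function Get-UmbracoVersion([string]$Root) {
    $configPath = Join-Path $Root 'web.config'
    if (-not (Test-Path $configPath)) { return $null }
    [xml]$cfg = Get-Content -Path $configPath -Raw
    $node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq 'umbracoConfigurationStatus' }
    if ($null -eq $node -or [string]::IsNullOrWhiteSpace($node.value)) { return $null }
    # Version strings may carry a suffix such as "7.1.4-beta"; keep only the numeric part.
    $numeric = ($node.value -split '-')[0]
    try { return [version]$numeric } catch { return $null }
}

# One entry per item in the advisory: relative path, action, affected range.
# A $null bound means "no bound" (the post says "all versions 4, 6 and 7").
$advisory = @(
    @{ Path = 'umbraco\Developer\Packages\proxy.htm';       Action = 'Update'; Min = $null;            Max = $null },
    @{ Path = 'umbraco\Dashboard\Swfs\AIRInstallBadge.swf'; Action = 'Delete'; Min = [version]'4.6.1'; Max = [version]'6.2.1' },
    @{ Path = 'Config\Splashes\booting.aspx';               Action = 'Delete'; Min = $null;            Max = $null },
    @{ Path = 'install';                                    Action = 'Delete'; Min = [version]'4.9.0'; Max = [version]'6.1.6' }
)

# True when the installed version falls inside the item's affected range.
# An unknown version is treated as affected so that nothing is silently skipped.
function Test-Affected($Item, [version]$Ver) {
    if ($null -eq $Ver) { return $true }
    if ($null -ne $Item.Min -and $Ver -lt $Item.Min) { return $false }
    if ($null -ne $Item.Max -and $Ver -gt $Item.Max) { return $false }
    return $true
}

$version = Get-UmbracoVersion $SiteRoot
$shown = if ($null -ne $version) { $version.ToString() } else { 'unknown' }
Write-Host ("Site: {0}  Umbraco version: {1}" -f $SiteRoot, $shown)

foreach ($item in $advisory) {
    $full = Join-Path $SiteRoot $item.Path
    if (-not (Test-Path $full)) {
        Write-Host ("OK       {0} (not present)" -f $item.Path)
        continue
    }
    if (-not (Test-Affected $item $version)) {
        Write-Host ("OK       {0} (version not in affected range)" -f $item.Path)
        continue
    }
    if ($item.Action -eq 'Update') {
        # proxy.htm must be replaced by the patched copy; that is a manual step.
        Write-Host ("UPDATE   {0} -> replace with the patched version from the commit" -f $item.Path)
        continue
    }
    if ($Remove) {
        Remove-Item -Path $full -Recurse -Force
        Write-Host ("REMOVED  {0}" -f $item.Path)
    } else {
        Write-Host ("DELETE   {0} (re-run with -Remove to delete)" -f $item.Path)
    }
}
```

Run it once per site root without -Remove to get a report, then again with -Remove once the output matches what you expect; on a version the script cannot read it reports every item as affected rather than guessing, which is the safer default for an advisory like this one.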

Please take this advisory seriously and take immediate action to secure your running sites properly.

If you have any questions, make sure to leave a comment, and remember that this blog doesn't send notification e-mails, so check back here to find the answer to your questions.
