Umbraco

Security update - two major vulnerabilities found

Niels Hartvig
Written by Niels Hartvig

Motivated by this week’s discovery of a security vulnerability, we analysed the entire Umbraco core and found two additional major vulnerabilities

This article is from 2013. If you want updated information on Umbraco vulnerabilities, here's some helpful links:

 

TL;DR: Motivated by this week’s discovery of a security vulnerability, we analysed the entire Umbraco core and found two additional major vulnerabilities, so you’ll need to patch your installation as soon as possible. Download a patch for your Umbraco version in the bottom of this post.

Update: 4.11.8 / 6.0.5 released, see the last paragraph of this post.
Update 2: 
Versions before 4.5.0 are not affected by these new vulnurabilities, however yesterday's security alert still applies (recommendation is still: delete umbraco.webservices.dll).
In light of this information we will not be publishing custom builds for versions lower than 4.5.0. 
Update 3:
Some people are using 4.9.0 / 4.9.1 with a custom patch, the dll versions are now in the table below and patch files have been added ("Inline Xslt Fix" versions). 
Update 4:
Unfortunately we can't  provide a patch update for 4.7.1, please email sebastiaan@umbraco.com for alternatives.

We've found two more major vulnerabilities

In parallel with the earlier security alert, we’ve been going through every method in Umbraco that deals with external requests. Based on this analysis, we’ve found two additional vulnerabilities and therefore we strongly recommend that you update your installation(s). The following steps are necessary even if you have already deleted the umbraco.webservices.dll.

To make this as easy as possible, we’ve created patched versions of all Umbraco releases from the past three years. To secure your site, find what version of Umbraco you’re using and download the corresponding patch in the bottom of this post. The patch is a zip file that includes updated and secure versions of umbraco.dll and umbraco.webservices.dll. Once these files are copied to your /bin folder your installation is patched and secured.

We know this is frustrating as you’ve probably already spent time this week updating your installations. We hope you understand that we took this double approach with delete first, patch secondly to ensure that your Umbraco installation would be as secure as possible in the quickest possible way.

In addition to the incredible efforts from the core team in dealing with these issues, I’d like to thank the brilliant partners and security analysts we’ve worked with over the last couple of days for their tireless help and constructive feedback in making Umbraco as secure as possible.

Last year - after Codegarden - we added a new workflow for core submissions with more thorough code reviews of both internal and external code, but unfortunately the vulnerabilities discovered were related to core changes before this governance was implemented.

We apologize for the inconvenience that these security vulnerabilities have caused, we’re doing everything we possibly can to ensure you won’t experience a deja vu anytime soon. We'll share details of the vulnerabilities in June when you've all had time to secure your installations.

How to patch your installation

The updated files can be downloaded from the list below. Back up your /bin/umbraco.dll and /bin/umbraco.webservices.dll and replace them with the versions you find in the release overview on our.umbraco.com.

Custom Umbraco build or not able to patch?

If you're not able to patch your installation or if you run a modified version of Umbraco - if you have modified the source of Umbraco and build your own version - we recommend that you setup a firewall to protect against external calls to /umbraco. You can see if you run a custom build of Umbraco by comparing your assembly version with the one in the table below. If the dll is of the below version number then you can safely overwrite the current version with the patched version (after making a backup, of course).

Umbraco version

umbraco.dll

umbraco.webservices.dll

4.5.0

1.0.3827.19799

1.0.0.0

4.5.1

1.0.3858.40498

not present

4.5.2

1.0.3891.20719

not present

4.6.1

1.0.4029.25836

not present

4.7.0

1.0.4090.38017

not present

4.7.1.1

1.0.4393.24044

not present

4.7.2

1.0.4500.21031

not present

4.8.0

1.0.4583.15483

1.0.4583.15512

4.8.1

1.0.4609.17579

1.0.4609.17585

4.9.0

1.0.4633.18696

1.0.4633.18727

4.9.0 with Inline XSLT fix

1.0.4640.26027

1.0.4633.18727

4.9.1

1.0.4679.40364

1.0.4679.40370

4.9.1 with Inline XSLT fix

1.0.4693.32168

1.0.4679.40370

4.10.1

1.0.4701.29088

1.0.4701.29098

4.11.7

1.0.4863.25338

1.0.4863.25346

6.0.3

1.0.4834.188856

1.0.4834.18858

6.0.4

1.0.4863.23141

1.0.4863.23147

If you're using Umbraco v4.5.1-4.7.2 and have the umbraco.webservices.dll file in your bin folder and you absolutely cannot live without it, then there's a secured version available for Umbraco 4 and for Umbraco 6.

Upgrading

We've just released version 4.11.8 and 6.0.5. The only changes from their previous versions is the security fixes, so it's a safe upgrade. Head on out to our.umbraco.com or NuGet to get them.