Wednesday, May 1, 2013

Security update - two major vulnerabilities found


TL;DR: Motivated by this week's discovery of a security vulnerability, we analysed the entire Umbraco core and found two additional major vulnerabilities, so you'll need to patch your installation as soon as possible. Download the patch for your Umbraco version at the bottom of this post.

Update: 4.11.8 / 6.0.5 released, see the last paragraph of this post.
Update 2:
Versions before 4.5.0 are not affected by these new vulnerabilities; however, yesterday's security alert still applies (the recommendation is still: delete umbraco.webservices.dll).
In light of this we will not be publishing custom builds for versions lower than 4.5.0.
Update 3:
Some people are using 4.9.0 / 4.9.1 with a custom patch; the dll versions are now in the table below and patch files have been added ("Inline XSLT fix" versions).
Update 4:
Unfortunately we can't provide a patch update for 4.7.1; please email sebastiaan@umbraco.com for alternatives.

We've found two more major vulnerabilities

In parallel with the earlier security alert, we've been going through every method in Umbraco that deals with external requests. Based on this analysis, we've found two additional vulnerabilities and therefore strongly recommend that you update your installation(s). The following steps are necessary even if you have already deleted umbraco.webservices.dll as the earlier alert recommended.

To make this as easy as possible, we've created patched versions of all Umbraco releases from the past three years. To secure your site, find which version of Umbraco you're using and download the corresponding patch at the bottom of this post. The patch is a zip file that includes updated and secure versions of umbraco.dll and umbraco.webservices.dll. Once these files are copied to your /bin folder, your installation is patched and secured.

We know this is frustrating, as you've probably already spent time this week updating your installations. We hope you understand that we took this double approach, delete first and patch second, to ensure that your Umbraco installation would be as secure as possible in the quickest possible way.

In addition to the incredible efforts from the core team in dealing with these issues, I’d like to thank the brilliant partners and security analysts we’ve worked with over the last couple of days for their tireless help and constructive feedback in making Umbraco as secure as possible.

Last year - after Codegarden - we added a new workflow for core submissions with more thorough code reviews of both internal and external code, but unfortunately the vulnerabilities discovered were related to core changes before this governance was implemented.

We apologize for the inconvenience that these security vulnerabilities have caused, we’re doing everything we possibly can to ensure you won’t experience a deja vu anytime soon. We'll share details of the vulnerabilities in June when you've all had time to secure your installations.

How to patch your installation

The updated files can be downloaded from the list below. Back up your /bin/umbraco.dll and /bin/umbraco.webservices.dll and replace them with the versions you find in the zip file below.

Custom Umbraco build or not able to patch?

If you're not able to patch your installation, or if you run a modified version of Umbraco (you have modified the Umbraco source and built your own version), we recommend that you set up a firewall to block external calls to /umbraco. You can see whether you run a custom build of Umbraco by comparing your assembly versions with the ones in the table below. If your dll has the version number listed below, you can safely overwrite it with the patched version (after making a backup, of course).
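One way to carry out the "block external calls to /umbraco" recommendation on IIS, as an added example that is not part of the original post or of Umbraco itself: it uses the IIS "IP and Domain Restrictions" feature (the WebAdministration module's Add-WebConfigurationProperty / Set-WebConfigurationProperty cmdlets) to deny everything under /umbraco by default and then allow only trusted source addresses. The site name 'Default Web Site' and the 203.0.113.0/24 range are placeholders you must replace, and the feature is assumed to be installed on the server.

```powershell
# Added example, not from the original post. Restricts the /umbraco path of an
# IIS site to trusted addresses via the IIS "IP and Domain Restrictions" feature,
# so the back office and its web services are unreachable from the internet
# while a custom build cannot be patched.
# Assumptions: the feature is installed, the site is 'Default Web Site', and
# 203.0.113.0/24 is the trusted (office/VPN) range. Both are placeholders.
Import-Module WebAdministration

$site     = 'Default Web Site'
$location = "$site/umbraco"
$filter   = 'system.webServer/security/ipSecurity'
$trusted  = @(
    @{ ipAddress = '203.0.113.0'; subnetMask = '255.255.255.0' },  # placeholder range
    @{ ipAddress = '127.0.0.1' }                                   # local admin access
)

# Deny every address that is not explicitly listed for this path ...
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter $filter -Name 'allowUnlisted' -Value 'False'

# ... then add an allow entry for each trusted address or range.
foreach ($entry in $trusted) {
    $value = @{ ipAddress = $entry.ipAddress; allowed = 'True' }
    if ($entry.subnetMask) { $value.subnetMask = $entry.subnetMask }
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
        -Filter $filter -Name '.' -Value $value
}

# Confirm the default is now deny for /umbraco.
$allowUnlisted = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $location -Filter $filter -Name 'allowUnlisted'
Write-Host "allowUnlisted for $location is now: $($allowUnlisted.Value)"
```

Two caveats: the rule must cover the whole /umbraco path (the web services the earlier alert is about live below it), not just the login page; and because the rule is applied at the site's location in applicationHost.config rather than in the site's web.config, a redeploy of the site will not remove it. Remember that deny-by-default also locks out legitimate editors who are not on the trusted range.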

Umbraco version               umbraco.dll        umbraco.webservices.dll
4.5.0                         1.0.3827.19799     1.0.0.0
4.5.1                         1.0.3858.40498     not present
4.5.2                         1.0.3891.20719     not present
4.6.1                         1.0.4029.25836     not present
4.7.0                         1.0.4090.38017     not present
4.7.1.1                       1.0.4393.24044     not present
4.7.2                         1.0.4500.21031     not present
4.8.0                         1.0.4583.15483     1.0.4583.15512
4.8.1                         1.0.4609.17579     1.0.4609.17585
4.9.0                         1.0.4633.18696     1.0.4633.18727
4.9.0 with Inline XSLT fix    1.0.4640.26027     1.0.4633.18727
4.9.1                         1.0.4679.40364     1.0.4679.40370
4.9.1 with Inline XSLT fix    1.0.4693.32168     1.0.4679.40370
4.10.1                        1.0.4701.29088     1.0.4701.29098
4.11.7                        1.0.4863.25338     1.0.4863.25346
6.0.3                         1.0.4834.188856    1.0.4834.18858
6.0.4                         1.0.4863.23141     1.0.4863.23147

If you're using Umbraco 4.5.1 to 4.7.2, still have the umbraco.webservices.dll file in your bin folder and absolutely cannot live without it, there's a secured version available for Umbraco 4 and for Umbraco 6.
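The steps above (check the assembly versions against the table, back up the two dlls, copy the patched files into /bin) as one script. This is an added example, not part of the original post or of Umbraco itself; it reads the assembly version straight from each dll with System.Reflection.AssemblyName, refuses to overwrite anything whose umbraco.dll version is not in the table (a custom build, which should be firewalled instead), and warns when umbraco.webservices.dll is present but not the version that release shipped with. The parameters $SiteRoot (the site's web root) and $PatchDir (the unzipped patch folder) are assumed inputs.

```powershell
# Added example, not from the original post or Umbraco. Verifies the assembly
# versions in /bin against the table above, backs the files up, then copies the
# patched dlls in. Assumed inputs: $SiteRoot = web root of the site,
# $PatchDir = folder holding the unzipped umbraco.dll / umbraco.webservices.dll.
param(
    [Parameter(Mandatory = $true)][string] $SiteRoot,
    [Parameter(Mandatory = $true)][string] $PatchDir
)

# Stock umbraco.dll versions per release, keyed by version, copied from the table
# above. An empty WebServices value means that release shipped without the dll.
$stock = @{
    '1.0.3827.19799' = @{ Release = '4.5.0';   WebServices = '1.0.0.0' }
    '1.0.3858.40498' = @{ Release = '4.5.1';   WebServices = '' }
    '1.0.3891.20719' = @{ Release = '4.5.2';   WebServices = '' }
    '1.0.4029.25836' = @{ Release = '4.6.1';   WebServices = '' }
    '1.0.4090.38017' = @{ Release = '4.7.0';   WebServices = '' }
    '1.0.4393.24044' = @{ Release = '4.7.1.1'; WebServices = '' }
    '1.0.4500.21031' = @{ Release = '4.7.2';   WebServices = '' }
    '1.0.4583.15483' = @{ Release = '4.8.0';   WebServices = '1.0.4583.15512' }
    '1.0.4609.17579' = @{ Release = '4.8.1';   WebServices = '1.0.4609.17585' }
    '1.0.4633.18696' = @{ Release = '4.9.0';   WebServices = '1.0.4633.18727' }
    '1.0.4640.26027' = @{ Release = '4.9.0 with Inline XSLT fix'; WebServices = '1.0.4633.18727' }
    '1.0.4679.40364' = @{ Release = '4.9.1';   WebServices = '1.0.4679.40370' }
    '1.0.4693.32168' = @{ Release = '4.9.1 with Inline XSLT fix'; WebServices = '1.0.4679.40370' }
    '1.0.4701.29088' = @{ Release = '4.10.1';  WebServices = '1.0.4701.29098' }
    '1.0.4863.25338' = @{ Release = '4.11.7';  WebServices = '1.0.4863.25346' }
    '1.0.4834.188856' = @{ Release = '6.0.3';  WebServices = '1.0.4834.18858' }  # copied as printed
    '1.0.4863.23141' = @{ Release = '6.0.4';   WebServices = '1.0.4863.23147' }
}

# Returns the assembly version of a dll as a string, or $null if the file is absent.
function Get-AssemblyVersionString([string] $Path) {
    if (-not (Test-Path $Path)) { return $null }
    $full = (Resolve-Path $Path).Path
    return [System.Reflection.AssemblyName]::GetAssemblyName($full).Version.ToString()
}

$bin     = Join-Path $SiteRoot 'bin'
$coreDll = Join-Path $bin 'umbraco.dll'
$wsDll   = Join-Path $bin 'umbraco.webservices.dll'
$coreVer = Get-AssemblyVersionString $coreDll
$wsVer   = Get-AssemblyVersionString $wsDll

if ($coreVer -eq $null) { throw "No umbraco.dll found in $bin" }

if (-not $stock.ContainsKey($coreVer)) {
    # Not a stock build: overwriting it would silently discard local source changes.
    throw "umbraco.dll is $coreVer, which is not a stock release in the table. Treat this as a custom build: do not overwrite it; restrict external access to /umbraco instead."
}

$entry = $stock[$coreVer]
Write-Host "Detected stock Umbraco $($entry.Release) (umbraco.dll $coreVer)."

if ($wsVer -ne $null -and $wsVer -ne $entry.WebServices) {
    # The dll is in bin but is not the one this release shipped with.
    Write-Warning "umbraco.webservices.dll is $wsVer but $($entry.Release) shipped with '$($entry.WebServices)'. If you do not need it, delete it rather than patching it."
}

# Back up outside /bin so ASP.NET does not load the old copies, then replace.
$backup = Join-Path $SiteRoot ('bin-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($name in 'umbraco.dll', 'umbraco.webservices.dll') {
    $src = Join-Path $bin $name
    if (Test-Path $src) { Copy-Item $src (Join-Path $backup $name) }
}

Copy-Item (Join-Path $PatchDir 'umbraco.dll') $coreDll -Force

# Only restore umbraco.webservices.dll if the site still had one; a site that
# deleted it after the earlier alert should stay without it.
$patchedWs = Join-Path $PatchDir 'umbraco.webservices.dll'
if ($wsVer -ne $null -and (Test-Path $patchedWs)) {
    Copy-Item $patchedWs $wsDll -Force
}

Write-Host "Patched. Backups in $backup. umbraco.dll is now $(Get-AssemblyVersionString $coreDll)."
```

Run it as `.\Patch-Umbraco.ps1 -SiteRoot C:\inetpub\mysite -PatchDir C:\temp\umbraco-patch` (paths are placeholders). One caveat on the table data: the 6.0.3 umbraco.dll value as printed above has a fourth component larger than an assembly version component can hold (65535), so a real 6.0.3 dll cannot report it; for 6.0.3 installations compare the umbraco.webservices.dll version as well before overwriting.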

Upgrading

We've just released versions 4.11.8 and 6.0.5. The only changes from their previous versions are the security fixes, so it's a safe upgrade. Head on out to CodePlex or NuGet to get them.

Related Story

Security vulnerability found - immediate action recommended
