Monday, April 29, 2013

Security vulnerability found - immediate action recommended

During one of the regular security audits of the core carried out by independent security firms (in this case MWR Labs), a severe security vulnerability was found in the integration web services of Umbraco. We recommend that everyone take immediate action to prevent any exploit.

More details will come in a few weeks when people have had a chance to update their installations, but for now we ask you to remove the following file from all your Umbraco installations:

/bin/umbraco.webservices.dll

The security vulnerability affects all versions of Umbraco that contain the file above. If your installation doesn’t contain the file, you’re not affected.

If you DO have this dll in your bin folder and you absolutely cannot live without it, then there's a secured version available for Umbraco 4 and for Umbraco 6.

This will not affect the daily use of your Umbraco installation. It *might* affect integration with your Umbraco installation, but less than 1% use the integration web services. For those who do use the integration web services we recommend that you get in touch with sebastiaan@umbraco.com.

We’re sorry for the inconvenience.

Edit:

  • If you do use the web services in your custom code, adding IP restrictions to /umbraco/webservices/api/ can be an option to secure your servers instead.
  • Load balancing setups should not be affected by the removal of the dll; the cacherefresher code for that is in a different dll.
  • uComponents v3+ should not be affected.
  • The umbraco.webservices.dll file has not been included for a while in some Umbraco releases due to a bug in our build environment, so if you can't find it, you're not affected by this issue.
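
For the IP-restriction option in the first note above, one way to express it in IIS is the web.config fragment below. It is an added example, not configuration published by Umbraco; it assumes Umbraco is installed at the site root, that the IIS "IP and Domain Restrictions" feature is installed, and that the sample addresses are replaced with your own integration hosts.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: merge into the site's root web.config.
     Assumes Umbraco sits at the site root; adjust the path otherwise. -->
<configuration>
  <!-- Scope the rule to the integration web services only, so the
       back office and the public site are left untouched. -->
  <location path="umbraco/webservices/api">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" makes this an allow list:
             any client address not matched below is refused. -->
        <ipSecurity allowUnlisted="false">
          <!-- Constructed sample addresses (RFC 5737 documentation
               ranges); replace with the hosts that call the API. -->
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="192.0.2.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
  <!-- The ipSecurity section is locked at server level by default.
       Either unlock it once on the server:
         %windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/ipSecurity
       or place this location block in applicationHost.config
       (there the path must be prefixed with the site name). -->
  <!-- Behind a reverse proxy or load balancer IIS sees the proxy's
       address, so the allow list has to be enforced at the proxy. -->
</configuration>
```

After applying it, request a URL under /umbraco/webservices/api/ from a host that is not on the list and confirm that IIS refuses it.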
