Umbraco

Umbraco Forms Security Notice


October 2016: A routine security audit conducted by Umbraco’s third-party security analyst, Dionach, has identified a vulnerability in our add-on product, Umbraco Forms. This issue has been immediately patched and the latest version of Forms is available for download today. If you do not currently use Umbraco Forms to accept form submissions, then your site is not at risk. If you are running Umbraco as a Service (Umbraco Cloud), you will have been patched automatically and no update is required. We recommend that you update all installations running Umbraco Forms. Please note, this affects all versions of Umbraco Forms but does not affect Contour.

Issue details

Under certain circumstances, the issue could allow people logged into the Umbraco Back Office to view files they are not authorised to see by guessing file paths and filenames.

Severity

We estimate that for the majority of sites, the likelihood of the issue being exploited is low because users need to have authorised access to the Umbraco Back Office. With properly configured servers and the correct file permissions applied, gaining access to files outside of the website root is unlikely.

How to update Umbraco Forms

You can update your installation in a number of ways, such as an Umbraco package install, NuGet package or manual zip file, as the fix is found in the DLLs.

Depending on which version of Forms you currently have installed (4.1.5, 4.2.1 or 4.3.2), there is an associated patch release version as follows:

4.1.5 → 4.1.6
https://our.umbraco.org/projects/developer-tools/umbraco-forms/ 
https://www.nuget.org/packages/UmbracoForms/4.1.6

4.2.1 → 4.2.2
https://our.umbraco.org/projects/developer-tools/umbraco-forms/ 
https://www.nuget.org/packages/UmbracoForms/4.2.2

4.3.2 → 4.3.3
https://our.umbraco.org/projects/developer-tools/umbraco-forms/
https://www.nuget.org/packages/UmbracoForms/4.3.3

If you plan to accept form submissions through Umbraco Forms in the future, then be sure to use the latest version of Umbraco Forms, at least version 4.3.3.
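One way to check a NuGet-managed site against the patch releases listed above is to read its packages.config and compare the referenced UmbracoForms version. This is an added example, not code from Umbraco or Dionach; the function names and the sample file are constructed. It assumes that a release line with no patch of its own moves to 4.3.3 or later, and that later versions within a patched line also carry the fix.

```python
import xml.etree.ElementTree as ET

# Patch releases named in the notice, keyed by (major, minor) release line.
PATCHED = {(4, 1): (4, 1, 6), (4, 2): (4, 2, 2), (4, 3): (4, 3, 3)}
MINIMUM = (4, 3, 3)  # the notice's "at least version 4.3.3"


def assess(version_text):
    """Return (status, target) where status is 'patched', 'update' or 'review'."""
    try:
        parts = tuple(int(p) for p in version_text.strip().split("."))
    except ValueError:
        # Pre-release or otherwise non-numeric version: leave it to a human.
        return "review", ".".join(map(str, MINIMUM))
    version = (parts + (0, 0, 0))[:3]
    # Assumption: a release line without its own patch moves to 4.3.3 or later.
    target = PATCHED.get(version[:2], MINIMUM)
    status = "update" if version < target else "patched"
    return status, ".".join(map(str, target))


def audit_packages_config(xml_text):
    """List (version, status, target) for every UmbracoForms package reference."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        # NuGet package ids are case-insensitive.
        if pkg.get("id", "").lower() == "umbracoforms":
            version = pkg.get("version", "")
            findings.append((version,) + assess(version))
    return findings


# Constructed sample input, not taken from a real site.
SAMPLE = """<packages>
  <package id="Newtonsoft.Json" version="6.0.8" targetFramework="net45" />
  <package id="UmbracoForms" version="4.2.1" targetFramework="net45" />
</packages>"""

if __name__ == "__main__":
    for version, status, target in audit_packages_config(SAMPLE):
        print(f"UmbracoForms {version}: {status} (patch release: {target})")
```

Sites that installed Forms from the Umbraco package or a zip file have no packages.config entry, so the installed version has to be confirmed another way there.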

Umbraco’s third-party security analyst, Dionach, will be releasing a public security bulletin on this discovery in 2 weeks’ time.

We apologise for any inconvenience. If you have any follow-up questions, please let us know by sending us a support request through your Umbraco.com profile page.