During one of the regular security audits that independent security firms (in this case: MWR Labs) do of the core, a severe security vulnerability was found in the integration web services of Umbraco and we recommend everyone to take immediate action to prevent any exploit.
More details will come in a few weeks when people have had a chance to update their installations, but for now we ask you to remove the following file from all your Umbraco installations:
The security vulnerability affects all versions of Umbraco that contains the file above. If your installation doesn’t contain the file, you’re not affected.
If you DO have this dll in your bin folder and you absolutely cannot live without it, then there's a secured version available for Umbraco 4 and for Umbraco 6.
This will not affect the daily use of your Umbraco installation. It *might* affect integration with your Umbraco installation, but less than 1% use the integration web services. For those who do use the integration web services we recommend that you get in touch with firstname.lastname@example.org.
We’re sorry for the inconvenience.
- If you do use the webservices in your custom code, adding IP restrictions to /umbraco/webservices/api/ can be an option to secure your servers instead
- Load balancing setups should not be affected by the removal of the dll, the cacherefresher code for that is in a different dll
- uComponents v3+ should not be affected
- The umbraco.webservices.dll file has not been included for a while in some umbraco releases due to a bug in our build environment, so if you can't find it, you're not affected by this issue