Need to report a security vulnerability?
For responsible disclosure you can email us at: firstname.lastname@example.org. We will acknowledge receipt of your vulnerability report and send you regular updates about our progress. If you want we will publicly acknowledge your responsible disclosure.
You are not allowed to search for vulnerabilities on umbraco.com itself. Umbraco is open source software; you can install a copy yourself and test against that. If you want to perform testing that might break things, please contact us to arrange access to a staging server.
If you want to encrypt your disclosure email please email us to ask for our PGP key.
This page is a work in progress and will be updated regularly when relevant. If anything is missing, let us know on the email address above.
We know that some of the links below should be part of our documentation, but we put them on here for now so that we can at least help you find the information you need.
We take the following precautions while writing code for Umbraco:
- Every six months a security firm helps us do a penetration test to make sure we didn't drop the ball
- Testing focuses on new features, and we also select a few existing areas for the security firm to probe to see whether they could be vulnerable
- We will implement their recommended fixes and share what we have fixed here on this page for you and your clients to consult
- If there are any critical issues we will blog about them and create patches, as we've done in the past
- Internal code reviews are done consulting the OWASP site for best practices when any code affecting security is updated
- Yes, we use parameterized queries to prevent SQL injection
- We have several base classes we can inherit from to make sure that code will only be executed if there's a valid logged-in backoffice user
- When critical security bugs are found we patch all of the versions that we can, even going back to very old versions to help you stay safe
- Umbraco has dependencies on other software; we keep those dependencies updated as much as we can to benefit from any security fixes they receive
- We do internal training at Umbraco HQ to make sure everybody is up to speed on the latest security developments
- At Umbraco HQ we follow security experts on Twitter, like Troy Hunt and Scott Helme. We also religiously listen to the Security Now podcast and follow all of Troy Hunt's excellent security courses on Pluralsight.
- Since 7.3 we use ASP.NET Identity as the authentication mechanism for backoffice users. This implementation wraps the ASP.NET Membership APIs, but it can easily be changed to use the native ASP.NET Identity standards and/or be extended to use any custom scheme for storing and validating passwords. For the front-end, Umbraco uses the ASP.NET Membership APIs for member security; ASP.NET Identity can be used instead with the UmbracoIdentity plugin if required, and again any of this can be extended to suit whatever needs there may be. Passwords are hashed by default with HMAC-SHA256 using a 128-bit salt (unless you have useLegacyEncoding="true", in which case the older, weaker encoding is used).
- Umbraco also supports a full OAuth login system which means if you want to store credentials in a 3rd party system like Azure Active Directory, Identity Server or any OAuth compliant service, this is certainly possible and you can have full control over the OAuth data flow. Of course HTTPS is fully supported and should certainly be used.
- All of that is available for both front-end membership and the backoffice users
- You can implement any membership / ASP.NET Identity provider you want for both front-end and backoffice if you don't want to rely on our implementation
- By default 10 incorrect login attempts will lock out a backoffice user to slow down brute force attacks. We currently only support indefinite lockout, not a lockout time window; ASP.NET Identity supports this, so you could extend the current implementation to achieve it. The attempt count is configurable, and you can extend this however you like.
- Password rules (length, character diversity, etc.) are configurable from the web.config
- This MSDN article lists the available configuration options that can be changed from the web.config file
- Password expiry and two-factor authentication are currently not supported, but could be custom implemented; alternatively, an OAuth provider could help you support them
- Password security questions ("what was the name of your first dog?") are not supported and considered not secure
- Umbraco 7.5+ will have a password reset option on the login screen
- By default users are logged out of the backoffice after 20 minutes of inactivity; this can be configured to be shorter or longer
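The password rules, lockout threshold and backoffice timeout mentioned above all live in web.config. The fragment below is an added example written for this page, not a copy of Umbraco's shipped web.config: the provider names and types are the ones Umbraco 7 uses, but every attribute value is an illustrative choice (assumed, not Umbraco's defaults), and the `maxInvalidPasswordAttempts`/`passwordAttemptWindow` attributes are standard ASP.NET membership settings whose exact behaviour should be checked against the Umbraco version you run.

```xml
<!-- Added example: web.config fragment for an Umbraco 7 site.
     Values are illustrative assumptions, not the defaults shipped with Umbraco. -->
<configuration>
  <appSettings>
    <!-- Backoffice inactivity timeout in minutes (Umbraco default is 20). -->
    <add key="umbracoTimeOutInMinutes" value="15" />
    <!-- Force the backoffice over HTTPS once the site has a certificate. -->
    <add key="umbracoUseSSL" value="true" />
  </appSettings>
  <system.web>
    <membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
      <providers>
        <clear />
        <!-- Front-end members. -->
        <add name="UmbracoMembershipProvider"
             type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10"
             useLegacyEncoding="false"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="false"
             requiresQuestionAndAnswer="false"
             allowManuallyChangingPassword="false"
             defaultMemberTypeAlias="Member" />
        <!-- Backoffice users. maxInvalidPasswordAttempts is the lockout threshold
             (assumption: Umbraco's Identity-based user manager reads it from here). -->
        <add name="UsersMembershipProvider"
             type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="10"
             useLegacyEncoding="false"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false"
             enablePasswordReset="false"
             requiresQuestionAndAnswer="false"
             allowManuallyChangingPassword="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Two things to check after editing: `useLegacyEncoding` must stay `false` on any site that has never had it set to `true`, since flipping it on weakens the stored hash format for every password set afterwards, and `requiresQuestionAndAnswer` should stay `false` for the reason given above (security questions are not considered secure).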
Historical security alerts
We've sent out the following very high priority security alerts in the past:
ClientDependency (a module that ships with Umbraco)
Umbraco Forms (optional plugin for Umbraco)
Protecting your sites
- It is becoming easier and easier to run your site on HTTPS, even if your hosting provider does not support it and we strongly recommend doing that. Cloudflare has a free offering that is easy to configure.
- Upgrading Umbraco is easier than ever before, keep up to date and benefit from all the smaller security fixes we put in all the time
- You should audit 3rd party plugins you install in Umbraco. Most of them are open source so they can be inspected
- We don't know of any malicious plugin that currently exists or has ever existed
- Any user that can log into the backoffice should not have more privileges than they need, so an editor should not have access to the "developer" and "settings" sections.
- Make sure that your error handling is not leaking application information: in web.config set compilation debug to false, turn off tracing and set customErrors mode to "RemoteOnly" or "On"
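The error-handling settings from the last point, as an added web.config example (written for this page, not taken from Umbraco's own web.config; the redirect paths are assumed placeholders):

```xml
<!-- Added example: production hardening of error handling in web.config.
     Redirect targets are illustrative and must exist on your site. -->
<configuration>
  <system.web>
    <!-- debug="true" puts stack traces and source line context into error pages. -->
    <compilation debug="false" />
    <!-- Page tracing exposes request headers, cookies, session state and server
         variables through trace.axd; keep it off in production. -->
    <trace enabled="false" />
    <!-- "RemoteOnly": detailed errors only for requests from the server itself,
         the custom page for everyone else. Use "On" if nobody needs the detail. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error">
      <error statusCode="404" redirect="~/not-found" />
      <error statusCode="500" redirect="~/error" />
    </customErrors>
    <!-- Stop advertising the exact ASP.NET version in the X-AspNet-Version header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```

A quick check after deploying: request a page that throws (or a deliberately malformed URL) from outside the server and confirm you get your custom page rather than a yellow ASP.NET error page, and that /trace.axd returns a 404.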
Umbraco and FIPS compliance
Umbraco can be set up to be FIPS compliant. Please note, however, that FIPS should only be added for compliance. It is NOT a recommended approach for added security. Read how to set up your Umbraco site to be FIPS compliant.
3rd party auditing
We receive security / penetration test reports every few weeks from web agencies that have had their site tested by various security firms. We always immediately implement recommendations where needed. If you have a 3rd party auditing your Umbraco site then we're happy to hear from you on email@example.com with any findings so we can fix what's necessary.
We love getting results from penetration tests, but when you do report them please make sure that they have been manually tested and verified to be a problem. When you send us a report from an automated tool, the large majority of the results are usually false positives. We are more than happy to fix any real issue discovered as quickly as we can, but we ask you to provide steps to reproduce the issue(s) manually.
Sending us reports
We regularly get reports about security issues in Umbraco and appreciate those very much. We'd like to thank the following people for their amazing efforts in making Umbraco safer:
- Jeffrey Schoemaker - Perplex Internetmarketing
- Kai Stimpson - Perspective Risk Ltd
- Josh Grossman - Comsec Global Consulting
- Steve Smith - BMT Group Ltd
- Martial Puygrenier - NES Cyber Security Experts
- Christian Bruun
- Frederik Raabye - Dubex A/S
- Grégory Draperi
- Ronald Barendse - Panorama Studios
- Steven Harland - Intelligent Mobile
- Ruari Douglas - NCC Group
And thanks to the following people for pointing out configuration errors on some of our own properties:
- Shwetabh Suman
- Srishail Racharla
- Vasim Shaikh
- Suyog Palav
- Pal Patel
- Md. Nur A Alam Dipu
- Sameer Phad
- Danish Tariq
- Mustafa Diaa
- Ketan Madhukar Mukane
- Hafiz Muhammad Farhan
Note: we include only people in this list who bring us actionable items. Sending us results of automated scans is usually not helpful and won't automatically qualify you for a credit. Additionally, we only credit the first person who points out a problem that we can fix. Consecutive reports of the same issue will not be credited.