Need to report a security vulnerability?


For responsible disclosure you can email us at: security@umbraco.com. We will acknowledge receipt of your vulnerability report and send you regular updates about our progress. If you want, we will publicly acknowledge your responsible disclosure.

You are not allowed to search for vulnerabilities on umbraco.com itself. Umbraco is open source software, so you can install a copy yourself and test against that. If you want to perform testing that might break things, please contact us to arrange access to a staging server.

If you want to encrypt your disclosure email please email us to ask for our PGP key.

This page

This page is a work in progress and will be updated regularly when relevant. If anything is missing, let us know at the email address above.
We know that some of the links below should be part of our documentation, but we put them here for now so that we can at least help you find the information you need.

Umbraco core

We take the following precautions while writing code for Umbraco:

General

  • Every six months a security firm helps us do a penetration test to make sure we didn't drop the ball
    • Testing focuses on new features, and we also select a few areas for the security firm to poke around in to see if they could be vulnerable
    • We will implement their recommended fixes and share what we have fixed here on this page for you and your clients to consult
    • If there are any critical issues we will blog about them and create patches, like we've done in the past
  • Internal code reviews are done consulting the OWASP site for best practices whenever any code affecting security is updated
    • Yes, we use parameterized queries to prevent SQL injection
  • We have several base classes we can inherit from to make sure that code will only be executed if there's a valid logged-in backoffice user
  • When critical security bugs are found we patch all of the versions that we can, even going back to very old versions to help you stay safe
    • Make sure to follow @umbracoproject on Twitter for updates; we promise we won't spam you from that account
    • There are multiple IFTTT recipes available for people not on Twitter to get tweets as emails, RSS feeds, Slack messages etc.
  • Umbraco has dependencies on other software; we keep dependencies updated as much as we can to benefit from any security fixes they might do
  • We do internal training at Umbraco HQ to make sure everybody is up to speed on the latest security developments
  • At Umbraco HQ we follow security experts on Twitter, like Troy Hunt and Scott Helme. We also religiously listen to the Security Now podcast and follow all of Troy Hunt's excellent security courses on Pluralsight.

Backoffice security

  • Since 7.3 we use ASP.Net Identity as the authentication mechanism for backoffice users. This implementation wraps the ASP.Net Membership APIs but can easily be changed to use the native ASP.Net Identity standards and/or be extended to use any custom standards for storing and validating passwords. For the front-end, Umbraco uses the ASP.Net Membership APIs for member security, but ASP.Net Identity can be used with the UmbracoIdentity plugin if required, and again any of this can be extended to suit whatever needs there may be. Passwords by default are hashed with HMAC-SHA256 and the salt is 128 bit (unless you have useLegacyEncoding=true, in which case the standard is lower).
    • Umbraco also supports a full OAuth login system, which means that if you want to store credentials in a 3rd party system like Azure Active Directory, Identity Server or any OAuth compliant service, this is certainly possible and you can have full control over the OAuth data flow. Of course HTTPS is fully supported and should certainly be used.
    • All of that is available for both front-end membership and the backoffice users
  • You can implement any membership / ASP.NET Identity provider you want for both front-end and backoffice if you don't want to rely on our implementation
  • By default 10 incorrect login attempts will lock out a backoffice user to avoid brute force attacks. We currently only support indefinite lockout and do not support a lockout time frame; ASP.Net Identity supports this, so you could extend the current implementation to achieve it. The attempt count is configurable, and you can extend this however you like.
  • Password rules (length, character diversity, etc.) are configurable from the web.config
  • Password expiry and two factor authentication are currently not supported, but could be custom implemented; as an alternative, an OAuth provider could help you support that
  • Password security questions ("what was the name of your first dog?") are not supported and are considered not secure
  • Umbraco 7.5+ will have a password reset option on the login screen
  • By default users are logged out of the backoffice after 20 minutes of inactivity; this can be configured to be shorter/longer

Historical security alerts

We've sent out the following very high priority security alerts in the past:

Umbraco

ClientDependency (a module that ships with Umbraco)

Umbraco Forms (optional plugin for Umbraco)

Protecting your sites

  • It is becoming easier and easier to run your site on HTTPS, even if your hosting provider does not support it, and we strongly recommend doing that. Cloudflare has a free offering that is easy to configure.
  • Upgrading Umbraco is easier than ever before; keep up to date and benefit from all the smaller security fixes we put in all the time
  • You should audit 3rd party plugins you install in Umbraco. Most of them are open source so they can be inspected
    • We don't know of any malicious plugin that currently exists or has ever existed
  • Any user that can log into the backoffice should not have more privileges than they need, so an editor should not have access to the "developer" and "settings" sections.
  • Make sure that your error handling is not leaking application information: in web.config set compilation debug to false, turn off tracing and turn customErrors on ("RemoteOnly" or "On")
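The web.config settings from the error-handling bullet above and the password-rules bullet under "Backoffice security", shown as the leaky development values beside the production values, as an added example that is not Umbraco's shipped web.config. The membership provider name and type, the defaultRedirect path and the chosen password limits are assumptions for illustration; keep whatever your Umbraco version ships with and only change the attributes you intend to.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: only the elements discussed on this page are shown;
     the rest of a real Umbraco web.config stays as it is. -->
<configuration>
  <system.web>
    <!-- BEFORE: typical development values that expose stack traces,
         source snippets and per-request trace data to any visitor.
    <compilation debug="true" />
    <trace enabled="true" />
    <customErrors mode="Off" />
    -->

    <!-- AFTER: production values recommended on this page. -->
    <!-- No debug build, so error pages carry no debug symbol details. -->
    <compilation debug="false" />
    <!-- Tracing off: trace.axd and page-level trace output are unavailable. -->
    <trace enabled="false" />
    <!-- RemoteOnly: remote visitors get the generic page, full errors remain
         visible from localhost. Use mode="On" to hide them everywhere.
         defaultRedirect path is an assumed placeholder. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error-page" />

    <!-- Password rules and lockout threshold for the membership provider.
         Provider name/type below are assumed for illustration. -->
    <membership defaultProvider="UmbracoMembershipProvider">
      <providers>
        <clear />
        <add name="UmbracoMembershipProvider"
             type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="10"
             useLegacyEncoding="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

After changing these values, request a page that deliberately errors from a machine other than the server to confirm the generic error page is what a remote visitor actually sees.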

3rd party auditing

We receive security / penetration test reports every few weeks from web agencies that have had their site tested by various security firms. We always immediately implement recommendations where needed. If you have a 3rd party auditing your Umbraco site, we're happy to hear from you on security@umbraco.com with any findings so we can fix what's necessary.

We love getting results from penetration tests, but when you do report them please make sure that they are manually tested and verified to be a problem. When you send us a report from an automated tool, the large majority of the results are usually false positives. We are more than happy to fix any real issue discovered as quickly as we can, but we ask you to provide steps to reproduce the issue(s) manually.

Download Security PDF here

Sending us reports

Credits

We regularly get reports about security issues in Umbraco and appreciate those very much. We'd like to thank the following people for their amazing efforts in making Umbraco safer:

And thanks to the following people for pointing out configuration errors on some of our own properties:
