ASP.NET EventValidation is disabled
We've recently discovered in the web.config of our Umbraco project that ASP.NET event validation is disabled: <pages enableEventValidation="false">
It is recommended by Microsoft to enable this, but enabling it would have an impact on the core functionality of Umbraco. On Google we found that this has an impact on the macro functionality.
This feature will most likely have good reasons to be disabled, but I am wondering whether we should be worried about the security impact of this. Does the core functionality have countermeasures against all types of injection attacks?
Hi Jeffrey and welcome to our :)
As such it should not impact how Umbraco works, but I think it is more an issue with submitting form content that should create nodes within Umbraco, or when using Contour. What version of Umbraco are you using? And have you tried enabling it locally to see what impact it has and which macros are affected? If it's only related to forms, then I think you should be able to use the HTML Agility Pack to make sure form content can be submitted without security issues.
Looking forward to hearing from you.
/Jan
Thanks for the welcome and reply.
We are using 7.2.4 and haven't tried enabling event validation yet, because of the impact it might have. Event validation goes beyond validating forms. It validates most control events and prevents malicious postback requests and callbacks for controls. I'll see if we can do a small test to determine the impact for us, but this might limit future customizations, which I am worried about.
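The following is an added example, not code from this thread or from Umbraco itself, illustrating the mechanism the two posts above describe: with event validation on, ASP.NET checks at postback that the event target and argument (for a list control, the posted value) were registered while the page was rendered, and otherwise throws "Invalid postback or callback argument". The usual reason a site turns it off globally is a control whose options are added client-side, so the posted value was never registered. The alternative shown here keeps `<pages enableEventValidation="true">` in web.config, opts out per page only where unavoidable with the `EnableEventValidation` attribute of the `@ Page` directive, and registers the legitimate values with `ClientScript.RegisterForEventValidation`, which is the documented Web Forms API for this. The control name `RegionPicker`, the `regionList` / `Submit_Click` identifiers and the region values are assumptions made for the example. Note that event validation only checks that a posted control argument was one the server rendered; it is not a substitute for server-side input validation, output encoding or anti-forgery protection, so the final handler still validates the value itself.

```csharp
// Added example, not part of the original thread or of Umbraco's own code.
// Shows how to keep ASP.NET event validation enabled while still accepting
// postback values that are inserted client-side.
//
// web.config (the thread's setting, and the safer default):
//   weak:   <pages enableEventValidation="false" ... />
//   better: <pages enableEventValidation="true"  ... />
// If one page really cannot live with it, opt out there only:
//   <%@ Page EnableEventValidation="false" ... %>

using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical user control (e.g. one used as a macro). Assumes the .ascx
// markup declares <asp:DropDownList ID="regionList" runat="server" /> and a
// button with OnClick="Submit_Click". The field below would normally live in
// the generated designer file; it is declared here so the snippet is complete.
public partial class RegionPicker : UserControl
{
    protected DropDownList regionList;

    // Values the client is permitted to post back. Constructed sample data;
    // in a real control these would come from a data source.
    private static readonly string[] AllowedRegions = { "eu-west", "eu-central", "us-east" };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Only a placeholder is rendered server-side; the real options are
            // added by client-side script, so DropDownList's own rendering
            // never registers them and a postback would fail validation.
            regionList.Items.Add(new ListItem("Choose...", ""));
        }
    }

    protected override void Render(HtmlTextWriter writer)
    {
        // RegisterForEventValidation must be called during the render phase.
        // It records (UniqueID, argument) pairs in the page's validation hash;
        // any other value posted for this control is rejected on the next request.
        foreach (string region in AllowedRegions)
        {
            Page.ClientScript.RegisterForEventValidation(regionList.UniqueID, region);
        }
        base.Render(writer);
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // By the time this runs, event validation has already rejected values
        // outside AllowedRegions. Treat the value as untrusted input anyway and
        // validate it again before using it to create nodes or run queries.
        string region = Request.Form[regionList.UniqueID];
        if (Array.IndexOf(AllowedRegions, region) < 0)
        {
            throw new InvalidOperationException("Unexpected region value: " + region);
        }
        // ... proceed with the validated value ...
    }
}
```

When testing the change locally, as suggested above, the error to look for after re-enabling the setting is the "Invalid postback or callback argument" exception; each page or macro that raises it is a candidate for registering its dynamic values this way rather than for disabling validation site-wide.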
Hi Jeffrey
Aaah, yes, sorry about that. I'm afraid I misread your post. I have not dealt with this situation before myself, but hopefully some of the other bright minds in here will be able to guide you depending on what you find out.
/Jan