  • Dan 1285 posts 3917 karma points c-trib
    Apr 29, 2013 @ 11:14
    Dan
    0

    umbraco.webservices.dll - why is it mostly not there?

    Hi,

    Just taking action to mitigate the recent security vulnerability.  The suggested action is to delete the 'umbraco.webservices.dll' file.  Lee Kelleher has pointed out that the file was introduced in version 3.0.0.  However, I'm part way through checking all client sites and so far only 2 have contained the file.  All are v4 websites, ranging from early 4.0 to the latest 4.11.  The two sites containing the file so far are 4.0.4.2 and 4.11.3.

    This is not a problem as such, I just wondered why this file would not be there on most installations if it's been part of the core installation since 3.0.0?

    Thanks folks.

  • Niels Hartvig 1951 posts 2391 karma points c-trib
    Apr 29, 2013 @ 11:23
    Niels Hartvig
    103

    Due to a bug in our build environment, it wasn't included by default in a number of v4.x versions. Some might say a lucky bug.

  • Dan 1285 posts 3917 karma points c-trib
    Apr 29, 2013 @ 11:29
    Dan
    0

    Cool, thanks Niels.  I'm just putting together a reference of which versions included it by default and which didn't.  Although I think EVERYONE should check all installations (as I'm doing) it'll at least put people's minds at ease if that file isn't there and they think it's supposed to be.

  • Dan 1285 posts 3917 karma points c-trib
    Apr 29, 2013 @ 11:52
    Dan
    14

    Okay, the formatting might break horribly, but I've been through an archive of the releases since 3.0.0.  Seems the file is in most installations except for a gap between (and including) 4.5.1 and 4.7.2, and a blip where it wasn't included in 3.0.1.  Obviously all installations should be checked regardless, but hopefully this provides a little peace of mind to devs who have sites where the file doesn't exist:

     

    Version     Was file included?
    --------    ------------------
    3.0.0       Yes
    3.0.1       No
    3.0.2       Yes
    3.0.3       Yes
    3.0.5       Yes
    3.0.6       Yes
    4.0.1       Yes
    4.0.2.1     Yes
    4.0.3       Yes
    4.0.4.2     Yes
    4.5.0       Yes
    4.5.1       No
    4.5.2       No
    4.6.1       No
    4.7.0       No
    4.7.1       No
    4.7.1.1     No
    4.7.2       No
    4.8.0       Yes
    4.8.1       Yes
    4.9.0       Yes
    4.9.1       Yes
    4.10.1      Yes
    4.11.3.1    Yes
    4.11.4      Yes
    4.11.5      Yes
    4.11.6      Yes
    6.0.0       Yes
    6.0.2       Yes
    6.0.3       Yes

     

    Clearly, even if a site is running a version which didn't include the file, if that site has been upgraded or downgraded there's a good chance it still contains the problem file. So, again, I'm sure the advice is to check each installation thoroughly, regardless of version.

  • Lee Kelleher 4020 posts 15802 karma points MVP 13x admin c-trib
    Apr 29, 2013 @ 12:04
    Lee Kelleher
    0

    Great analysis Dan! #h5yr

  • Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib
    Apr 29, 2013 @ 13:41
    Dave Woestenborghs
    0

    Strange... I have 4.7.2 installs, one containing the dll and one that doesn't.

     

  • Dan 1285 posts 3917 karma points c-trib
    Apr 29, 2013 @ 13:46
    Dan
    0

    Could one of them be an upgrade from < 4.5.1 or a downgrade (or failed/aborted upgrade) from 4.8.0+?

  • Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib
    Apr 29, 2013 @ 13:47
    Dave Woestenborghs
    0

    Nope.

    The one with the dll is a clean install from 4.7.2

    The one without the dll is a 4.7.0 install which has been upgraded to 4.7.2

  • Dan 1285 posts 3917 karma points c-trib
    Apr 29, 2013 @ 13:56
    Dan
    0

    Perhaps there were versions on Codeplex at the time which didn't suffer the same build environment bug as the full stand-alone installs?  There are probably a number of ways of arriving at the installation files (e.g. built from source, Codeplex download, Web Platform Installer etc), so definitely worth checking regardless of version.

  • Chad Rosenthal 272 posts 474 karma points
    Apr 29, 2013 @ 15:22
    Chad Rosenthal
    0

    So how should we deal with this file if we installed through Nuget? When we do a publish on a new server, it grabs the files from the internet first, so the file will keep reappearing. Right? Or was it removed from the nuget world?

    -C

  • Tom Fulton 2030 posts 4998 karma points c-trib
    Apr 29, 2013 @ 21:32
    Tom Fulton
    0

    @Chad for nuget installs, you can just remove the Reference to that DLL on the project.  The package restore shouldn't add references, only download the DLLs (which won't get copied to /bin/ if not referenced).  Or if you want to be really safe, you can use Anthony's suggestion of adding a post-build event to delete the file.
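
The per-installation check recommended in this thread, as an added example (not code posted by anyone here): a PowerShell inventory that reports, for every folder containing 'umbraco.dll', whether 'umbraco.webservices.dll' sits beside it, and deletes that file when -Remove is given. The $Root default and the use of 'umbraco.dll' to recognise an Umbraco bin folder are assumptions; the check deliberately ignores the version table above, since upgrades and differing install sources make version an unreliable predictor.

```powershell
# Added example: inventory Umbraco installs for umbraco.webservices.dll.
param(
    # Assumption: folder under which the sites live; adjust to your hosting layout.
    [string]$Root = 'C:\inetpub\wwwroot',
    # Without -Remove the script only reports and changes nothing.
    [switch]$Remove
)

$target = 'umbraco.webservices.dll'

# Assumption: a folder holding umbraco.dll is the bin folder of an Umbraco site.
$report = Get-ChildItem -Path $Root -Recurse -Filter 'umbraco.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $bin     = $_.Directory
        $dllPath = Join-Path $bin.FullName $target
        $found   = Test-Path -LiteralPath $dllPath -PathType Leaf
        $action  = 'none'

        if ($found -and $Remove) {
            try {
                Remove-Item -LiteralPath $dllPath -Force -ErrorAction Stop
                $action = 'deleted'
            }
            catch {
                # A locked or read-only file must not pass silently as clean.
                $action = "delete FAILED: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Site           = $bin.Parent.FullName
            UmbracoVersion = $_.VersionInfo.FileVersion   # version of umbraco.dll, for reference only
            FileFound      = $found
            # Re-test after any deletion so the report reflects the final state.
            StillPresent   = Test-Path -LiteralPath $dllPath -PathType Leaf
            Action         = $action
        }
    }

$report | Sort-Object Site | Format-Table -AutoSize

# Non-zero exit code when any install still has the file, for use in scheduled checks.
if ($report | Where-Object StillPresent) { exit 1 }
```

Run it once without -Remove to review the list, and run it again after each deployment, since a publish or package restore can put the file back.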
