
  • Sean L 24 posts 146 karma points
    Nov 13, 2015 @ 20:26
    Sean L
    0

    Template Accessible without defined Document Type and Page assignment

    Basic info: IIS 7.5, SQL Server, Umbraco 6.2.5

    I came across this today and found it kind of strange, so I was curious if anyone had come across it before and knew why it happened to "work."

    I created a new Template in the Settings tab, also creating a User Control and assigning the control to a newly created Macro. What I didn't do, prior to my page test, was add the template to the document type or create the page and assign it the template.

    So the full scenario, say the template is called Bulletins. When I went and typed in the address of the page (where it will be when it is created) and let's say the URL was the following:

    www.mysite.com/something/bulletins

    Going to the following URL worked and the template displayed the content perfectly. What I did notice was the cookie crumb trail was "Something" and not "Something >> Bulletins" as it would normally be. I scratched my head, went back into the backend and was like "duh, skipped two things." But then I thought, how the heck did I even get to the template via a URL in the first place then, if there was no page that defined it.

    Keep in mind, if you were to look at the Content tab, go to the Something tab, expand it, there is no page there called Bulletins because I had not created it yet, let alone assigned it the proper template.

    So then I thought, what if I add "/bulletins" to any variation of the URL, will it still display. Sure enough, it does, but what it seems to do is simply add the template portion of "Bulletins" to the bottom of the page that is supposed to be the parent. Doesn't matter what prefixes the "/bulletins" in the URL, the page still comes up and the Bulletins template is added to the bottom of the page.

    What I mean by it being added to the parent, is if say the URL is "mysite.com/sales/bulletins" then the page displayed is "Sales" but the Bulletins template is added to the bottom of the page.

    At this point, I was curious so I tested some of the other templates and they also had this same thing occurring.

    Next I wanted to play the process of elimination. I added Bulletins to the document type I would be creating the page based on. Tested the same Sales URL with no change. Next, I figured I would create the page and assign the template. Still no change.

    I then thought, let's change the name of the Macro, since its name is the same as the template to see if there is some ambiguity going on somehow, but still no change. If I changed the name of the Template to say Bulletins2, however, it breaks but if I changed the URL to /bulletins2, it still does the same thing.

    At first, I thought this might present a huge security flaw to bypass authentication in spots, but the authentication check (with redirect if not authenticated) blocks the attempt to access templates (with User Controls) that are wrapped by this logic.

    Has anyone run into this or noticed this? Can someone else confirm/dismiss this type of functionality occurring in their instances? Or is this to be expected and a part of how Umbraco as a whole works?

    To me, it seems silly that if an end user knows the name of a template, they can hack any page and add that template onto another page. This could also cause problems if a user assumes they know a link, but that link truly doesn't exist but yet the site produces a page anyways because the user actually guessed a template name when free-forming the URL.

    It should simply throw a 404 as the page truly does not exist. Maybe I am missing something that is truly vital to stop this from happening.

    Anyways, sorry for the long-winded explanation, but I wanted to be thorough in my description of the issue. Thanks in advance for any insight!

    Regards, Sean

  • Nicholas Westby 2054 posts 7103 karma points c-trib
    Nov 13, 2015 @ 20:46
    Nicholas Westby
    0

    Yes, this is a feature of Umbraco that allows you to display content with an "alternate template". You can either change the template with a query string, or by adding an extra path part that is the name of the template. In my umbracoSettings.config, I see this:

      @disableAlternativeTemplates
        By default you can add a altTemplate querystring or append a template name to the current URL which
        will make Umbraco render the content on the current page with the template you requested, for example:
        http://mysite.com/about-us/?altTemplate=Home and http://mysite.com/about-us/Home would render the 
        "About Us" page with a template with the alias Home. Setting this setting to true stops that behavior
    

    That is in an Umbraco 7.x install. I'm not sure about Umbraco 6.x.
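
An added example (not part of the post above and not Umbraco's own code): a small Python check for the 7.x setting quoted there, reporting whether alternate-template routing is still on in the text of an `umbracoSettings.config`. The sample XML is constructed, and the `web.routing` element name is an assumption; the check looks for the attribute on any element.

```python
import xml.etree.ElementTree as ET

ATTR = "disableAlternativeTemplates"  # setting name from the quoted config comment

# Constructed sample configs, not taken from a real site. The element name
# "web.routing" is an assumption; the audit scans every element for the attribute.
SAMPLE_DEFAULT = """<settings>
  <web.routing trySkipIisCustomErrors="false" />
</settings>"""
SAMPLE_EXPLICIT_OFF = """<settings>
  <web.routing trySkipIisCustomErrors="false" disableAlternativeTemplates="false" />
</settings>"""
SAMPLE_HARDENED = """<settings>
  <web.routing trySkipIisCustomErrors="false" disableAlternativeTemplates="True" />
</settings>"""


def audit_alt_templates(config_xml):
    """Return (alt_templates_enabled, reason) for the text of a local config file."""
    root = ET.fromstring(config_xml)
    found = [(el.tag, el.get(ATTR)) for el in root.iter() if el.get(ATTR) is not None]
    if not found:
        # The quoted comment says the feature works "by default", so a missing
        # attribute means /page/TemplateName and ?altTemplate= are still honoured.
        return True, ATTR + " is not set; the default leaves alternate templates on"
    for tag, value in found:
        # Conservative: only an explicit "true" (any case) counts as disabled.
        if value.strip().lower() != "true":
            return True, '<%s> has %s="%s"; alternate templates are on' % (tag, ATTR, value)
    return False, ATTR + ' is "true"; alternate template routing is off'


if __name__ == "__main__":
    samples = {"default": SAMPLE_DEFAULT, "explicit false": SAMPLE_EXPLICIT_OFF,
               "hardened": SAMPLE_HARDENED}
    for name, xml_text in samples.items():
        enabled, reason = audit_alt_templates(xml_text)
        print("%-15s %s  (%s)" % (name, "REVIEW" if enabled else "OK", reason))
```

A config with no such attribute at all, as reported for the 6.x install in this thread, comes back as "not set".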

  • Sean L 24 posts 146 karma points
    Nov 13, 2015 @ 21:00
    Sean L
    0

    Nicholas,

    Thank you very much for the quick response. Unfortunately, I searched the umbracoSettings.config and did not find anything referencing Alternative Templates. I then searched all of the files in the config directory and still could not find anything.

    There must be something that is along those lines in 6.x, just need to figure out what. I will spend some time looking for this, but you at least gave me a direction. I appreciate that.

    If anyone comes across this and has worked with this type of thing in 6.x and could point it out, that may be helpful. If I find a solution prior to that, I will post.

    Again, thanks for the assistance!

  • Nicholas Westby 2054 posts 7103 karma points c-trib
    Nov 13, 2015 @ 21:16
    Nicholas Westby
    1

    Take a look at this Umbraco issue on YouTrack: http://issues.umbraco.org/issue/U4-274

    Specifically, this comment by Sebastiaan:

    Comment by Sebastiaan

    If Umbraco 6 has that entry in 404handlers.config, that may be your best bet for disabling alternate templates.

  • Nicholas Westby 2054 posts 7103 karma points c-trib
    Nov 13, 2015 @ 21:22
    Nicholas Westby
    0

    Oh, one more thing. If you want to ensure that the wrong template isn't used and the above doesn't work in some scenarios, you could always handle that logic in each view.

    That is, if you have an "About.cshtml" that you know is only used with the "About" document type, the About.cshtml file could check that the current page it's rendering is an "About" document type (if not, it can return early and do nothing).

    Views that you inherit from as your ancestor layouts (say, "Master.cshtml" or "Wrapped.cshtml") should not work anyway (i.e., they should error out), because they should have sections that make it impossible to use them as templates without first inheriting from them.

  • Mansoor Ahmad 16 posts 74 karma points
    Sep 27, 2016 @ 10:35
    Mansoor Ahmad
    0

    I had the same problem and the answer mentioned by Nicholas for the version 6 worked for me.

    In the 404handlers.config, remove or comment out the following line

    Please do remember it will not work until you restart the app :)
