Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Feb 28, 2017 @ 06:09
    Sebastiaan Janssen
    0

    Questions About Umbraco Forms Security Advisory Feb2017

    If you have questions about today's security advisory, please ask here and we'll get back to you ASAP.

  • Dave Woestenborghs 3125 posts 10147 karma points MVP 3x admin c-trib
    Feb 28, 2017 @ 08:58
    Dave Woestenborghs
    1

    Now you made me very curious :-)

  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Mar 01, 2017 @ 14:07
    Sebastiaan Janssen
    1

    Unfortunately this usually means it's not good news, sorry. :-)

    https://umbraco.com/blog/security-advisory-update-umbraco-forms-immediately/

  • Shola 61 posts 246 karma points
    Mar 01, 2017 @ 15:34
    Shola
    0

    Hello,

    In case some of us don't stumble upon the blog, or catch it at a later date, will you be actively emailing the people who bought licenses?

    Thanks!

  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Mar 01, 2017 @ 16:04
    Sebastiaan Janssen
    0

    Yes emails are being sent to license purchasers right now.

  • Kevin Duong 15 posts 85 karma points
    Mar 01, 2017 @ 15:56
    Kevin Duong
    0

    If I drag and drop the DLL you provided onto my Azure hosted site, will that resolve this issue for me?

  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Mar 01, 2017 @ 16:04
    Sebastiaan Janssen
    0

    Yes.

  • glenatron 37 posts 132 karma points
    Mar 01, 2017 @ 16:02
    glenatron
    0

    We have had to make a lot of customisations around Forms behaviour and an update is very likely to break things for us.

    Is there any chance of a little more detail on what has changed/what the threat is?

  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Mar 01, 2017 @ 16:17
    Sebastiaan Janssen
    0

    All I can tell you is that there's absolutely no breaking changes. If you need more information send an email to security@umbraco.com

  • Paul Yates 32 posts 86 karma points
    Mar 01, 2017 @ 16:38
    Paul Yates
    0

    Should Umbraco still report on the dashboard the previous installed version after applying the update (manual method)? I'm sure it should but just want to check.

  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Mar 01, 2017 @ 17:48
    Sebastiaan Janssen
    0

    Yes.

  • Marc Goodson 755 posts 4917 karma points MVP 3x c-trib
    Mar 01, 2017 @ 16:42
    Marc Goodson
    1

    Hi Seb

    So if an Umbraco site has been upgraded to Umbraco 7, and the client has kept Contour...

    ... so they are not using Umbraco Forms...

    ... but the Umbraco.Forms.Core.Providers.dll is still present within the bin folder, because is ships with 7 ?

    .. then are they affected ?

    or only affected if they have hit the 'install' button on the Install Umbraco Forms dashboard...

    ... eg they actually have to be actively using Umbraco Forms to be affected, or is the dll lying dormant still an issue.

    (just prioritising my to patch list)

    regards

    Marc

  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Mar 01, 2017 @ 17:51
    Sebastiaan Janssen
    0

    If Forms is not installed: no problem . If it gets installed in the future it will install 4.4.2 - no problem.

    If Forms is installed, even not in use now: need to update in case it gets used in the future.

  • Mark Owen 9 posts 100 karma points
    Mar 02, 2017 @ 10:47
    Mark Owen
    0

    Hi,

    I believe that we are using Contour and not Umbraco Forms, however, whilst everything in Umbraco says Contour and the plugin is called Contour, the related dlls are called Umbraco.Forms.* and specifically the Umbraco.Forms.Core.Providers.dll is present.

    Does this mean that we are affected or are Contour dlls also called Umbraco.Forms?

    Thanks, Mark

  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Mar 02, 2017 @ 10:54
    Sebastiaan Janssen
    0

    Contour is not affected, yes, the dlls are named Umbraco.Forms as that was always the codename for Contour before Contour was renamed to Umbraco Forms.

    If you look at the version of Umbraco.Forms.Core.dll then it should be lower than 4.0.0. Umbraco Forms is 4.0.0 and up.

    Hope that helps!

  • Mark Owen 9 posts 100 karma points
    Mar 02, 2017 @ 10:56
    Mark Owen
    0

    Yep, that helps, thanks. I thought that would be the case, but wanted to make sure.

  • k 186 posts 497 karma points
    Mar 02, 2017 @ 12:03
    k
    0

    Hello,

    The issue is on what umbraco Form versions ? All umbraco form versions below 4.4.2 should be updated ?

    Thanks

  • Sebastiaan Janssen 4701 posts 13294 karma points MVP admin hq
    Mar 02, 2017 @ 12:11
    Sebastiaan Janssen
    0

    Yes, all versions below 4.4.2 should be updated.

  • Phil Dye 141 posts 296 karma points
    Mar 03, 2017 @ 15:44
    Phil Dye
    0

    We are finding on many projects that a nuget UpdatePackage is not upgrading all files correctly; the vulnerable dll gets updated, but not all content files (including some of the backoffice Javascript) - this results in various Angular/console errors.

    We've resorted to removing the nuget package, and then re-adding it - this ensures all files are updated correctly.

    http://issues.umbraco.org/issue/CON-1287 logged for now, although more investigation is needed to flesh out the detail.

    Phil

  • Mike Beale 26 posts 107 karma points
    Mar 13, 2017 @ 10:58
    Mike Beale
    0

    We have just noticed that this update is stopping the datepicker working on our site.

    I have just copied back the previous Umbraco.Forms.Core.Providers.dll we had, and the datepicker starts working again. Properties of the old dll say version 4.3.2, and we have forms version 4.3.2, and downloaded the fix for Umbraco Forms versions from 4.3.0 up to and including 4.4.1

    There are no errors shown in Firefox, Chrome or IE11 debug tools.

    Looking in the debug tools in Firefox that the pickaday.js & pickaday.css are not being loaded with the updated .dll file, there is no reference to them in the HTML of the page.

    As a quick test copied the new dll back and the datepicker stops working, copy back the old dll and the datepicker is back!

  • Warren Buckley 2074 posts 4460 karma points MVP 6x admin hq c-trib
    Mar 13, 2017 @ 11:16
    Warren Buckley
    1

    Hi Mike,
    I will need to do some tests & investigation to see if I can reproduce and help sort this out.

    Can you clarify if the following file is present please:

    /Views/Partials/Forms/DatePicker.cshtml
    

    I suspect it may be missing, if so you can upgrade to the lasts Forms 4.4.2 as opposed to just the DLL.

    As always back up everything before doing upgrades.

    Please let me know Mike, if this resolves your problems.

    Thanks,
    Warren

  • Mike Beale 26 posts 107 karma points
    Mar 13, 2017 @ 11:48
    Mike Beale
    0

    Hi Warren,

    You are correct, that file does not exist.

    We have not done many updates on packages as due to the security setup on our servers & networks it never seems to go quite right.

    Anyway, I downloaded the latest Forms package file and did a manual upgrade using Install Local Package as the server has no outbound internet access.

    Crossed fingers and it installed, and everything is working good, it has the updated .dll file, and now the DatePicker.cshtml file is also there.

    Thanks for you help Mike

  • Darren Eccles 53 posts 267 karma points
    Mar 16, 2017 @ 09:25
    Darren Eccles
    0

    Hi Guys,

    Had a worrying moment this morning, I uploaded the new Umbraco.Forms.Core.Provider.dll to my bin folder which caused the site to crash.

    The site is running Umbraco 7.4.3, and Umbraco Forms 4.3.2 and I definitely uploaded the right .dll (dll version 4.3.0 - 4.4.1)

    I reverted back to the old .dll, however the site would not come back online. I stop the site in IIS, and also stop the application pool, however after stopping the application pool, I could not get it to start again (it was throwing an error).

    I created a new application pool and linked this to the existing site, restarted the site and it worked.

    Has anyone else had any issues like this?

    I have around 10 other sites I need to update, but after this I'm a bit worried about taking more sites down.

    Thanks

    Darren

  • Warren Buckley 2074 posts 4460 karma points MVP 6x admin hq c-trib
    Mar 16, 2017 @ 09:27
    Warren Buckley
    0

    Hi Darren,
    Can you reproduce it locally and get a stack trace error that may indicate what the problem is.

    Thanks,
    Warren

  • Darren Eccles 53 posts 267 karma points
    Mar 16, 2017 @ 10:10
    Darren Eccles
    0

    Hi Warren,

    This is strange, I just ran the project locally with the new .dll and its working without any issues.

    Darren

  • Darren Eccles 53 posts 267 karma points
    Mar 16, 2017 @ 10:29
    Darren Eccles
    0

    Hi Warren,

    Bit of an update, I re-uploaded the .dll again, and the site seems to be working now, very strange.

    Thanks for coming back to me.

    Darren

  • JLon 296 posts 417 karma points
    Mar 22, 2017 @ 12:04
    JLon
    0

    Do we have to patch this if we are using the old Contour 3.0.8? Is this just for the new Umbraco Forms?

    Thanks

  • Warren Buckley 2074 posts 4460 karma points MVP 6x admin hq c-trib
    Mar 23, 2017 @ 16:00
    Warren Buckley
    0

    Hi JLon you do not need to do anything as the blog post mentions this:

    Contour (the predecessor to Umbraco Forms) is not affected.

    Many Thanks,
    Warren :)

Please Sign in or register to post replies

Write your reply to:

Draft