Disable Web Services in Umbraco 7.6.4
I refer you to an unanswered post in February 2018 - https://our.umbraco.com/forum/using-umbraco-and-getting-started/90790-umbraco-webservice-folder-in-v74
We are experiencing a similar scenario. A recent penetration test of our website uncovered the following:
"The website was found to expose a SOAP interface externally that allows functionalities such as ‘SaveDLRScript’. This functionality is commonly used to perform unauthorised arbitrary file upload and to gain remote access. The following URL was identified on the primary website.
Vulnerable URL: https://www.oursite.com/umbraco/webservices/codeEditorSave.asmx?WSDL"
We are using the IPWhitelistModule.cs to prevent external IPs accessing the following;
I am therefore curious as to how external IPs can hit the "vulnerable" URL.
Same question as the Feb 2018 post - Can I delete the webservices folder? Is there anything depending on it by default?
Thanks!
Hi Dane,
I don't know if deleting the folder will break anything. I think that is a matter of trial and error.
But having a wsdl description visible does not mean your site is vulnerable.
You can see the webservice inherits from UmbracoAuthorizedWebService:
https://github.com/umbraco/Umbraco-CMS/blob/v7/dev/src/Umbraco.Web/umbraco.presentation/umbraco/webservices/codeEditorSave.asmx.cs
So only authenticated users can make use of the webservice.
Dave
Thank you for the response Dave.
Much appreciated!