WRT the security issue in the UmbRegisterController, am I safe if I disabled access to /umbraco in IIS from untrusted IPs?
I had a peek at the registered route and this seems to be the case, but I would like a confirmation from someone more knowledgeable...
That is an idea. As far as I can see, the URL that is used is this: /umbraco/surface/UmbRegister/handleregistermember
You could block that specific url. You can find more documentation about that over here: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/#lock-down-access-to-your-umbraco-folders
But it's not advisable to block /umbraco/surface/* because your other surface controller will probably use that as well.
Does that make any sense?
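An added example, not part of the original posts: one way to block only the route named above in `web.config`, leaving other surface controllers reachable. It assumes the IIS URL Rewrite module is installed; the rule name and the trusted address `203.0.113.10` are constructed placeholders.

```xml
<!-- Added example: merge the <rule> into the existing <system.webServer><rewrite><rules>
     section of web.config. Assumes the IIS URL Rewrite module is installed. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Hypothetical rule name. The match pattern is relative to the site root,
             so it carries no leading slash. -->
        <rule name="Block UmbRegister HandleRegisterMember" stopProcessing="true">
          <match url="^umbraco/surface/UmbRegister/handleregistermember" ignoreCase="true" />
          <conditions>
            <!-- Constructed trusted address (documentation range): requests from any
                 other client get the 403 below. Remove the condition to block everyone. -->
            <add input="{REMOTE_ADDR}" pattern="^203\.0\.113\.10$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Access to this route is restricted" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Behind a reverse proxy or load balancer, `{REMOTE_ADDR}` holds the proxy's address, so the condition would have to test whatever client-address value that setup provides.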
In our Umbraco sites we always block /umbraco from the outside as a rule, and deal with the exceptions on a URL-by-URL basis (exception in IIS config, custom route in code, etc.).
This means that in this case we can delay the update until we are ready :-)
Yep, I think so!
We've also created a .dll that contains the fix. Just copy this over into your bin folder and you're ready:
For version 6: https://downloads.perplex.eu/umbracosecurityfix/UmbracoSecurityPatch20190709v6.dll
For version 7: https://downloads.perplex.eu/umbracosecurityfix/UmbracoSecurityPatch20190709v7.dll