Security Advisory July 9th 2019
Hi,
WRT the security issue in the UmbRegisterController, am I safe if I disabled access to /umbraco in IIS from untrusted IPs?
I had a peek at the registered route and this seems to be the case, but I would like a confirmation from someone more knowledgeable...
TIA, Marco
Hi Marco,
That is an idea. As far as I can see, the URL that is used is this: /umbraco/surface/UmbRegister/handleregistermember
You could block that specific url. You can find more documentation about that over here: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/#lock-down-access-to-your-umbraco-folders
But it's not advisable to block /umbraco/surface/* because your other surface controller will probably use that as well.
Does that make any sense?
Regards Jeffrey
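An IIS web.config fragment, added here as an example and not taken from the thread or from Umbraco's documentation, that combines the two approaches discussed above: the exact endpoint named in the reply is denied for everyone via Request Filtering, /umbraco is restricted to trusted addresses, and /umbraco/surface is re-opened so other surface controllers keep working. The address 192.0.2.10 is a placeholder for a trusted office IP.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <!-- Deny the vulnerable registration endpoint from the thread for all callers.
           Request Filtering returns 404.5 for a denied URL sequence. -->
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/umbraco/surface/UmbRegister/handleregistermember" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Only listed addresses may reach anything under /umbraco.
       Requires the "IP and Domain Restrictions" role service; the ipSecurity
       section is locked in applicationHost.config by default and must be unlocked
       (overrideModeDefault="Allow") before a site-level web.config may set it. -->
  <location path="umbraco">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <!-- placeholder trusted address; repeat <add> per office/VPN range -->
          <add ipAddress="192.0.2.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Exception: surface controllers serve public forms, so reopen this path
       (the denyUrlSequences rule above still blocks the one bad endpoint). -->
  <location path="umbraco/surface">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true" />
      </security>
    </system.webServer>
  </location>
</configuration>
```

After deploying, confirm from an untrusted address that /umbraco returns 403 while an existing surface form still submits, and that a request to the patched endpoint itself is refused.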
In our Umbraco sites we always block /umbraco from the outside as a rule, and deal with the exceptions on a URL by URL basis (exception in IIS config, custom route in code, etc.).
This means that in this case we can delay the update until we are ready :-)
Yep, I think so!
Hi all,
we've also created a .dll that contains the fix. Just copy over this into your bin-folder and you're ready:
For version 6: https://downloads.perplex.eu/umbracosecurityfix/UmbracoSecurityPatch20190709v6.dll
For version 7: https://downloads.perplex.eu/umbracosecurityfix/UmbracoSecurityPatch20190709v7.dll
Happy patching!
Jeffrey