
  • Marco Lusini 176 posts 1370 karma points
    Jul 11, 2019 @ 09:48
    Marco Lusini
    0

    Security Advisory July 9th 2019

    Hi,

    WRT the security issue in the UmbRegisterController, am I safe if I disabled access to /umbraco in IIS from untrusted IPs?
    I had a peek at the registered route and this seems to be the case, but I would like a confirmation from someone more knowledgeable...

    TIA, Marco

  • Jeffrey Schoemaker 408 posts 2138 karma points MVP 8x c-trib
    Jul 12, 2019 @ 12:57
    Jeffrey Schoemaker
    100

    Hi Marco,

    That is an idea. As far as I can see, the URL that is used is: /umbraco/surface/UmbRegister/handleregistermember

    You could block that specific url. You can find more documentation about that over here: https://our.umbraco.com/documentation/Reference/Security/Security-hardening/#lock-down-access-to-your-umbraco-folders

    But it's not advisable to block /umbraco/surface/* because your other surface controllers will probably use that as well.

    Does that make any sense?

    Regards Jeffrey
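
An added example (not part of the original posts and not Umbraco's own configuration) of the narrow block suggested above: an IIS URL Rewrite rule that returns 403 for the UmbRegister endpoint unless the request comes from an allow-listed address. It assumes the IIS URL Rewrite module is installed; the rule name and the IP addresses are constructed placeholders.

```xml
<!-- Added example. Assumes the IIS URL Rewrite module; merge the <rewrite>
     element into the <system.webServer> section of the site's web.config. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Deny only the endpoint named in the thread, so other surface
             controllers under /umbraco/surface/ keep working. -->
        <rule name="Deny UmbRegister from untrusted IPs" stopProcessing="true">
          <!-- The pattern is matched against the path without the leading slash.
               ignoreCase is set because MVC routes are case-insensitive. -->
          <match url="^umbraco/surface/UmbRegister/handleregistermember" ignoreCase="true" />
          <!-- MatchAll + negate: the rule fires only when the client address
               matches none of the allow-listed entries. -->
          <conditions logicalGrouping="MatchAll">
            <!-- Placeholder addresses (constructed); replace with your trusted IPs. -->
            <add input="{REMOTE_ADDR}" pattern="^192\.0\.2\.10$" negate="true" />
            <add input="{REMOTE_ADDR}" pattern="^127\.0\.0\.1$" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Access from this address is not allowed" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

If the site sits behind a reverse proxy or load balancer, `{REMOTE_ADDR}` is the proxy's address rather than the client's, so the condition has to be adapted to that setup. After deploying, request the URL from an untrusted network and confirm the response is 403.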

  • Marco Lusini 176 posts 1370 karma points
    Jul 12, 2019 @ 13:05
    Marco Lusini
    0

    In our Umbraco sites we always block /umbraco from the outside as a rule, and deal with the exceptions on a URL-by-URL basis (exception in IIS config, custom route in code, etc.).

    This means that in this case we can delay the update until we are ready :-)

  • Jeffrey Schoemaker 408 posts 2138 karma points MVP 8x c-trib
    Jul 12, 2019 @ 13:11
    Jeffrey Schoemaker
    0

    Yep, I think so!

  • Jeffrey Schoemaker 408 posts 2138 karma points MVP 8x c-trib
    Jul 15, 2019 @ 12:40
    Jeffrey Schoemaker
    0

    Hi all,

    We've also created a .dll that contains the fix. Just copy this over into your bin folder and you're ready:

    For version 6: https://downloads.perplex.eu/umbracosecurityfix/UmbracoSecurityPatch20190709v6.dll

    For version 7: https://downloads.perplex.eu/umbracosecurityfix/UmbracoSecurityPatch20190709v7.dll

    Happy patching!

    Jeffrey
