Hi Abuabdellah,
Thank you for creating this package, but please be aware that you've created some serious security vulnerabilities for those who will use it!
It's possible to call your controller action that handles the export without authentication. So if you go to this URL:
http://<your-umbraco-domain.com>/Umbraco/Api/UGMembers/GetAllMembers1
You will get an export of all members, and you don't have to be authorized within Umbraco. This makes it possible for the whole world to download all your members.
This should be solved here: https://pagure.io/UGardian/blob/master/f/code/App_Code/UGMembersController.cs. I think replacing UmbracoApiController with UmbracoAuthorizedApiController will solve this immediately, but you should test that out.
See also this documentation: https://our.umbraco.com/documentation/reference/routing/webapi/authorization
Hopefully you can fix this soon and give everyone who has installed your package a heads-up that they should update the package!
If you need more information, please let me know.
Kind regards, Jeffrey
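For readers who want to see what the suggested base-class swap looks like, here is an added illustration in C# of the pattern described above. It is not the UGardian package's code and not from either poster; only the controller name, the action name and the two Umbraco base classes come from the thread. The action body (which member fields are returned) and the use of `Services.MemberService.GetAllMembers()` are assumptions, and the two versions are placed in separate namespaces purely so they can sit in one file; a real site would deploy only the fixed one.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
using Umbraco.Web.WebApi;

namespace UGardian.Vulnerable
{
    // BEFORE: UmbracoApiController is auto-routed at
    // /umbraco/api/{controller}/{action} and applies no authentication.
    // Anyone on the internet can GET /umbraco/api/UGMembers/GetAllMembers1
    // and receive the whole member list.
    public class UGMembersController : UmbracoApiController
    {
        [HttpGet]
        public IEnumerable<object> GetAllMembers1()
        {
            // Assumed export shape: id, name and e-mail of every member.
            return Services.MemberService.GetAllMembers()
                .Select(m => new { m.Id, m.Name, m.Email })
                .ToList();
        }
    }
}

namespace UGardian.Fixed
{
    // AFTER: UmbracoAuthorizedApiController requires an authenticated
    // back-office user. The route also moves to
    // /umbraco/backoffice/api/{controller}/{action}, so the old public URL
    // no longer resolves, and the new one rejects requests that do not
    // carry a valid back-office session.
    public class UGMembersController : UmbracoAuthorizedApiController
    {
        [HttpGet]
        public IEnumerable<object> GetAllMembers1()
        {
            // Same export, now reachable only by logged-in back-office users.
            return Services.MemberService.GetAllMembers()
                .Select(m => new { m.Id, m.Name, m.Email })
                .ToList();
        }
    }
}
```

A quick check after deploying the fixed version: request the old URL `/umbraco/api/UGMembers/GetAllMembers1` from a browser session that is not logged in to the back office and confirm it no longer returns member data, then request `/umbraco/backoffice/api/UGMembers/GetAllMembers1` the same way and confirm you get an authorization failure rather than the list. Only a logged-in back-office user should be able to pull the export.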
Jeffrey, peace be upon those who follow guidance,
Thank you for your alert. I uploaded a new release which includes a fix for that.
Let me know if you find other issues.
That is fantastic! Really well handled and responded to!
Have a great day!
I suggest that you select a solution so that the forum has more answers.
Serious security issues in the UGardian package!