
ASP.NET Security Vulnerability Patch

A security hole has been uncovered in ASP.NET, the platform Umbraco is based on (full details here: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx). This means that your website can potentially be compromised. We therefore strongly recommend that you install this package to check whether your site is open to the vulnerability and to apply the recommended workaround.

The package will check for the following vulnerability types:

  • customErrors element not found in web.config
  • mode attribute on customErrors element not found
  • mode attribute on customErrors element set to 'Off'
  • different error pages for different error codes
  • defaultRedirect attribute on customErrors element not found
  • defaultRedirect attribute on customErrors element not set

If a vulnerability is detected, the user can choose to apply the fix.
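The checks listed above can be reproduced against a web.config string. The following is an added example, not the package's own code. It assumes the standard `<customErrors>` section, treats any per-status `<error>` redirect that differs from `defaultRedirect` as the "different error pages" case, and uses a placeholder error page path (`~/error.html`) for the fix.

```python
import xml.etree.ElementTree as ET

def _custom_errors(root):
    return next(root.iter("customErrors"), None)

def audit_custom_errors(web_config_xml):
    """Return findings (worded as in the list above) for a web.config string."""
    ce = _custom_errors(ET.fromstring(web_config_xml))
    if ce is None:
        return ["customErrors element not found in web.config"]
    findings = []
    mode = ce.get("mode")
    if mode is None:
        findings.append("mode attribute on customErrors element not found")
    elif mode == "Off":
        findings.append("mode attribute on customErrors element set to 'Off'")
    default = ce.get("defaultRedirect")
    if default is None:
        findings.append("defaultRedirect attribute on customErrors element not found")
    elif not default.strip():
        findings.append("defaultRedirect attribute on customErrors element not set")
    # Assumption: a per-status <error> child that redirects anywhere other than
    # defaultRedirect counts as "different error pages for different error codes".
    pages = {e.get("redirect", "").strip().lower() for e in ce.iter("error")}
    pages.discard((default or "").strip().lower())
    if pages:
        findings.append("different error pages for different error codes")
    return findings

def apply_workaround(web_config_xml, error_page="~/error.html"):
    """Assumed fix: one page for every error. error_page is a placeholder path."""
    root = ET.fromstring(web_config_xml)
    ce = _custom_errors(root)
    if ce is None:
        system_web = root.find("system.web")
        if system_web is None:
            system_web = ET.SubElement(root, "system.web")
        ce = ET.SubElement(system_web, "customErrors")
    for child in list(ce):
        ce.remove(child)  # drop per-status <error> entries
    ce.set("mode", "On")
    ce.set("defaultRedirect", error_page)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: detailed errors on, separate pages for 404 and 500.
SAMPLE = """<configuration><system.web><customErrors mode="Off">
  <error statusCode="404" redirect="~/404.aspx" />
  <error statusCode="500" redirect="~/500.aspx" />
</customErrors></system.web></configuration>"""
```

`audit_custom_errors(SAMPLE)` reports three findings; auditing the output of `apply_workaround(SAMPLE)` reports none.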

This package has been tested on:

  • Umbraco v4.5.2 .NET 4.0
  • Umbraco v4.5.2 .NET 3.5
  • Umbraco v4.0.4.2 .NET 2
  • Umbraco v4.0.4.2 .NET 3.5


Version 1.1 of the package also updates /config/404handlers.config and replaces the default 404 handler with one that always redirects to the custom error page. After applying the patch, it is therefore no longer possible to set up custom error pages in /config/umbracoSettings.config.

If you already installed version 1, you can install the latest version over it; this will just update the /config/404handlers.config file.


If it's not possible to install the package, or the package installation fails, please follow the directions in the guide below to update your website, or hand them to your IT department, who can perform the upgrade as well.


Package owner

Tim Geyssens



Package Information

  • Package owner: Tim Geyssens
  • Created: 20/09/2010
  • Current version: 1.1
  • License: MIT
  • Downloads on Our: 14.1K