
  • Tim 1193 posts 2675 karma points MVP 4x c-trib
    Sep 02, 2010 @ 10:59
    Tim
    0

    Major Security Issue!

    Hi,

    It's possible to access: /umbraco/robots-txt/editRobotsTxtFile.aspx without being logged into umbraco! This came up in a security test of one of our umbraco installations last week.

    I haven't had a chance to run reflector on it and check, but it looks like the page doesn't inherit from umbracoBasePage, which checks if you're logged in.

    Any chance of a fix ASAP?

  • Matt Brailsford 4125 posts 22223 karma points MVP 9x c-trib
    Sep 02, 2010 @ 11:04
    Matt Brailsford
    0

    As a temp fix, could you not use web.config security to deny access to that folder?

    http://support.microsoft.com/kb/316871

    Matt
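
A sketch of the web.config restriction Matt suggests, added here as an illustration and not taken from any post in this thread or from the package. It assumes the folder path in Tim's post and that locking the editor out for every user is acceptable until the fixed package is installed:

```xml
<!-- Added example: goes in the site's root web.config, as a child of <configuration>. -->
<configuration>
  <!-- Path is relative to the site root and matches the folder named in the report. -->
  <location path="umbraco/robots-txt">
    <system.web>
      <authorization>
        <!-- users="*" denies every user, so the editor page is unreachable
             to anonymous and logged-in visitors alike while this is in place.
             users="?" would deny only users that ASP.NET itself sees as
             anonymous; whether a back-office login counts as authenticated
             for ASP.NET URL authorization is not stated in this thread, so
             the stricter rule is used here. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Remove the `<location>` block once the fixed package version is installed, then confirm that an unauthenticated request to the editor page is refused.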

  • Lee Kelleher 4026 posts 15836 karma points MVP 13x admin c-trib
    Sep 02, 2010 @ 11:07
    Lee Kelleher
    0

    Hi Tim,

    This has been fixed in the latest version (v3.0).  If you need a hotfix for the previous version (v2.0), let me know.

    - Lee

  • Tim 1193 posts 2675 karma points MVP 4x c-trib
    Sep 02, 2010 @ 11:56
    Tim
    0

    Thanks Lee! I've dropped you an email via the link in your post.

    :)

  • Lee Kelleher 4026 posts 15836 karma points MVP 13x admin c-trib
    Sep 02, 2010 @ 13:15
    Lee Kelleher
    0

    I have packaged up the hotfix, released as v2.0.1.
