September 17, 2018
Updated 9/20/2018 @ 1 AM MNT:
Non technical explanation: Files that are not meant to be served through your web server are accessible.
Semi-technical example: This exploit would allow the server's .config files, including your web.config, to be downloaded. The web.config often contains database credentials and SMTP server information.
Who is affected?
As we mentioned in the Security Advisory published on September 14th, all versions of Umbraco are affected.
The vulnerability exists in an external library to Umbraco called Client Dependency Framework (CDF), versions 184.108.40.206 - 1.9.6.
As advised in last week’s Security Advisory, we highly recommend you make time to fix this issue. If you are not technically responsible for your site, please make sure to reach out to the responsible person/agency so they can take the necessary action.
This advisory is the result of a private penetration test; we have no indication or reports that the vulnerability is currently being exploited in the wild.
The vulnerability is exploitable by any unauthenticated user requesting resources from your public website, a vulnerability of type “Local File Inclusion.” The resources that can be requested include configuration files and other sensitive internal files not intended for public access.
How to update?
You can either do a manual update, update via NuGet, or upgrade to the newest version of Umbraco. Umbraco Cloud users will automatically be upgraded.
You’ll need to copy the appropriate new version (1.9.7) of CDF listed below into the bin folder of your website.
- ClientDependency.Core.dll (version 1.9.7, compatible with .NET 4.5)
- ClientDependency.Core.dll (version 1.9.7, compatible with .NET 4.0)
- ClientDependency.Core.dll (version 1.9.7, compatible with .NET 3.5)
This version is fully backwards compatible with previous versions so you don't need to worry about breaking anything.
To avoid exposure of private information in cached files, you will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade.
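The two manual steps above (confirm the 1.9.7 DLL is in place, then empty the ClientDependency cache folders) as an added PowerShell example; this is not Umbraco's, CDF's or Fyin.com's code, and the site root path is an assumption you replace with your own:

```powershell
# Added example (not Umbraco's or CDF's own code): verify the CDF patch on an
# on-premises site and clear the cache folders the advisory says to delete.
# Assumes the site root path below; adjust it for your deployment.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\MyUmbracoSite'   # assumed path
)

$patched = [version]'1.9.7'   # fixed CDF version named in the advisory
$dll = Join-Path $SiteRoot 'bin\ClientDependency.Core.dll'

if (-not (Test-Path $dll)) {
    Write-Warning "ClientDependency.Core.dll not found under $SiteRoot\bin"
    exit 2
}

# Read the assembly's file version (major.minor.build only, so a trailing
# revision component does not skew the comparison)
$fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dll)
$current = [version]"$($fvi.FileMajorPart).$($fvi.FileMinorPart).$($fvi.FileBuildPart)"
Write-Host "ClientDependency.Core.dll file version: $current"

if ($current -lt $patched) {
    Write-Warning "CDF $current is vulnerable; replace the DLL with 1.9.7 before continuing"
    exit 1
}

# Both cache locations named in the advisory; delete any cached output so
# files generated before the patch cannot leak configuration contents.
$cacheDirs = @(
    (Join-Path $SiteRoot 'App_Data\ClientDependency'),
    (Join-Path $SiteRoot 'App_Data\Temp\ClientDependency')
)
foreach ($dir in $cacheDirs) {
    if (Test-Path $dir) {
        $count = (Get-ChildItem -Path $dir -Recurse -File).Count
        Remove-Item -Path (Join-Path $dir '*') -Recurse -Force
        Write-Host "Cleared $count cached file(s) from $dir"
    }
}
Write-Host 'CDF patch verified and cache cleared.'
```

Run it once per site root after copying the new DLL; a non-zero exit code means the DLL is missing or still an older version.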
Umbraco users need to know about an important security patch that Umbraco HQ is releasing this week. The patch is being issued in response to a security vulnerability that could lead to disclosure of private information on sites running Umbraco version 4.11.9 and higher (including all versions of v6 and v7).
The patch is expected to be released on Thursday, September 20th. Because of the severity of this security vulnerability, Umbraco is not releasing details ahead of time (in order to prevent nefarious characters from trying to exploit it further). However, we can confidently state that this patch is a critical one and should not be treated as optional.
Fyin.com has identified a stop-gap solution while we wait for an official patch to be released. We can help you minimize any security risks and keep your data safe.
If you have an Umbraco site, you’ll want to do the following:
- Confirm the Umbraco version of your site(s). In most versions, you can find your version number by clicking your account icon in the upper left corner after logging in.
- Contact your web host/IT provider and confirm that they can make this important update for you (ideally, on the 20th). If your site is hosted on Umbraco Cloud, the update will be made automatically. However, if the site is hosted in a data center or in your own facility, the update will need to be made manually.
If you are a Fyin.com partner, rest assured that we will take care of this update for you.
If you are not a Fyin.com partner (or were a partner previously), we do not want to leave you out in the cold. Our team stands ready to help the community!
We are offering a special rate of $995.00 to get ahead of this critical security patch with our stop-gap solution today! Once the patch is released, we will apply the patch for you in the order in which we received your request. To pre-patch your site, a new wildcard SSL certificate may be needed to comply with Umbraco's industry best practices. For your convenience, we are offering a 2-year Comodo wildcard SSL certificate for $500.00. Please fill out the form below or contact us.