A security report alerted us to an issue where booting.aspx could be used as an open redirect. Open redirects are used in phishing attacks: the URL you click appears to point to a legitimate site, but that legitimate site then redirects you to a malicious one.
Note that anybody trying to use this vulnerability on your Umbraco site would see the following interstitial page for 10 seconds:
Severity
We rate this as a medium level security problem.
Although the exploit is available to an unauthenticated attacker, no data can be altered on the target Umbraco site.
Mitigation
Umbraco 7.15.7 mitigates the specific exploit method and we advise you to upgrade to that version.
Workarounds for older versions
Alternatively, for any site with a version lower than 7.15.7 we recommend you remove booting.aspx, which mitigates the problem as well. This file is not often in active use and is therefore safe to remove for most people. If you think your site is often displaying the booting screen, you can instead update this page with the latest version that ships with 7.15.7.
Please note that your deployment strategy might include a NuGet restore, which would restore booting.aspx on each deploy; make sure to take steps to prevent this file from being deployed.
Similarly, if you do update booting.aspx without upgrading to Umbraco 7.15.7, NuGet will overwrite it, so make sure that you only deploy the updated version.
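For sites that keep a custom splash or redirecting page, the check below shows how to confine a redirect target to the current site. It is an added example written for this advisory, not Umbraco's fix and not the contents of booting.aspx; it assumes the redirect target arrives as an already URL-decoded string from the request.

```csharp
using System;

// Added example (not Umbraco code): accept only plain site-relative
// paths as redirect targets so an attacker cannot send visitors off-site.
public static class RedirectGuard
{
    public static bool IsSafeLocalPath(string target)
    {
        if (string.IsNullOrWhiteSpace(target)) return false;
        target = target.Trim();

        // Must start with exactly one "/"; "//host" and "/\host" are
        // interpreted as scheme-relative URLs by browsers.
        if (target[0] != '/') return false;
        if (target.Length > 1 && (target[1] == '/' || target[1] == '\\')) return false;

        // No scheme separators or backslashes anywhere in the path.
        if (target.Contains(":") || target.Contains("\\")) return false;

        // No embedded whitespace or control characters (header injection guard).
        foreach (char c in target)
            if (char.IsControl(c) || char.IsWhiteSpace(c)) return false;

        // Finally it must still parse as a relative URI.
        return Uri.TryCreate(target, UriKind.Relative, out _);
    }

    // Returns the requested target when it is safe, otherwise the fallback.
    public static string SafeTarget(string requested, string fallback = "/")
        => IsSafeLocalPath(requested) ? requested : fallback;
}

// Expected behaviour of the check (assumed sample inputs):
//   IsSafeLocalPath("/umbraco/")           -> true
//   IsSafeLocalPath("//evil.example")      -> false
//   IsSafeLocalPath("/\\evil.example")     -> false
//   IsSafeLocalPath("https://evil.example") -> false
//   IsSafeLocalPath("/a\r\nSet-Cookie:x")  -> false
```

Call SafeTarget on the value before passing it to Response.Redirect so an unsafe value falls back to the site root rather than being followed.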
Credits
We'd like to thank Marcin Węgłowski and Mariusz Popławski from AFINE Team for reporting the issue and validating the fix.
I have upgraded 2 projects to 7.15.7 so far, but in both cases booting.aspx in the project files was not overwritten by the new file from 7.15.7, leaving me to overwrite it with the version from GitHub. The old U versions were 7.13.x and 7.12.x.