
v7: Open redirect security issue - insufficient url sanitization on booting.aspx #9782

Closed
nul800sebastiaan opened this issue Feb 9, 2021 · 1 comment

Comments

@nul800sebastiaan (Member)

Summary

A security report alerted us to an issue where booting.aspx could be used as an open redirect. Open redirects are used in phishing attacks: the link you click appears to point at a legitimate site, but that legitimate site then redirects you to a malicious one.

Note that anybody trying to use this vulnerability on your Umbraco site would see the following interstitial page for 10 seconds:

[screenshot: the booting interstitial page shown for 10 seconds]

Severity

We rate this as a medium level security problem.

Although the exploit is available to an unauthenticated attacker, no data can be altered on the target Umbraco site.

Mitigation

Umbraco 7.15.7 mitigates the specific exploit method and we advise you to upgrade to that version.

Workarounds for older versions

Alternatively, for any site on a version lower than 7.15.7 we recommend you remove booting.aspx, which mitigates the problem as well. This file is not often in active use and is therefore safe to remove for most people.

Alternatively, if your site often displays the booting screen, you can replace this page with the version that ships with 7.15.7.

Please note that your deployment strategy might include a NuGet restore, which will restore booting.aspx on each deploy; make sure to take steps to prevent this file from being deployed.
Similarly, if you update booting.aspx without upgrading to Umbraco 7.15.7, NuGet will overwrite it, so make sure that you only deploy the updated version.

Credits

We'd like to thank Marcin Węgłowski and Mariusz Popławski from AFINE Team for reporting the issue and validating the fix.
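The issue does not show the vulnerable code, so the following is an added example (written for this page, not Umbraco's code and not the 7.15.7 fix) of the kind of server-side check a page such as booting.aspx needs before redirecting to a user-supplied target. It is a Python stand-in for the ASP.NET logic: the hypothetical handler `redirect_after_boot` takes the requested target as a string and the vulnerable version echoes it into the Location header unchanged, while the hardened version allows only path-absolute, same-site targets. Every input string is constructed for the demonstration.

```python
from urllib.parse import urlsplit


def is_safe_local_redirect(target: str) -> bool:
    """Return True only for same-site, path-absolute targets such as
    "/umbraco/" or "/page?x=1#frag".

    The check is an allowlist on the exact string that will be emitted in
    the Location header, which is the only thing the browser sees."""
    if not target or len(target) > 2048:
        return False
    # Control characters and whitespace are rejected outright: browsers strip
    # some of them (tab, newline) before parsing, so a value such as "/\t/evil"
    # can mean something different in the browser than in a server-side check.
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in target):
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.example" is
    # resolved as the scheme-relative "//evil.example".
    if "\\" in target:
        return False
    # Must be path-absolute ("/...") but not scheme-relative ("//host/...").
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlsplit(target)
    # Defence in depth: a parsed scheme or authority means the value was not a
    # plain same-site path after all.
    if parts.scheme or parts.netloc:
        return False
    return True


def redirect_after_boot_vulnerable(requested: str) -> str:
    """Hypothetical 'before' handler: the Location header is whatever the
    caller supplied, which is exactly what makes a page an open redirect."""
    return requested


def redirect_after_boot(requested: str, fallback: str = "/") -> str:
    """Hypothetical hardened handler: unsafe targets fall back to the site
    root instead of being echoed into the Location header."""
    return requested if is_safe_local_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed sample targets: two legitimate, the rest attacker-controlled.
    samples = [
        "/umbraco/",
        "/page?x=1#frag",
        "https://evil.example/login",
        "//evil.example",
        "/\\evil.example",
        "javascript:alert(1)",
        "/\t/evil.example",
    ]
    for s in samples:
        print(f"{s!r:30} vulnerable -> {redirect_after_boot_vulnerable(s)!r:30} "
              f"hardened -> {redirect_after_boot(s)!r}")
```

The hardened handler validates the string it is about to emit rather than a decoded or normalised copy of it: a value such as `/%2F%2Fevil.example` is accepted because the browser will request that literal path on the same site, whereas the single-decoded `//evil.example` that a web framework hands to the handler is rejected. ASP.NET MVC's `Url.IsLocalUrl` applies the same leading-slash rules (rejecting `//` and `/\`), and is the idiomatic choice in a C# code base.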

@binraider

Hi Sebastiaan,

I have upgraded 2 projects to 7.15.7 so far, but in both cases booting.aspx in the project files was not overwritten by the new file from 7.15.7, leaving me to overwrite it with the version from github. The old U versions were 7.13.x and 7.12.x
