Patching Umbraco to fix security vulnerability in ASP.NET

17 Jan

This article assumes working knowledge of the ASP.NET platform and the Umbraco CMS. You will also need file-system access to the server hosting the site so you can change permissions on web.config.

To secure your installation:

First, give the account that runs your site write access to web.config. The patch package works by editing web.config, and Umbraco runs as the IIS application pool identity, so that account must be able to modify the file or the patch cannot be applied. The steps below assume that identity is NETWORK SERVICE (the default on older IIS versions); on IIS 7.5 and later the default is ApplicationPoolIdentity, so check the pool's identity in IIS Manager and use that account instead if it differs.

Once you have logged on to the server, add the account to the file's permissions and grant it write access. Full Control is used in the steps below for simplicity; Modify is enough to edit the file and is the safer choice if you prefer to grant the minimum.

  • Right click your web.config file
  • Click "Properties"
  • Click "Security"
  • Click "Add"
  • Enter "NETWORK SERVICE" underneath "Enter the object names to select"
  • Click "Check Names"
  • Click "Ok"
  • Tick the checkbox next to "Full Control" (or "Modify", which is sufficient)
  • Click "Ok"

NETWORK SERVICE now has temporary write access to web.config. Next, install the package that applies the patch to your Umbraco site.

  • Log into your Umbraco site via the backend (usually by going to yoursite.com/umbraco)
  • Go to "Developer"
  • Click "Packages"
  • Click "Umbraco package repository"
  • Click "Developer Tools"

Here you should see the "ASP.NET Security Vulnerability Patch"

  • Click "More Info and Download"
  • Continue to download the package and accept the license.
  • Once the package installs you should see a message confirming the fix. If you get an error instead, the most common cause is that the permissions on web.config were not applied correctly, or were applied to an account other than the one the application pool actually runs as, so Umbraco could not write to the file.

Once you are informed of the successful patch, you need to remove your permissions for NETWORK SERVICE on your web.config file. Simply:

  • Go back to your server
  • Right click your web.config file
  • Click "Properties"
  • Click "Security"
  • Click the "Network Service" user
  • Click "Remove" once selected
  • Click "Ok"

The temporary permission you added has now been removed from web.config. It is worth confirming at this point that the file was actually modified by the package (compare it against a backup, or check its modified date), since the site is only patched if that write succeeded.
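The same grant, install, revoke sequence can be scripted so the permission is never left behind and the change to web.config can be reviewed. The script below is an added example, not part of the original article or the Umbraco package: it assumes the site lives under C:\inetpub\wwwroot\mysite and that the application pool runs as NETWORK SERVICE, as the article does; change the two parameters if your paths or pool identity differ. It grants Modify rather than Full Control, keeps a backup, and after you install the package it revokes the permission and shows exactly which lines of web.config changed.

```powershell
# Added example (not from the original article or the Umbraco package).
# Grant the IIS worker identity write access to web.config only for as long as
# the Umbraco package needs it, keep a backup, then revoke and diff the file.
# Assumptions: site path and pool identity below match your server. On IIS 7.5+
# the default identity is ApplicationPoolIdentity ("IIS AppPool\<poolname>").
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\mysite\web.config',
    [string]$Identity  = 'NT AUTHORITY\NETWORK SERVICE'
)

# Back up web.config before anything is allowed to write to it.
$backup = "$WebConfig.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
Copy-Item -LiteralPath $WebConfig -Destination $backup
Write-Host "Backup written to $backup"

# Modify is enough for Umbraco to rewrite the file. Full Control would also let
# the worker process change the file's ACL, which nothing here needs.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, 'Modify', 'Allow')

$acl = Get-Acl -LiteralPath $WebConfig
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $WebConfig -AclObject $acl
Write-Host "Granted Modify on web.config to $Identity"

Read-Host 'Install the patch package in the Umbraco back office now, then press Enter to revoke'

# Revoke: remove every explicit (non-inherited) ACE for the identity we added.
$acl = Get-Acl -LiteralPath $WebConfig
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -LiteralPath $WebConfig -AclObject $acl

# Confirm the revoke took: no explicit ACE for the identity should remain.
$left = (Get-Acl -LiteralPath $WebConfig).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity }
if ($left) { Write-Warning "Explicit ACE for $Identity is still present on web.config" }
else       { Write-Host "Explicit ACE for $Identity removed from web.config" }

# Show exactly what the package changed, so the edit can be reviewed line by line.
# "=>" lines are new content in web.config, "<=" lines were removed.
Compare-Object (Get-Content -LiteralPath $backup) (Get-Content -LiteralPath $WebConfig) |
    Format-Table SideIndicator, InputObject -AutoSize
```

Run it from an elevated PowerShell prompt on the web server. If the diff at the end is empty, the package did not write to web.config and the site is not yet patched; if the identity still shows an explicit ACE after the revoke, check whether the permission is being inherited from the site folder rather than set on the file itself.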

404 Error Page

Even with Umbraco now patched, you will find that your custom 404 error pages no longer work, because the patch routes every error to a single page. The simplest way around this is to edit that page, which is installed at: /umbraco/plugins/PoetPatcher/CustomError.aspx

In this file you can change the message visitors see by editing the HTML. You may wish to copy your site's HTML and CSS into it and change the main text in the body, so it acts as a complete error page that keeps the look and feel of your website. Because this page is served for every error, not only 404s, keep it static: do not vary its content or behaviour based on the status code or the requested URL, since returning one uniform error response is what the fix relies on.

Posted by: garry
