
Patching Umbraco to fix security vulnerability in ASP.NET

Patching Umbraco to fix security vulnerability in ASP.NET - brought to you by sdesign1 - Umbraco specialists

This article will require knowledge of the ASP.NET platform and knowledge of the Umbraco CMS. You will also need server access to your files so you can change permissions.

To secure your installation:

First, give the correct permissions to your web.config file. This allows Umbraco to amend the contents of your web.config, which is how the package patches the security vulnerability.

Once you have gained access to your server, you need to add the correct Group and give full permissions.

  • Right click your web.config file
  • Click "Properties"
  • Click "Security"
  • Click "Add"
  • Enter "NETWORK SERVICE" underneath "Enter the object names to select"
  • Click "Check Names"
  • Click "Ok"
  • Click the checkbox next to "Full Control"
  • Click "Ok"

Now you have temporarily given full permissions to your NETWORK SERVICE user. Now it's time to install a package to automatically patch our Umbraco website.

  • Log into your Umbraco site via the backend (usually by going to yoursite.com/umbraco)
  • Go to "Developer"
  • Click "Packages"
  • Click "Umbraco package repository"
  • Click "Developer Tools"

Here you should see the "ASP.NET Security Vulnerability Patch"

  • Click "More Info and Download"
  • Continue to download the package and accept the license.
  • Once you install the package you should be informed that the fix was applied successfully. If you receive any errors, then you have not correctly applied permissions to your web.config file.

Once you are informed of the successful patch, you need to remove your permissions for NETWORK SERVICE on your web.config file. Simply:

  • Go back to your server
  • Right click your web.config file
  • Click "Properties"
  • Click "Security"
  • Click the "Network Service" user
  • Click "Remove" once selected
  • Click "Ok"

You have now removed the temporary NETWORK SERVICE permissions from your web.config file.
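
The grant and removal steps above can also be scripted, with a final check so the temporary Full Control entry is not left on web.config after patching. This is an added example, not part of the original article or the Umbraco package; the default path is an assumed placeholder, and the script is meant to be run from an elevated prompt on the web server.

```powershell
# Added example: scripted form of the temporary grant and later removal above.
# Assumption: the default $ConfigPath is a placeholder; pass your site's web.config.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Grant', 'Revoke', 'Check')]
    [string]$Action,
    [string]$ConfigPath = 'C:\inetpub\wwwroot\yoursite\web.config'
)

# Well-known SID of NETWORK SERVICE; using the SID avoids localized account names.
$sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-20'

$acl = Get-Acl -Path $ConfigPath

if ($Action -eq 'Grant') {
    # Same effect as ticking "Full Control" for NETWORK SERVICE in the Security tab.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $sid, 'FullControl', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ConfigPath -AclObject $acl
}
elseif ($Action -eq 'Revoke') {
    # Same effect as selecting the user and clicking "Remove": drops every
    # explicit entry for the account; inherited entries are left alone.
    $acl.PurgeAccessRules($sid)
    Set-Acl -Path $ConfigPath -AclObject $acl
}

# Every run ends by reporting what NETWORK SERVICE still holds explicitly on the file.
$left = (Get-Acl -Path $ConfigPath).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value }

if ($left) {
    $left | Select-Object IdentityReference, FileSystemRights, AccessControlType
    Write-Warning "NETWORK SERVICE has explicit rights on $ConfigPath; revoke after patching."
}
else {
    Write-Output "No explicit NETWORK SERVICE entries on $ConfigPath."
}
```

Run it with `-Action Grant` before installing the package, `-Action Revoke` afterwards, and `-Action Check` at any later time to confirm the entry is gone.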

404 Error Page

Despite Umbraco now being patched, you will find that your custom 404 error pages will not be working. A simple way around this is to locate the file: /umbraco/plugins/PoetPatcher/CustomError.aspx

Here you can change the error message visitors receive by editing the HTML document. You may wish to copy your site's HTML and CSS into this file and change the main text displayed in the body, so that it acts as a complete 404 page that keeps the look and feel of your website.

Custom 404

So you are saying that a custom 404 page can no longer be kept in the CMS?? //Garrett

404 page

Hi Garrett - this is correct - you need to enter your own code for your 404 page in the file: /umbraco/plugins/PoetPatcher/CustomError.aspx
