Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
For v6 and v7 sites
using System.Web.Routing;
using Umbraco.Core;
namespace RemoveRoutes
{
public class RemoveRoutesStartupHandler : ApplicationEventHandler
{
protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
{
// Reference: https://github.com/umbraco/Umbraco-CMS/issues/5206
// Reference: https://shazwazza.com/post/need-to-remove-an-auto-routed-controller-in-umbraco/
// Note: RouteTable needs System.Web.dll
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-surface-UmbRegister"]);
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-surface-UmbProfile"]);
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-surface-UmbLogin"]);
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-surface-UmbLoginStatus"]);
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-api-Tags"]);
}
}
}
@jennywangCCS

This comment has been minimized.

Copy link

commented Jul 29, 2019

please advise how to test the code and to make sue it works.

thanks

@nul800sebastiaan

This comment has been minimized.

Copy link
Owner Author

commented Jul 30, 2019

@jennywangCCS - we don't want to post the code to perform a successful exploit here. The code published above has been verified by a third party to eliminate the security problem.

@nul800sebastiaan

This comment has been minimized.

Copy link
Owner Author

commented Jul 30, 2019

@nickzureus

This comment has been minimized.

Copy link

commented Jul 30, 2019

Please can you provide some detail on how this code can be deployed?

Thanks!

@yfayerman

This comment has been minimized.

Copy link

commented Jul 30, 2019

I believe "umbraco-surface-Tags" should be "umbraco-api-Tags".

@ronaldbarendse

This comment has been minimized.

Copy link

commented Jul 31, 2019

@nul800sebastiaan

This comment has been minimized.

Copy link
Owner Author

commented Jul 31, 2019

Argh.. copy-paste error! Yes, of course, updated to umbraco-api-Tags now!

@nul800sebastiaan

This comment has been minimized.

Copy link
Owner Author

commented Jul 31, 2019

@nickzureus The easiest way is to save the code as a .cs file and drop it into the App_Code folder of your sites (if App_Code doesn't exist yet, just create it in the root of your site.

You can also choose to compile this code into your other custom code in your site and do a regular deploy.

@emeraldium

This comment has been minimized.

Copy link

commented Aug 1, 2019

hi @nul800sebastiaan
if we do not have App_Code folder does that meens that we are vulnerable?
if this fix is a must what the file name should be?

thanks

@KurtKellens

This comment has been minimized.

Copy link

commented Aug 2, 2019

Hi @emeraldium,

The name of the class doesn't matter. Umbraco will load this file automatically.
More info concerning the ApplicationEventHandler

@emeraldium

This comment has been minimized.

Copy link

commented Aug 4, 2019

hi @KurtKellens
but this is a mandatory fix?
what exactly is members breach is?
if we do not allow external users to log into our umbraco but only backoffice users is this fix still apply?

thanks

@ronaldbarendse

This comment has been minimized.

Copy link

commented Aug 4, 2019

@emeraldium Whether it's mandatory depends on what agreements you have with clients/customers. It's however strongly advised to always patch security issues if you're impacted by it. The linked blog post explains this in a detailed way...

If you don't use members in both the front-end (login to website) and back-end (to restrict public access), the worst thing that can happen is your database flooding with new members. And having the TagsController API still available will publicly expose all tags. Nothing major in most cases, but it could result in a data/privacy breach depending on the site.

@rangler2

This comment has been minimized.

Copy link

commented Aug 5, 2019

@jennywangCCS perhaps the easiest way to check the code is working is to browse to <yoursite>/umbraco/api/tags/GetAllTags
If the fix is not there, this will return XML (possibly empty if you have no tags like <ArrayOftag xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />)
If the fix is there, it will return 404 not found (or your custom 404 page).
(This information is in the description of umbraco/Umbraco-CMS#5206 so this comment is not exposing anything new)

@emeraldium

This comment has been minimized.

Copy link

commented Aug 5, 2019

Guys
can you simplify this issue for me (as i am no umbraco expert like you).
is this issue servility consider critical?
if we only use server requests to interact with umbraco is this resolution needed?
in case we need to implement this fix so we need to save the code above as fix.cs file and implement it at the App_Code folder even if it is do not exist?
thanks

@nul800sebastiaan

This comment has been minimized.

Copy link
Owner Author

commented Aug 5, 2019

@rangler2 - clearly that only tests if the fix for GetAllTags is applied, it doesn't test the other 4 routing updates.

@emeraldium

is this issue servility consider critical?

We posted the following information for you to consider how critical it is, we've marked it as high priority: https://umbraco.com/blog/security-advisory-july-30th-2019-patch-available/

if we only use server requests to interact with umbraco is this resolution needed?

If your server accepts public requests at all then you are affected. If your server requires authentication for each request you send to it then you are in a much better place, then it would not be possible for random people on the internet to abuse this vulnerability. You could still be vulnerable from people on the "internal" network.
So, in short: Anybody who can access the site can exploit the vulnerability.

in case we need to implement this fix so we need to save the code above as fix.cs file and implement it at the App_Code folder even if it is do not exist?

Yes, you can create an App_Code folder and put the above code in it, saving it to ~/App_Code/Fix.cs is perfectly fine.

@pkovac321

This comment has been minimized.

Copy link

commented Aug 6, 2019

I'm having some trouble running my visual studio debugger with the ApplicationStarted method.

I would expect to trace the routes being removed when I run a trace with my visual studio debugger and the solution first runs however, I can't see that happening.

I am using a customized global.asax with an OnApplicationStarted method to manage startup using IoC. Do I have to configure the ApplicationEventHandler in my case? All the documentation I have found seems to mention the ApplicationStarted method (from the fix) being triggered by default, but I can't confirm that by debugging. Can I just remove the routes from the OnApplicationStarted method for my purposes or does it need to use the ApplicationEventHandler ApplicationStarted method used here?

@mkyukov

This comment has been minimized.

Copy link

commented Aug 9, 2019

This code breaks any member login functionality (that is used out of the box) on sites. We had a site that had members managed from the backoffice and after implementing this patch the login no-longer worked. Solution was to keep UmbLogin and UmbLoginStatus enabled. After that we groomed all registered members to ensure that there are no shady registrations that we don't recognize.

My question is - can this backfire, should we be careful about anything related to those controllers? There's not much information regarding UmbLogin and UmbLoginStatus apart that they could be used to exploit the Registration security hole.

@nul800sebastiaan

This comment has been minimized.

Copy link
Owner Author

commented Aug 9, 2019

@mkyukov - Indeed, it would break that. There's nothing all that harmful in the UmbLogin and UmbLoginStatus controllers, except if an attacker knows they exist then they could more easily try to perform a denial of service attack, especially for UmbLogin since each attempt will require some additional compute power. We added them to the list to be extra cautious mostly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.