Skip to content

Instantly share code, notes, and snippets.

@nul800sebastiaan
Last active March 21, 2020 08:21
Show Gist options
  • Save nul800sebastiaan/927dcf155439fcc867e97a4d8dda6e16 to your computer and use it in GitHub Desktop.
Save nul800sebastiaan/927dcf155439fcc867e97a4d8dda6e16 to your computer and use it in GitHub Desktop.
For v6 and v7 sites
using System.Web.Routing;
using Umbraco.Core;
namespace RemoveRoutes
{
public class RemoveRoutesStartupHandler : ApplicationEventHandler
{
protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
{
// Reference: https://github.com/umbraco/Umbraco-CMS/issues/5206
// Reference: https://shazwazza.com/post/need-to-remove-an-auto-routed-controller-in-umbraco/
// Note: RouteTable needs System.Web.dll
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-surface-UmbRegister"]);
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-surface-UmbProfile"]);
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-surface-UmbLogin"]);
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-surface-UmbLoginStatus"]);
RouteTable.Routes.Remove(RouteTable.Routes["umbraco-api-Tags"]);
}
}
}
@ronaldbarendse
Copy link

@emeraldium Whether it's mandatory depends on what agreements you have with clients/customers. It's however strongly advised to always patch security issues if you're impacted by it. The linked blog post explains this in a detailed way...

If you don't use members in both the front-end (login to website) and back-end (to restrict public access), the worst thing that can happen is your database flooding with new members. And having the TagsController API still available will publicly expose all tags. Nothing major in most cases, but it could result in a data/privacy breach depending on the site.

@rangler2
Copy link

rangler2 commented Aug 5, 2019

@jennywangCCS perhaps the easiest way to check the code is working is to browse to <yoursite>/umbraco/api/tags/GetAllTags
If the fix is not there, this will return XML (possibly empty if you have no tags like <ArrayOftag xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />)
If the fix is there, it will return 404 not found (or your custom 404 page).
(This information is in the description of umbraco/Umbraco-CMS#5206 so this comment is not exposing anything new)

@emeraldium
Copy link

Guys
can you simplify this issue for me (as i am no umbraco expert like you).
is this issue servility consider critical?
if we only use server requests to interact with umbraco is this resolution needed?
in case we need to implement this fix so we need to save the code above as fix.cs file and implement it at the App_Code folder even if it is do not exist?
thanks

@nul800sebastiaan
Copy link
Author

nul800sebastiaan commented Aug 5, 2019

@rangler2 - clearly that only tests if the fix for GetAllTags is applied, it doesn't test the other 4 routing updates.

@emeraldium

is this issue servility consider critical?

We posted the following information for you to consider how critical it is, we've marked it as high priority: https://umbraco.com/blog/security-advisory-july-30th-2019-patch-available/

if we only use server requests to interact with umbraco is this resolution needed?

If your server accepts public requests at all then you are affected. If your server requires authentication for each request you send to it then you are in a much better place, then it would not be possible for random people on the internet to abuse this vulnerability. You could still be vulnerable from people on the "internal" network.
So, in short: Anybody who can access the site can exploit the vulnerability.

in case we need to implement this fix so we need to save the code above as fix.cs file and implement it at the App_Code folder even if it is do not exist?

Yes, you can create an App_Code folder and put the above code in it, saving it to ~/App_Code/Fix.cs is perfectly fine.

@pkovac321
Copy link

pkovac321 commented Aug 6, 2019

I'm having some trouble running my visual studio debugger with the ApplicationStarted method.

I would expect to trace the routes being removed when I run a trace with my visual studio debugger and the solution first runs however, I can't see that happening.

I am using a customized global.asax with an OnApplicationStarted method to manage startup using IoC. Can I just remove the routes from the OnApplicationStarted method for my purposes or does it need to use the ApplicationEventHandler ApplicationStarted method used here?

@mkyukov
Copy link

mkyukov commented Aug 9, 2019

This code breaks any member login functionality (that is used out of the box) on sites. We had a site that had members managed from the backoffice and after implementing this patch the login no-longer worked. Solution was to keep UmbLogin and UmbLoginStatus enabled. After that we groomed all registered members to ensure that there are no shady registrations that we don't recognize.

My question is - can this backfire, should we be careful about anything related to those controllers? There's not much information regarding UmbLogin and UmbLoginStatus apart that they could be used to exploit the Registration security hole.

@nul800sebastiaan
Copy link
Author

@mkyukov - Indeed, it would break that. There's nothing all that harmful in the UmbLogin and UmbLoginStatus controllers, except if an attacker knows they exist then they could more easily try to perform a denial of service attack, especially for UmbLogin since each attempt will require some additional compute power. We added them to the list to be extra cautious mostly.

@SarikaRansubhe
Copy link

@nul800sebastiaan - Since we are having the same issue, Does your last comment means we are fine to keep UmbLogin and UmbLoginStatus enabled?

@SarikaRansubhe
Copy link

@nul800sebastiaan - Since we are having the same issue, Does your last comment means we are fine to keep UmbLogin and UmbLoginStatus enabled?

@nul800sebastiaan - Could you please advise on the question above, please?

@nul800sebastiaan
Copy link
Author

@SarikaRansubhe - the UmbLogin and UmbLoginStatus actions to the best of our knowledge can not cause harm. However, we added them here since they could be used in a DOS attack, expecially UmbLogin.

We recommend you remove those routes and implement your own logic for handling a login and showing the login status. If you're not worried about DOS attacks then you could leave these two action a is.

@bobi33
Copy link

bobi33 commented Mar 20, 2020

Hi, do we delete the .cs file from App_Data once we run the website on the public server, or does it stay in there?

@nul800sebastiaan
Copy link
Author

@bobi33 It has to stay in place.. it's the only thing protecting you if you do not upgrade to the latest version of Umbraco,

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment