20 Nov 2018 - Ian Lebbern

Three reasons your umbraco installation is insecure

Content Management Systems (CMS) serve an excellent purpose. Content is key to any holistic marketing strategy. Your company needs curated content, targeted toward your marketing goals, whether those goals are SEO, awareness, advertising, recruiting or all of the above.

A CMS like Umbraco helps to reduce the overhead by taking away the pain of building a complex system with which to administer and write content. You can concentrate on creating great content while Umbraco gives you the tools to manage it.

However, as is the case with many such products, a poor installation of Umbraco will leave your content a sitting duck for attackers. If an attacker gets into your CMS, they can deface your site and damage your brand. If you store more sensitive information or collect your visitors’ data, such as with an opt-in form, an attacker could hurt your customers as well.

You may think that a tool like Umbraco is a “set it and forget it” kind of tool. But it’s not. Here are three reasons your Umbraco installation could be open to attack.

Three Reasons Your Umbraco Installation Is Insecure

Your /umbraco/ Path Is Open to the World

In a standard installation, the Umbraco folder holds the crown jewels of your application. It also holds the login for administrators who need to take care of your site. Typically, you’ll type in your domain name followed by /umbraco/ to get to the login page. For example, www.example.com/umbraco/.

If you’re not careful, this path could be open to the Internet in your production instance of Umbraco. This has two implications. First, an attacker could access your login page and try to brute-force their way into your site. If you set weak passwords, or if you have disabled Umbraco’s lockout functionality, you’re in for a world of hurt.

Second, an attacker could use the login page to fingerprint your Umbraco instance. Different versions of Umbraco have slightly different login pages. The attacker will then know better how to attack your site if he knows your version. More on that in a sec.

To fix this problem, you have two options. First, you could use an IISRewrite.config file to only allow certain IP addresses to access the Umbraco folder. This will return a 403 Forbidden to anyone trying to access the folder. An even better solution is to rename the Umbraco folder in production to something else. Doesn’t really matter what. You should still protect that folder with IISRewrite.config rules, but at least when an attacker tries to find /umbraco/ on your site a 404 error is returned instead of a 403. Thus no extra information is provided that may entice an attacker to keep digging.

Caution is needed when renaming the folder. Renaming the Umbraco folder isn’t currently supported on Umbraco Cloud. Also, not all packages will keep working after renaming this folder. If you can’t rename the folder, then make sure the IISRewrite.config rules are set up so no unauthorized IPs can get access to the login form and try to brute force their way in.

Your Umbraco Instance is Not Patched

If an attacker is able to fingerprint your site and determine the version of Umbraco you’re using, he could then find specific exploits for your version of the software and use them to attack your site.

The information about known vulnerabilities is available publicly at Umbraco’s Security page. Below is a section of the page.

[Screenshot: the Security Alerts section of Umbraco’s Security page]

Notice the security bulletins with version numbers called out. These vulnerabilities are also listed in the public CVE database which attackers frequent to find ways to attack unpatched software.

We in the security industry sometimes sound like a broken record, but that’s because the threat is real and it’s dangerous. Make sure your Umbraco instance is patched!

You Don’t Have CSRF Protection Turned On

Cross-Site Request Forgery (CSRF) is an attack that allows a bad guy to force users to execute actions they didn’t intend to execute. If a user is authenticated to a website, an attacker can send a request on the user’s behalf without the user even knowing.

The defense against CSRF is well-known and available in Umbraco. The trick is that it’s not turned on by default. Earlier versions of the Umbraco forms plugin did not have CSRF protection and thus it’s not turned on by default for backwards compatibility and upgrade reasons.

Without this protection turned on, an attacker could use a logged-in administrator’s session to add malicious content to your site: for example, a new page containing a malicious link, or a Cross-Site Scripting payload.

To protect against this vulnerability, be sure to set the EnableAntiForgeryToken configuration parameter to True. You’ll find this in the /App_Plugins/UmbracoForms/UmbracoForms.config file in your installation path.

When you do this, you’ll have to add the @Html.AntiForgeryToken() to your forms. Check out the docs for more details.

Honorable Mentions

Here are a couple of other tips to help you keep your Umbraco installation secure.

Folder Permissions

The Umbraco folder isn’t the only folder you need to protect. Don’t forget to write IISRewrite.config rules to forbid access to /App_Plugins/, /Umbraco_client/, and /Config/ as well. These folders could be used to do some damage if left unprotected. For example, an unprotected App_Plugins folder can be crawled and used to find out what specific version of Umbraco you’re running. This knowledge in the wrong hands can be used to attack you, as we’ve discussed above.
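Here is what the rules described above (restricting the renamed backoffice folder to trusted IPs) and in this section (forbidding the support folders) look like as IIS URL Rewrite rules. This is an added example, not code from the original post or from Umbraco: the renamed folder name backoffice-a1b2 and the two IP addresses are placeholders, and the rules belong in web.config or in the separate file your web.config’s configSource points at (the IISRewrite.config mentioned above).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post. Assumes the backoffice folder has
     been renamed to "backoffice-a1b2" (hypothetical) and that the two addresses
     below (RFC 5737 documentation ranges) are your office and VPN egress IPs.
     Rule order matters: the allow rule must come before the forbid rule. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Allow protected folders from trusted IPs" stopProcessing="true">
          <!-- Renamed backoffice plus the support folders from Honorable Mentions.
               umbraco_client and App_Plugins serve the backoffice UI itself, so
               they must stay reachable from the same trusted addresses. -->
          <match url="^(backoffice-a1b2|umbraco_client|app_plugins|config)(/.*)?$"
                 ignoreCase="true" />
          <conditions logicalGrouping="MatchAny">
            <add input="{REMOTE_ADDR}" pattern="^203\.0\.113\.10$" />
            <add input="{REMOTE_ADDR}" pattern="^198\.51\.100\.[0-9]{1,3}$" />
          </conditions>
          <!-- Matched and trusted: stop here and let IIS serve the request. -->
          <action type="None" />
        </rule>
        <rule name="Forbid protected folders from everywhere else" stopProcessing="true">
          <match url="^(backoffice-a1b2|umbraco_client|app_plugins|config)(/.*)?$"
                 ignoreCase="true" />
          <!-- Untrusted source: 403 as the post describes. The old /umbraco/ path
               no longer exists after the rename, so it returns a plain 404 by itself. -->
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Access denied" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Behind a CDN or load balancer {REMOTE_ADDR} is the proxy’s address, so the conditions need to be adapted to however your proxy passes the real client IP. Check first whether any public page loads assets from /App_Plugins/ (Umbraco Forms, for instance, serves its front-end scripts and styles from there) and exempt those paths, or your visitors will get 403s.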

In production, only give your website write access to /App_Data/ and /Media/ folders. All other folders Umbraco uses should be given only read access in production.

Editable Form Submissions

Umbraco has an option to allow editable form submissions. With this option turned on, you can retrieve and edit form submissions that have already occurred. To use this feature, add ?recordId=GUID to the URL of the page containing the form that was submitted.

This obviously has major security implications. If someone obtains the GUID of a form submission, they can change the values of the inputs after the form has been submitted; because the existing record is edited in place rather than a new submission being created, admins may not see the changes right away. Don’t use this feature unless you have no other option to solve the problem you’re trying to solve (though I can’t think of any this would be worth doing for).

Use Your CMS Wisely

Tools like Umbraco are very useful. They allow you to concentrate on running your business without the headaches of extra development bogging you down.

Just make sure you use them wisely. Don’t allow default behavior to make your site insecure. Instead, pay attention to the tips we discussed and keep your installation safe so it can do its job without adding a headache to yours. Or, schedule a consultation with our team of professionals at Engine Room to help you!