ASP.NET Security Vulnerability Patch

A security hole has been uncovered in the platform umbraco is based on (full details here: http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx). This means that your website can potentially be compromised. We therefore strongly recommend that you install this package to check if your site is open to the vulnerability and to apply the recommended workaround.

The package will check for the following vulnerability types:

• customErrors element not found in web.config
• mode attribute on customErrors element not found
• mode attribute on customErrors element set to 'Off'
• different error pages for different error codes
• defaultRedirect attribute on customErrors element not found
• defaultRedirect attribute on customErrors element not set

If a vulnerability has been detected the user can choose to perform the fix.

This package has been tested on

• Umbraco v4.5.2 .net 4.0
• Umbraco v4.5.2 .net 3.5
• Umbraco v4.0.4.2 .net 2
• Umbraco v4.0.4.2 .net 3.5

--------------------------------------------------------------------------------------------------------------------------------------------

Version 1.1 of the package also updates the /config/404handlers.config and replaces the default 404 handler with one that always redirects to the custom error page. So after applying the patch it won't be possible to setup custom error pages in the /config/umbracoSettings.config.

If you already installed version 1 then it's possible to install the latest version again, this will then just update the /config/404handlers.config file.

--------------------------------------------------------------------------------------------------------------------------------------------

If it's not possible to install the package or the package installation fails please follow the directions in the guide below to update your website or hand them to your IT department who can perform the upgrade as well.