  • Tim 1193 posts 2655 karma points c-trib
    Sep 02, 2010 @ 10:59

    Major Security Issue!

    Hi,

    It's possible to access: /umbraco/robots-txt/editRobotsTxtFile.aspx without being logged into umbraco! This came up in a security test of one of our umbraco installations last week.

    I haven't had a chance to run reflector on it and check, but it looks like the page doesn't inherit from umbracoBasePage, which checks if you're logged in.

    Any chance of a fix ASAP?

  • Matt Brailsford 2958 posts 15629 karma points MVP 7x c-trib
    Sep 02, 2010 @ 11:04

    As a temp fix, could you not use web.config security to deny access to that folder?

    http://support.microsoft.com/kb/316871

    Matt
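As an added example of the temporary web.config lock-down Matt suggests (this is not code from the thread or from the robots-txt package), the `<location>` element below denies every request to the package's folder. The folder path is taken from the URL Tim reported; the rest of the site's web.config, including its existing `<authentication>` settings, is assumed to stay as it is, and the element is merged into the site's `<configuration>` root.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Added example, not from the thread or the package: temporary
       lock-down of the robots-txt package folder until the fixed
       package is installed. The path is taken from the URL reported
       in the thread and is relative to the site root. -->
  <location path="umbraco/robots-txt">
    <system.web>
      <authorization>
        <!-- "*" denies everyone, authenticated or anonymous. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two things worth knowing before relying on this. First, the rule uses `*` (everyone) rather than `?` (anonymous only) on purpose: ASP.NET URL authorization decides on the request's ASP.NET identity, and an Umbraco 4 backoffice login may not sign the user into ASP.NET forms authentication at all, so `deny users="?"` could either still let an anonymous request through after a login redirect or block legitimate editors, depending on how the site is configured. Denying everyone removes the guesswork at the cost of losing the robots.txt editor until the hotfix is in place. Second, URL authorization only runs for requests that ASP.NET handles; an `.aspx` page always is, so the reported URL is covered, but on an IIS classic pipeline static files in the same folder would not be. After deploying, request the editor URL anonymously and confirm you get a 401 or a redirect to the login page rather than the editor itself.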

  • Lee Kelleher 3945 posts 15163 karma points MVP 10x admin c-trib
    Sep 02, 2010 @ 11:07

    Hi Tim,

This has been fixed in the latest version (v3.0). If you need a hotfix for the previous version (v2.0), let me know.

    - Lee

  • Tim 1193 posts 2655 karma points c-trib
    Sep 02, 2010 @ 11:56

    Thanks Lee! I've dropped you an email via the link in your post.

    :)

  • Lee Kelleher 3945 posts 15163 karma points MVP 10x admin c-trib
    Sep 02, 2010 @ 13:15

    I have packaged up the hotfix, released as v2.0.1.
