Hi there,
since I’m not a security expert, even checking the Microsoft Security Bulletin MS14-059 – Important doesn’t really make me understand
what kind of risk my MVC websites have…
I mean reading the article it seems that an attacker can gain some access only using some phishing attacks or making a user click a "specially crafted link", but
it’s not clear if this affects ALL MVC websites or only the ones that have a backend/authentication. What about the backend: is only the standard MVC one (Simple Membership) affected, or would e.g. an
Umbraco CMS backend (see my question in the umbraco blog) be affected as well?
In order for an attacker to harm a website, must the user already be logged in or
perform a login after clicking the "specially crafted link"? I guess so, else an attacker could generate a link and click it himself…
I have some websites without any backend. Just simple websites with a controller and some views.
Are those websites affected by this vulnerability?
For precaution I’m updating all my websites containing the package Microsoft.AspNet.Mvc (which contains the vulnerable System.Web.Mvc.dll) to the fixed version.
E.g. for my MVC 4 website, via NuGet:
Update-Package Microsoft.AspNet.Mvc -Version 4.0.40804.0
(for other versions, find the fixed
Microsoft.AspNet.Mvc on NuGet: e.g. for MVC 5 it would be 5.0.2, for MVC 5.1 it would be 5.1.3 etc.)
Anyway, I’d like to know about the authentication. Umbraco has Simple Membership turned off and is using UmbracoMembershipProvider.
Thank you for letting me know.
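The post above lists the fixed Microsoft.AspNet.Mvc package versions for three release lines (4.0.40804.0, 5.0.2, 5.1.3) and updates each site by hand. The following is an added example, not code from the post or from Microsoft/Umbraco: a small script that reads a project's packages.config and reports whether the installed Microsoft.AspNet.Mvc package is at or above the fixed version for its line. The fixed-version table contains only the versions the post names; any other line is reported as "unknown" rather than guessed. The packages.config contents are constructed samples, and the function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET

# Fixed package versions named in the post, keyed by (major, minor) release line.
# Lines not listed here (e.g. 5.2) are reported as "unknown": look them up on NuGet.
FIXED_VERSIONS = {
    (4, 0): "4.0.40804.0",
    (5, 0): "5.0.2",
    (5, 1): "5.1.3",
}

PACKAGE_ID = "Microsoft.AspNet.Mvc"


def parse_version(text):
    """Turn '4.0.40804.0' into a tuple of ints so versions compare numerically.
    A NuGet prerelease suffix such as '-rc1' is dropped before comparing."""
    return tuple(int(part) for part in text.split("-")[0].split("."))


def version_at_least(installed, fixed):
    """True if the installed version is >= the fixed version, padding shorter
    tuples with zeros so '5.0.2' and '5.0.2.0' compare as equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_packages_config(xml_text):
    """Return [(installed_version, status)] for each Microsoft.AspNet.Mvc entry.
    status is 'patched', 'vulnerable' or 'unknown' (line not covered by the post)."""
    root = ET.fromstring(xml_text)
    results = []
    for pkg in root.iter("package"):
        if pkg.get("id") != PACKAGE_ID:
            continue
        installed = pkg.get("version")
        line = parse_version(installed)[:2]
        fixed = FIXED_VERSIONS.get(line)
        if fixed is None:
            status = "unknown"
        elif version_at_least(installed, fixed):
            status = "patched"
        else:
            status = "vulnerable"
        results.append((installed, status))
    return results


# Constructed sample packages.config files (not taken from any real project).
SAMPLE_VULNERABLE = """<packages>
  <package id="Microsoft.AspNet.Mvc" version="4.0.30506.0" targetFramework="net45" />
  <package id="Microsoft.AspNet.Razor" version="2.0.30506.0" targetFramework="net45" />
</packages>"""

SAMPLE_PATCHED = """<packages>
  <package id="Microsoft.AspNet.Mvc" version="5.1.3" targetFramework="net45" />
</packages>"""

if __name__ == "__main__":
    for name, config in (("vulnerable sample", SAMPLE_VULNERABLE),
                         ("patched sample", SAMPLE_PATCHED)):
        for installed, status in check_packages_config(config):
            print(f"{name}: {PACKAGE_ID} {installed} -> {status}")
```

Run it against each project's packages.config before and after the Update-Package step to confirm the new version actually landed; a site whose MVC line is not in the table still needs the fixed version looked up on NuGet, as the post says.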
It means an attacker could execute requests as the current user. If the current user can do nothing on the website that an anonymous user can do then there is nothing to worry about. If you need to be logged in to access certain pages, use certain actions
etc, then the attacker could make those actions happen using the parameters the hacker chooses in the context of the user who has clicked the "crafted link". So if there is a "/data/delete/1" action that deletes item 1 from your system, but you need to be
logged in to run it, then a hacker could make you visit a link that executes /data/delete/1234 and that would run as you have access to that action. So if your site has no secure areas or pages then there isn’t anything to worry about.
Thank you AidyF,
even Umbraco recommended upgrading the dll.
Cheers