  • Zac 223 posts 575 karma points
    Jun 06, 2017 @ 16:57
    0

    Umbraco login screen leaking version details

    We have discovered that the Umbraco login page is disclosing version information:

    <script type="text/javascript">
        var Umbraco = {};
        Umbraco.Sys = {};
        Umbraco.Sys.ServerVariables = {
            "umbracoUrls": {
                "authenticationApiBaseUrl": "/umbraco/backoffice/UmbracoApi/Authentication/",
                "serverVarsJs": "/umbraco/ServerVariables?umb__rnd=ffffffffc26f354f",
                "externalLoginsUrl": "/umbraco/ExternalLogin"
            },
            "umbracoSettings": {
                "allowPasswordReset": true,
                "loginBackgroundImage": "assets/img/installer.jpg"
            },
            "application": {
                "applicationPath": "/",
                "version": "7.6.2",
                "cdf": "70744435"
            },
            "isDebuggingEnabled" : true
        };       
    </script>
    

    Is there a way to remove this? We would like to prevent attackers from determining vulnerabilities.

  • Matt Barlow | jacker.io 164 posts 740 karma points c-trib
    Jun 07, 2017 @ 11:39
    2

    I would also question why this needs to be output on the login page.

    The first thing you should do is restrict access to the login page: place it on a subdomain, or restrict it by allowed IP.

    Anyway, I investigated this; the script is output in:

    Umbraco\Views\Default.cshtml

    which has an HTML helper method call:

    @Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })) 
    

    which is part of the Umbraco.Web class library. From the GitHub repo:

    https://github.com/umbraco/Umbraco-CMS/blob/9badb35c054ecc91630b69b1b6753c78427cb4a6/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs

    You can see that it gets the version number along with a load of other server variables and builds a script which it spits out onto the page.

    As a short term solution I tried commenting out the helper, and doing a string replace.

    @*@Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath }))*@
    
    @{ 
        // Value that will appear in place of the real version number.
        var replaceVersionNo = "0";
        // The installed Umbraco version; must match exactly what the helper emits.
        var umbracoVersion = "7.6.1";
        // Render the helper's script to a string and swap the version out before emitting it.
        var backofficeScript = Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })).ToString().Replace(umbracoVersion, replaceVersionNo);
        @Html.Raw(backofficeScript)
    }
    

    This replaced the version number with 0; obviously use the version number you have. It seems a bit hacky, but it does the job and I was still able to log in.

    <script type="text/javascript">
        var Umbraco = {};
        Umbraco.Sys = {};
        Umbraco.Sys.ServerVariables = {
            "umbracoUrls": {
                "authenticationApiBaseUrl": "/umbraco/backoffice/UmbracoApi/Authentication/",
                "serverVarsJs": "/umbraco/ServerVariables?umb__rnd=33cdb27a",
                "externalLoginsUrl": "/umbraco/ExternalLogin"
            },
            "umbracoSettings": {
                "allowPasswordReset": true,
                "loginBackgroundImage": ""
            },
            "application": {
                "applicationPath": "/",
                "version": "0",
                "cdf": "1963442378"
            },
            "isDebuggingEnabled" : true
        };
    </script>
    
  • Zac 223 posts 575 karma points
    Jun 07, 2017 @ 13:24
    101

    Thanks a lot Matt, really helpful. Interesting idea with the hack. Looks like it should be trivial to do a Regex replace to make it a little more robust to version number changes.

    We may not be able to do an IP restriction so sticking the back office on a subdomain is probably the best thing we can do.

    I dug a little more and it looks like the version number was added for cache busting purposes after a version upgrade:

    https://github.com/umbraco/Umbraco-CMS/commit/be0bacd895314500fd5c0a8e4a88e35c4451cd05

  • Jeremy Coulson 61 posts 143 karma points
    Jul 20, 2018 @ 15:37
    0

    Thanks for this answer! It's exactly what I needed.

    In case anyone comes by this thread in the future, here's one way to use regex to handle the version number:

    @{
        // Value that will appear in place of the real version number.
        var replaceVersionNo = "0";
        // Matches a dotted version such as 7.6 or 7.6.2 (two or three numeric parts).
        string rexPattern = @"\d+\.\d+\.*\d*";
        System.Text.RegularExpressions.Regex rex = new System.Text.RegularExpressions.Regex(rexPattern);
        // Render the helper's script to a string and replace the version wherever the pattern matches.
        var backofficeScript = rex.Replace(Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })).ToString(), replaceVersionNo);
        @Html.Raw(backofficeScript)
    }
    
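A variant of the replacement shown in Matt's and Jeremy's posts above, added here as an example (it is not code from this thread or from Umbraco itself). It differs in two ways: the regex is anchored on the "version" key, so it cannot rewrite any other dotted number that happens to appear in the script (which the bare \d+\.\d+\.*\d* pattern would), and, because the version was added for cache busting (the commit Zac links), the value is replaced with an opaque token that still changes on every upgrade rather than with a constant "0". Assumptions: the helper's output is the script shown in the posts above; a per-site secret is stored base64-encoded under an appSetting named loginPageVersionMaskKey (a name chosen here); and the back-office scripts only need the value to differ between versions, not to parse it, which a login test after the change should confirm.

```csharp
// Added example: masks the "version" entry emitted by
// Html.BareMinimumServerVariablesScript without touching anything else.
// Not part of Umbraco; the appSetting name below is an assumption.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

public static class VersionMasker
{
    // Matches   "version": "7.6.2"   with any whitespace around the colon and
    // any value. The key and closing quote are captured so they are re-emitted
    // unchanged; only the value between the quotes is replaced.
    private static readonly Regex VersionEntry = new Regex(
        "(?<key>\"version\"\\s*:\\s*\")(?<value>[^\"]*)(?<close>\")",
        RegexOptions.Compiled);

    // Returns the script with the version value replaced by an opaque token.
    // If no "version" entry is present the script is returned unchanged.
    public static string Mask(string script, byte[] secret)
    {
        if (script == null) throw new ArgumentNullException("script");
        if (secret == null || secret.Length < 16)
            throw new ArgumentException("secret must be at least 16 random bytes", "secret");

        return VersionEntry.Replace(script, m =>
            m.Groups["key"].Value
            + Token(m.Groups["value"].Value, secret)
            + m.Groups["close"].Value);
    }

    // Opaque token that is stable for a given version and secret, and changes
    // whenever the version changes, so cache busting keeps working after an
    // upgrade. First 8 bytes of HMAC-SHA256(secret, version) as hex; without
    // the secret the real version cannot be recovered from it.
    private static string Token(string version, byte[] secret)
    {
        using (var hmac = new HMACSHA256(secret))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(version));
            var sb = new StringBuilder(16);
            for (int i = 0; i < 8; i++) sb.Append(mac[i].ToString("x2"));
            return sb.ToString();
        }
    }
}

/*
   Usage in Umbraco\Views\Default.cshtml, in place of the original helper call.
   The appSetting name and the base64 encoding of the key are assumptions:

   @{
       var raw = Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })).ToString();
       var key = System.Convert.FromBase64String(System.Configuration.ConfigurationManager.AppSettings["loginPageVersionMaskKey"]);
       @Html.Raw(VersionMasker.Mask(raw, key))
   }

   Caveat: this removes one disclosure only. The rest of the script (cdf,
   isDebuggingEnabled, the back-office URLs) is still emitted, and restricting
   who can reach the login page at all, as Matt suggests, remains the real control.
*/
```

After deploying, load the login page unauthenticated and confirm that the "version" value in the emitted script is the hex token rather than the real version, then log in once to confirm the back office still works with the masked value.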
  • Zac 223 posts 575 karma points
    Jul 18, 2017 @ 14:29