  • andrew shearer 506 posts 652 karma points
    Aug 18, 2017 @ 07:42
    andrew shearer
    0

    how to disable backoffice properly in authoring and public website architecture?

    Our Umbraco website is architected such that there are 2 instances: a public website without the Umbraco backoffice UI, and an Umbraco backoffice authoring website behind a firewall (so that it’s not publicly accessible). This is achieved with Octopus deployment to tailor the artifacts needed for each instance (Umbraco and Umbraco_Client folders, or not), and also we set the instance role in code to either AuthoringServerRegistrar or PublicReadOnlyServerRegistrar as per “flexible load balancing”: https://our.umbraco.org/documentation/Getting-Started/Setup/Server-Setup/load-balancing/flexible-advanced

    A security audit has identified that the Umbraco endpoints are still accessible on the public instance, i.e. '/umbraco/backoffice/' and '/umbraco/backoffice/UmbracoApi/Authentication/PostLogin'.

    My question is does this mean there is a vulnerability here that would allow a malicious user to perform backoffice functionality (if they had credentials)? Is there a way to ‘disable’ the Umbraco url endpoints on the public instance? (or another strategy to achieve the goal of preventing the publishing functionality being available via the public website)

    Thanks

    Andrew
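One defensive option for the public (read-only) instance, given here as an added example that is not part of the post or of Umbraco's own documentation: an IIS URL Rewrite rule in that instance's web.config that answers 404 for the backoffice UI and its API before the request reaches Umbraco, while leaving the `/umbraco/surface/` and `/umbraco/api/` routes a public site may legitimately use untouched. It assumes the IIS URL Rewrite module is installed and the default `umbraco` path is in use.

```xml
<!-- Added example for the public instance's web.config (not from the post).
     Assumes the IIS URL Rewrite module is installed and Umbraco runs under the
     default /umbraco path. The pattern is scoped on purpose: it matches
     /umbraco, /umbraco/ and anything under /umbraco/backoffice/ (including the
     PostLogin endpoint named in the audit) but NOT /umbraco/surface/... or
     /umbraco/api/..., which front-end forms and Web API controllers may need.
     The authoring instance behind the firewall does not carry this rule. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Deny Umbraco backoffice on public role" stopProcessing="true">
          <!-- URL Rewrite matches the path without its leading slash, case-insensitively. -->
          <match url="^umbraco(/backoffice(/.*)?)?/?$" />
          <!-- Return a plain 404 rather than a redirect, so the endpoint's existence
               is not confirmed and no Umbraco code runs for the request. -->
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found" statusDescription="Not Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, confirm on the public host that `/umbraco/backoffice/` and the PostLogin path return 404 while the site's own surface and API routes still respond, and add the same check to the audit's re-test.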
