Umbraco CMS local file inclusion

Description

Umbraco CMS includes a ClientDependency package that is vulnerable to local file inclusion (LFI) in the default installation. The ClientDependency package, used by Umbraco, exposes the "DependencyHandler.axd" file in the root of the website. This file is used to combine and minify CSS and JavaScript files, which are supplied as a base64-encoded string.
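
For reviewing web server logs, the following added example (not part of the original advisory or of Umbraco's code) decodes the base64 string in requests to DependencyHandler.axd and reports any requested file that is not CSS or JavaScript. It assumes the string arrives in a query parameter named `s` and that paths are separated by `;`; the sample URLs are constructed.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

ALLOWED_EXT = (".css", ".js")        # the handler is only meant to serve these
HANDLER = "/dependencyhandler.axd"

def decode_paths(token):
    """Decode the base64 string into the list of requested file paths."""
    token = token.replace(" ", "+")          # '+' is turned into a space by URL decoding
    token += "=" * (-len(token) % 4)         # restore padding if it was stripped
    raw = base64.b64decode(token, validate=True)
    return [p for p in raw.decode("utf-8").split(";") if p]  # assumption: ';' separator

def suspicious_paths(url):
    """Return decoded paths in a handler request that are not plain CSS/JS files."""
    parts = urlsplit(url)
    if not parts.path.lower().startswith(HANDLER):
        return []
    flagged = []
    for token in parse_qs(parts.query).get("s", []):   # assumption: parameter name 's'
        try:
            paths = decode_paths(token)
        except (binascii.Error, UnicodeDecodeError):
            flagged.append("<undecodable>")            # malformed input deserves a look too
            continue
        for p in paths:
            clean = p.split("?", 1)[0].lower()
            if ".." in clean or not clean.endswith(ALLOWED_EXT):
                flagged.append(p)
    return flagged

def _enc(paths):
    """Build the base64 string for a constructed sample request."""
    return base64.b64encode(";".join(paths).encode()).decode()

SAMPLE_URLS = [  # constructed examples, not real traffic
    "/DependencyHandler.axd?s=" + _enc(["/css/site.css", "/css/print.css"]),
    "/DependencyHandler.axd?s=" + _enc(["/scripts/app.js", "/example/notes.txt"]),
    "/DependencyHandler.axd?s=!!!!",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        hits = suspicious_paths(url)
        print("FLAG" if hits else "ok  ", url, hits)
```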

Remediation

The Umbraco team have released a fixed version of the ClientDependency package. For more information, consult the Umbraco security advisory listed in the web references.

References