Security patch recommended for all versions of Orchard

Background

A [CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet) vulnerability has been discovered by Adrian Pastor, MINERVA Information Security Inc., in the Users module that is distributed with the core distribution of the CMS.

The issue allows mass-disabling of Orchard logins by tricking an administrator into visiting a site containing a specially crafted script while logged in. Mass-approving the creation of user logins was also affected.

However, the currently logged in user account is not affected by the attack.

The latest released versions of Orchard (1.9 and 1.8.2) are immune to this vulnerability.

Action Required

  • Apply the patch for your version

  • Or update to Orchard 1.8.2

  • Or update to Orchard 1.9

For older versions of Orchard, we are releasing a patch file that can be applied on top of a running instance of Orchard.

The archive for each of these patches contains a Modules folder that has the right structure to be copied into the root directory of an Orchard site.

If you are using a source version, you need to copy the contents of the zip file into src/Orchard.Web.

You can find patches for all other previous versions here: https://github.com/OrchardCMS/Orchard/releases/tag/patch-20150519
