Security patch recommended for all versions of Orchard

Background

A non-persistent XSS vulnerability has been discovered by Tatsuya Sekiguchi of Hitachi Systems, Ltd. in the Orchard.Comments module that is distributed with the core distribution of the CMS. The module could in some circumstances let an external website render custom scripts on an Orchard website. This vulnerability might ultimately be used to gather your credentials if you further authenticate on the targeted Orchard website.

All released versions of Orchard are vulnerable and need to be patched immediately.

We are releasing today (April 30, 2013) a new version 1.6.1 of Orchard 1.6 that has the patch in place. This new version is replacing the previously available download. If you are downloading Orchard 1.6.1 today, you do not need to take any additional steps. The latest 1.x development branch is already patched as well. We are also releasing patch files for each version of Orchard from 1.0 to 1.6 that can be applied to existing web sites.

Mitigation

  • If you don't use the Comments module in Orchard, you can simply disable it in the Modules section of the Dashboard.
  • If your theme doesn't render the Messages zone, you are also safe, even if the Comments module is activated.

Action Required

Apply the patch for your version, update to Orchard 1.6.1, or update to the latest 1.x.

Orchard 1.6.1: https://orchard.codeplex.com/releases/view/90325

For older versions of Orchard, we are releasing patch files that can be applied on top of a running instance of Orchard. The archive for each of these patches contains a Modules folder that has the right structure to be copied into the root directory of an Orchard site. If you are using a source version, you need to copy the contents of the zip file into src/Orchard.Web.