When deploying Umbraco into a new environment (a UAT, a production, etc) everyone has a check list that the tick off against. This will cover items like:
- Modifying the web.config to use the right connection string/ smtp/ etc
- Setting the permissions on the file system
- Remove the Install folder
- And so on
Remove the Install folder, huh? To be honest this is a step I often forget, the Install folder tends to float around like a bad smell simply cuz no one has gotten around to removing it, but it can't be that bad... can it?
Well yes, yes it can. First off, anyone clued in enough can get to your site and then go to /install/Default.aspx and run through the installer! Yeah, I'm sure you want that done...
Or if you've got a really mallicious person they can start playing around with the installStep query string parameter.
The installStep query string parameter has this really nice feature, you provide it the path to an ASCX so it can load that into the installer. The idea is so you can quickly jump to the appropriate step, the down side is it allows you to jump to any ASCX on the site.
Just for fun try this on your site:
Well that just aint right now is it...
So I decided to see what else you can do, well for starters you've got:
See where I'm going with this, yep, you can bring up the create content window! Now we're getting dangerous.
If you've been like a lot of lazy dev's and not set up a 500-error page you'll see a lovely yellow error with a stack trace showing you just why the parse failed, looks like we missed a query string parameter.
Anyone with access to the Umbraco source code (it's open source, so that's like... everyone) can then work out what went wrong, turns out we need a query strong nodeId, so lets try again:
/install/Default.aspx?installStep=../../umbraco/create/content&nodeId=<some node id>
Well what do you know, I can create a page...
Obviously a random hacker will be slowed down by the fact that you need to actually know a node ID, but that's not hard to work out, trial and error will get you there eventually.
I tried this on a handful of Umbraco sites I know of (including some very high profile companies sites) and found this working on all but 1 of them.
Moral of the story?
Delete the bloody Install folder before going live!