• Critical forms issue: form submissions publicly available

    Description: In pre-4.7 versions of Episerver Forms it is possible for form submissions to be accessible to all front-end users. End users may find confidential form data in search results, so steps should be taken to avoid this.
    Resolution: Update your Episerver.Forms NuGet package to at least 4.7.0.

  • Magic Number And Signature Audit For File Upload Security

    Description: Episerver has out-of-the-box field validation for file type, file size, and number of files uploaded, but it does not have magic number/signature auditing. This article contains recommendations for additional magic number file upload security.
    Resolution: Process application requests in the global.asax and validate the request for upload at that time. The supported file extensions in Episerver can be seen here. Find a database of signature codes (that is up-to-date) and build a d...

  • How To Set EPiServerLogin Cookie Secure Flag

    Description: This article describes the step needed to set the secure flag on the EPiServer login cookie.
    Resolution: Setting "requireSSL" on the EPiServer login form in the web.config resolves the issue.

        <forms name=".EPiServerLogin" loginUrl="Util/login.aspx" timeout="120" defaultUrl="~/" requireSSL="true" />