U4-9970 - Should /umbraco/localizedtext be public?

Created by Jeffrey Schoemaker 30 May 2017, 15:14:56 Updated by Sebastiaan Janssen 31 May 2017, 08:57:53

I'm wondering whether this API-call should be public available and disclosed. If you for example go to https://umbraco.com/umbraco/localizedtext you can check all keys. There's not really any harm to that, but you could probably figure out which minor version of Umbraco is using depending on all keys that are available.

The reason the key is public is probably because the logon-screen needs those keys...

If you see no harm in this, you could just close this issue



Sebastiaan Janssen 31 May 2017, 08:57:48

Hmm, and also: /Umbraco/Config/lang/en.xml Plus all the other languages in there, which will vary more for patch versions. Plus all the other js/xml/html files in the Umbraco folders that will change for most versions. Plus the login screen changes for all minor versions.

I think if people are this worried about version disclosure they should definitely add extra authentication before you can get to the backoffice URL! I'll close it as we're not overly worried about this right now. :)

Priority: Minor

Type: Bug

State: Closed


Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.6.1

Due in version:


Story Points: