Cybersecurity firm Trustwave has uncovered a security vulnerability in the well-known website CMS Umbraco. In a blog post published on its website, Trustwave researchers outlined details of a privilege escalation issue that allows lower-privileged users to elevate themselves to the status of administrator.
The problem lies in an API endpoint that does not adequately check the user's authorization before returning results from the application's logging section.
In the CMS, higher-privileged users, i.e. administrators, are able to view log data in the administrative UI, which includes any information written to the application logs. To test the risk of any of this data being leaked, the administrator creates a lower-privileged user who is placed into the Writers group. This means the low-privileged user can only view the content tab, indicating the intent of limiting what Writers can do or see within the application.
The low-privileged user then authenticates to the application and is provided with the necessary cookies and headers to access it; these identifiers then allow the low-privileged user to reach the API endpoint, which returns log data that should only be accessible to the administrator.
Trustwave explained that the reason for this is that, in Umbraco.Web.dll, the LogViewerController class uses no granular authorization attributes on its exposed endpoints, meaning several endpoints are accessible to lower-privileged users.
Jonathan Yarema, managing consultant, SpiderLabs at Trustwave, commented in the blog: “Conversely, there are other areas which do secure resources such as the UsersController, wherein some methods are explicitly restricted to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise be granted permission to the controller (“[UmbracoApplicationAuthorize]”). A similar approach should be used for the LogViewerController to restrict unauthorized access to its data.”
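The weakness described above is a missing declarative authorization filter on a Web API controller. The following is an added example, not code from Trustwave or from the Umbraco project: it shows the unprotected pattern beside the hardened one and a small reflection-based audit that lists every API action reachable without an authorization filter, which is the check a team could run over its own assemblies to catch a LogViewerController-style gap before release. It assumes the Microsoft.AspNet.WebApi.Core package (System.Web.Http); the two controllers are constructed stand-ins, and the stock AuthorizeAttribute is used in place of Umbraco's own [AdminUsersAuthorize] and [UmbracoApplicationAuthorize] attributes, which derive from the same Web API filter base.

```csharp
// Added example (not Trustwave's or Umbraco's code). Assumes the Microsoft.AspNet.WebApi.Core
// package (System.Web.Http). The two controllers below are constructed stand-ins for the
// pattern the article describes; the real Umbraco attributes [AdminUsersAuthorize] and
// [UmbracoApplicationAuthorize] are represented here by the stock AuthorizeAttribute.
using System;
using System.Linq;
using System.Reflection;
using System.Web.Http;
using System.Web.Http.Filters;

// The pattern the article describes as vulnerable: an API controller with no authorization
// attribute at class or action level, so any authenticated back-office user can call it.
public class UnprotectedLogViewerController : ApiController
{
    [HttpGet]
    public IHttpActionResult GetLogs() => Ok("log entries");
}

// Hardened pattern: authorization is enforced declaratively. The class-level attribute covers
// every action, and the action-level one narrows the role for the sensitive log data.
[Authorize]
public class ProtectedLogViewerController : ApiController
{
    [HttpGet]
    [Authorize(Roles = "Administrators")]  // stand-in for Umbraco's [AdminUsersAuthorize]
    public IHttpActionResult GetLogs() => Ok("log entries");
}

public static class AuthorizationAudit
{
    // True if the type or method carries any Web API authorization filter. AuthorizeAttribute
    // (and the Umbraco attributes built on it) implement IAuthorizationFilter, so one test covers both.
    static bool HasAuthorizationFilter(MemberInfo member) =>
        member.GetCustomAttributes(inherit: true).Any(a => a is IAuthorizationFilter);

    // Returns "Controller.Action" names that can be reached without passing an authorization filter.
    public static string[] FindUnprotectedActions(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => typeof(ApiController).IsAssignableFrom(t) && !t.IsAbstract);

        return controllers
            .Where(c => !HasAuthorizationFilter(c))                       // no class-level filter
            .SelectMany(c => c
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName)                              // skip property accessors
                .Where(m => !HasAuthorizationFilter(m))                    // no action-level filter
                .Select(m => $"{c.Name}.{m.Name}"))
            .ToArray();
    }

    public static void Main()
    {
        // Scan the assembly this audit lives in; in practice point it at the application's
        // controller assembly (for Umbraco 8, the article names Umbraco.Web.dll).
        foreach (var action in FindUnprotectedActions(typeof(AuthorizationAudit).Assembly))
            Console.WriteLine($"UNPROTECTED: {action}");
    }
}
```

DeclaredOnly keeps ApiController's own public members (Dispose, ExecuteAsync) out of the report, and the inherit flag on GetCustomAttributes means a filter placed on a base controller class still counts. The audit is deliberately conservative: an action it lists may still be protected by a globally registered filter or by checks inside the method body, so each finding needs a manual look, but a controller that returns sensitive data and appears in this list with no such compensating control is exactly the condition the article describes.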
The issue has been observed in Umbraco versions 8.9 and 8.6.3.
Some parts of this post are sourced from: