Experts discovered a privilege escalation issue in popular Umbraco CMS

Experts discovered a vulnerability in the popular CMS Umbraco that could allow low privileged users to escalate privileges to “admin.”

Security experts from Trustwave have discovered a privilege escalation vulnerability in the popular website CMS, Umbraco.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

The vulnerability affects an API endpoint that fails to properly check the user’s authorization prior to returning results found to the application’s logging section.

“Umbraco version 8.9.0 (also seen in 8.6.3) has a privilege escalation issue in the core administrative screens which allows a low privileged user to access various resources otherwise limited to higher privileged users.” reads the post published by Trustwave. “The issue exists in an API endpoint that does not properly check the user’s authorization prior to returning results found in the application’s logging section.”

Experts discovered a privilege escalation issue in popular Umbraco CMS

Users with higher privileges (i.e. Administrator) has the ability to view log data in the administrative UI.

The log data include information inserted into the application logs per configuration or generated by custom exception handling routines. 

Experts demonstrated the existence of the flaw using an Administrator user to create a lower privileged user and placed it in the Writers group, which has limited access to the application. 

The new user can only view the content tab indicating the intent of limiting what Writers can do or see within the application.

Upon authentication to the application, the low-privileged user is given the requisite cookies and headers in order to access it.

The low privileged user then authenticates to the application, and is provided with the necessary cookies and headers to access it.

“Using these identifiers, the low privileged user can access the API endpoint which returns the log data only available to the Administrator via the UI” continues the analysis published by Trustwave. “It was observed in the Umbraco.Web.dll that the LogViewerController class uses no granular authorization attributes on its exposed endpoints.”

Trustwave researchers discovered that the Umbraco.Web.dll library used by the LogViewerController class doesn’t properly implement the authorization process on its exposed endpoints, this means that endpoints are accessible for lower privileged users.

“Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise give permission to the controller (“[UmbracoApplicationAuthorize]”).” concludes the analysis. “A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”

The privilege escalation issue affects Umbraco versions 8.9.0 and 8.6.3, while version 7.x is not affected by this vulnerability.

The development team behind the CMS quickly addressed the flaw with the release of Umbraco CMS 8.10.0.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)

The post Experts discovered a privilege escalation issue in popular Umbraco CMS appeared first on Security Affairs.

By admin