Experts discovered a privilege escalation issue in popular Umbraco CMS

Experts discovered a vulnerability in the popular CMS Umbraco that could allow low privileged users to escalate privileges to “admin.”

Security experts from Trustwave have discovered a privilege escalation vulnerability in the popular website CMS, Umbraco.

The vulnerability affects an API endpoint that fails to properly check the user’s authorization prior to returning results found to the application’s logging section.

“Umbraco version 8.9.0 (also seen in 8.6.3) has a privilege escalation issue in the core administrative screens which allows a low privileged user to access various resources otherwise limited to higher privileged users.” reads the post published by Trustwave. “The issue exists in an API endpoint that does not properly check the user’s authorization prior to returning results found in the application’s logging section.”

Users with higher privileges (i.e. Administrator) has the ability to view log data in the administrative UI.

The log data include information inserted into the application logs per configuration or generated by custom exception handling routines. 

Experts demonstrated the existence of the flaw using an Administrator user to create a lower privileged user and placed it in the Writers group, which has limited access to the application. 

The new user can only view the content tab indicating the intent of limiting what Writers can do or see within the application.

Upon authentication to the application, the low-privileged user is given the requisite cookies and headers in order to access it.

The low privileged user then authenticates to the application, and is provided with the necessary cookies and headers to access it.

“Using these identifiers, the low privileged user can access the API endpoint which returns the log data only available to the Administrator via the UI” continues the analysis published by Trustwave. “It was observed in the Umbraco.Web.dll that the LogViewerController class uses no granular authorization attributes on its exposed endpoints.”

Trustwave researchers discovered that the Umbraco.Web.dll library used by the LogViewerController class doesn’t properly implement the authorization process on its exposed endpoints, this means that endpoints are accessible for lower privileged users.

“Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise give permission to the controller (“[UmbracoApplicationAuthorize]”).” concludes the analysis. “A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”

The privilege escalation issue affects Umbraco versions 8.9.0 and 8.6.3, while version 7.x is not affected by this vulnerability.

The development team behind the CMS quickly addressed the flaw with the release of Umbraco CMS 8.10.0.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)

[adrotate banner=”5″]

[adrotate banner=”13″]