Security experts from Trustwave have discovered a privilege escalation vulnerability in the popular website CMS, Umbraco.
The vulnerability affects an API endpoint that fails to properly check the user’s authorization prior to returning results found to the application’s logging section.
“Umbraco version 8.9.0 (also seen in 8.6.3) has a privilege escalation issue in the core administrative screens which allows a low privileged user to access various resources otherwise limited to higher privileged users.” reads the post published by Trustwave. “The issue exists in an API endpoint that does not properly check the user’s authorization prior to returning results found in the application’s logging section.”
Users with higher privileges (i.e. Administrator) has the ability to view log data in the administrative UI.
The log data include information inserted into the application logs per configuration or generated by custom exception handling routines.
Experts demonstrated the existence of the flaw using an Administrator user to create a lower privileged user and placed it in the Writers group, which has limited access to the application.
The new user can only view the content tab indicating the intent of limiting what Writers can do or see within the application.
Upon authentication to the application, the low-privileged user is given the requisite cookies and headers in order to access it.
The low privileged user then authenticates to the application, and is provided with the necessary cookies and headers to access it.
“Using these identifiers, the low privileged user can access the API endpoint which returns the log data only available to the Administrator via the UI” continues the analysis published by Trustwave. “It was observed in the Umbraco.Web.dll that the LogViewerController class uses no granular authorization attributes on its exposed endpoints.”
Trustwave researchers discovered that the Umbraco.Web.dll library used by the LogViewerController class doesn’t properly implement the authorization process on its exposed endpoints, this means that endpoints are accessible for lower privileged users.
“Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise give permission to the controller (“[UmbracoApplicationAuthorize]”).” concludes the analysis. “A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”
The privilege escalation issue affects Umbraco versions 8.9.0 and 8.6.3, while version 7.x is not affected by this vulnerability.
The development team behind the CMS quickly addressed the flaw with the release of Umbraco CMS 8.10.0.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, privilege escalation)
[adrotate banner=”5″]
[adrotate banner=”13″]
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.…
Russia-linked APT Sandworm employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since…
Cisco has addressed a high-severity vulnerability in its Integrated Management Controller (IMC) for which publicly…
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks'…
This website uses cookies.