A security vulnerability in the Umbraco website CMS could allow an attacker to access user credentials and possibly take over a website.
Cybersecurity firm Trustwave has shared its findings in a blog post on its website.
Trustwave researchers described a privilege escalation issue that could allow low-privileged users to gain admin-level access and reach resources that are meant to be limited to higher-privileged users.
The problem stems from improper validation of user requests in an API endpoint: the plugin API “does not properly check the user’s authorization prior to returning results found in the application’s logging section,” the researchers explain.
As in WordPress, higher-privileged users in this CMS can view log data in the administrative UI in addition to performing administrative actions, while low-privileged users (for example, Writers) can only view the content tab and cannot see any other information within the application.
By accessing the logs, the unauthorized person could even get access to such critical details as usernames and passwords.
“The risk of the information leak will be contextualized based on what is actually logged by default or by whatever additional logging the application maintainer has decided to add. For example, custom logging of a failed authentication routine could potentially leak usernames and passwords to the log,” researchers write.
Trustwave found that in the Umbraco.Web.dll file, the LogViewerController class applies no authorization attributes to its exposed endpoints, which leaves numerous endpoints accessible to lower-privileged users with enough technical knowledge to pull this off.
Jonathan Yarema, a managing consultant at Trustwave, commented: “Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise give permission to the controller (“[UmbracoApplicationAuthorize]”). A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”
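To illustrate the fix Yarema describes and the kind of regression check a maintainer can keep in a test suite, here is an added example (not Umbraco’s or Trustwave’s code). It uses a hypothetical stand-in attribute, SectionAuthorizeAttribute, in place of Umbraco’s own [UmbracoApplicationAuthorize] and [AdminUsersAuthorize], and assumes those Umbraco attributes derive from System.Web.Http.AuthorizeAttribute, as the reflection audit relies on.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Http;

// Stand-in for a section-scoped authorization attribute (hypothetical; in Umbraco 8 the
// real ones are [UmbracoApplicationAuthorize] and [AdminUsersAuthorize], as the article notes).
public class SectionAuthorizeAttribute : AuthorizeAttribute
{
    public string Section { get; }
    public SectionAuthorizeAttribute(string section) { Section = section; }
}

// Shape of the flaw: a back-office API controller that returns log data but carries
// no authorization attribute, so any authenticated low-privileged user can call it.
public class LogViewerController : ApiController
{
    [HttpGet] public string GetLogLevel() => "Information";
}

// Hardened form: the same controller limited to users who hold the "settings" section.
[SectionAuthorize("settings")]
public class HardenedLogViewerController : ApiController
{
    [HttpGet] public string GetLogLevel() => "Information";
}

public static class AuthorizationAudit
{
    // Names of concrete ApiController types that are protected neither at class level
    // nor on every public action. Run from a unit test so an unprotected controller
    // fails the build instead of shipping. Usage:
    //   AuthorizationAudit.FindUnprotectedControllers(typeof(LogViewerController).Assembly)
    public static string[] FindUnprotectedControllers(Assembly asm) =>
        asm.GetTypes()
           .Where(t => typeof(ApiController).IsAssignableFrom(t) && !t.IsAbstract)
           .Where(t => !IsProtected(t))
           .Select(t => t.Name)
           .OrderBy(n => n)
           .ToArray();

    static bool IsProtected(Type t)
    {
        if (t.GetCustomAttributes<AuthorizeAttribute>(inherit: true).Any()) return true;
        // Class-level attribute absent: every public action must be covered individually.
        var actions = t.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly);
        return actions.Length > 0
            && actions.All(m => m.GetCustomAttributes<AuthorizeAttribute>(inherit: true).Any());
    }
}
```

Any controller the audit reports should either receive a class-level section or admin attribute, as UsersController already does, or have each action protected explicitly.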
The issue affects Umbraco versions 8.9.0 and 8.6.3.
Trustwave reported the flaws to Umbraco in line with the security firm’s Responsible Disclosure program. Umbraco subsequently issued a patch and recommended that affected users upgrade to Umbraco CMS 8.10.0 or higher.