Umbraco is an open-source content management system (CMS) platform for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft based infrastructure. It as one of the leading .NET-based open source CMS systems.
Technology wise, Umbraco is primarily written in C#, stores data in a relational database (commonly Microsoft SQL Server) and works on Microsoft IIS. Umbraco’s front-end is built upon Microsoft’s .NET Framework, using ASP.NET. Umbraco uses standard ASP.NET features such as ASP.NET “master pages” to facilitate the creation of reusable page layouts, and supports both Razor and XSLT. XSLT has been used for scripting, and in the past there was much debate as to which yielded better performance, since XML has been used for database storage and for the cache file (umbraco.config).
DefeseCode’s team of security researchers uncovered a potentially high risk vulnerability in Umbraco CMS. Umbraco CMS is vulnerable to an arbitrary file upload vulnerability that can lead to Remote Code Execution (depending on server configuration) and Stored Cross-Site Scripting vulnerabilities.
DefenseCode ThunderScan SAST was used to analyze the Umbraco CMS source code, with default scan configuration. DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application source code. ThunderScan performs fast and deep accurate analysis of large and complex source code projects delivering precise results and low false positive rate.
ThunderScan identified the following code logic as vulnerable:
The above logic is related to user avatar image uploads within the user profile (Source code file: /src/Umbraco.Web/Editors/UsersController.cs)
Due to a default scan configuration, the analysis with ThunderScan® did not take into the account custom input sanitization methods such as ToSafeFileName() , a string extension method used to prevent any filename manipulations that would allow for path traversal attacks, or file extension blacklisting checks against the DissallowedUploadedFiles list.
However, blacklist approach to the prevention of potentially dangerous files prompted deeper inspection of the application logic. The default list of disallowed extensions is defined in umbracoSettings.config file as:
<disallowedUploadFiles>
ashx,aspx,ascx,config,cshtml,vbhtml,asmx,air,axd,swf,xml,xhtml,html,htm,
php,htaccess
</disallowedUploadFiles>
Due to this approach, an attacker can resolve to extensions such as .wsdl, .xsl, .xsd and other XML based file types that will be served inline by Microsoft IIS and can contain malicious JavaScript code that can be executed by the victims browser, to effectively perform Stored Cross-Site Scripting attacks in default deployments of Umbraco CMS.
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
This may be confirmed on the live instance of Umbraco CMS by submitting a POST upload request to the /umbraco/backoffice/UmbracoApi/Users/PostSetAvatar?id=1 endpoint. The extension used for the proof of concept file was .wsdl, with the following content:
<defensecode:script xmlns:defensecode="http://www.w3.org/1999/xhtml">alert('XSS')</defensecode:script>
Proof of Concept JavaScript execution upon visiting the URL of an uploaded file can be seen below:
In case the server supports Classic ASP, uploading .asp files can lead to remote code execution. This occurrence is not uncommon due to the need to support legacy applications hosted on the same server. The same can be said for servers with enabled HTTP Activation feature of WCF Services where .xamlx file uploads would be used for the same attack.
The vulnerability has was been reported to vendor on November 22, 2020, when the latest release of Umbraco CMS was at version 8.8.2. The report has been acknowledged by Umbraco security team on November 25, 2020. Only a single potentially dangerous extension has since been added in the default disallowed extensions list: xamlx.
This leaves the latest current version (8.12.1, at the time of this blog post) still prone to stored cross-site scripting attacks as well as potential remote code execution through Classic ASP files.
Above vulnerability content is being shared by DefenseCode’s Tanja Stabek to E-SPIN on 25-Mar-2021. All software application develop by the human, no matter how experience you are, when it run over million and million of the code, as per the industry best practice, complement it with the static application security testing (SAST) to perform automated real time or schedule source code scan, it one of the best practice to capture as many vulnerability in as early of the development lifecycle, and at the same time, improve the quality of the application, and less likely be attack by the hacker.
E-SPIN Group in the enterprise ICT solution supply, consulting, project management, training and maintenance for multinational corporations and government agencies across the region, since 2005. For the application security testing (AST) domain, E-SPIN being supply end to end from dynamic application security testing (DAST), static application security testing (SAST), interactive application security testing (IAST), software composition analysis (SCA), mobile application security testing (Mobile AST), and manual application security testing (MAST) for various deployment and use case, for the various leading multinational corporation, to government agencies, include national cybersecurity cyber defensive or cyber offensive center, vulnerability assessment and research lab and various modern red team. Feel free to contact E-SPIN for the various project requirements and inquiry.
