Serviceteam IT Security News

Cybersecurity firm Trustwave has uncovered a security vulnerability in the popular website CMS, Umbraco. In a blog post on its website, Trustwave researchers outlined details of a privilege escalation issue which allows low privileged users to elevate themselves to the status of admin.

The problem resides in an API endpoint that does not properly check the user’s authorization before returning results from the application’s logging section.

In the CMS, higher privileged users, i.e. administrators, are able to view log data in the administrative UI, which contains any information inserted into the application logs. To test the risk of any of this information being leaked, the administrator creates a lower privileged user who is placed into the Writers group. This means the low privileged user can only view the Content tab, indicating the intent of limiting what Writers can do or see within the application.

The low privileged user then authenticates to the application, and is provided with the necessary cookies and headers to access it; these identifiers can then enable the low privileged user to access the API endpoint, which returns log data that should only be available to the administrator.

Trustwave revealed that the reason for this was that, in Umbraco.Web.dll, the LogViewerController class uses no granular authorization attributes on its exposed endpoints, meaning numerous endpoints are accessible to lower privileged users.

Jonathan Yarema, managing consultant, SpiderLabs at Trustwave, commented in the blog: “Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise give permission to the controller (“[UmbracoApplicationAuthorize]”). A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”

The issue has been observed in Umbraco versions 8.9.0 and 8.6.3.
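To make the root cause concrete, here is an added illustration (not Umbraco’s own code and not the actual LogViewerController) of the pattern the article describes: a backoffice API controller whose base class only requires an authenticated user, placed beside the same controller with section-level and administrator-only authorization declared through attributes. The base class UmbracoAuthorizedApiController, the PluginController attribute, the Constants.Applications.Settings value and the namespaces of the [UmbracoApplicationAuthorize] and [AdminUsersAuthorize] attributes are assumptions about Umbraco 8 and should be checked against the version in use; LogStore is a hypothetical stand-in for a real log reader.

```csharp
// Illustrative example, not Umbraco's own code. Base class, attribute
// namespaces and the PluginController attribute are assumptions about
// Umbraco 8; verify them against the version you run.
using System.Collections.Generic;
using System.Web.Http;
using Umbraco.Core;
using Umbraco.Web.Mvc;
using Umbraco.Web.WebApi;
using Umbraco.Web.WebApi.Filters;

namespace Example.Backoffice
{
    // BEFORE: the base class only checks that a backoffice user is logged in.
    // Any authenticated user, including a member of the Writers group, can
    // call GetLogs and read everything that was written to the application log.
    [PluginController("Example")]
    public class UnprotectedLogController : UmbracoAuthorizedApiController
    {
        [HttpGet]
        public IEnumerable<string> GetLogs()
        {
            return LogStore.ReadAll();
        }
    }

    // AFTER: authorization is declared explicitly. The controller-level attribute
    // limits every action to users who have access to the Settings section, and
    // the destructive action is further restricted to administrators, matching
    // the approach the article recommends for the LogViewerController.
    [PluginController("Example")]
    [UmbracoApplicationAuthorize(Constants.Applications.Settings)]
    public class ProtectedLogController : UmbracoAuthorizedApiController
    {
        [HttpGet]
        public IEnumerable<string> GetLogs()
        {
            return LogStore.ReadAll();
        }

        [HttpPost]
        [AdminUsersAuthorize]
        public void ClearLogs()
        {
            LogStore.Clear();
        }
    }

    // Hypothetical log source with constructed sample lines, so the example
    // compiles on its own. A real log would be read from disk or a sink.
    internal static class LogStore
    {
        private static readonly List<string> Lines = new List<string>
        {
            "2020-01-01 10:00:00 [INF] Application started",
            "2020-01-01 10:05:12 [WRN] Failed login attempt for user 'editor'"
        };

        public static IEnumerable<string> ReadAll() => Lines;

        public static void Clear() => Lines.Clear();
    }
}
```

A useful review habit that follows from this: for every controller deriving from an authenticated-only base class, confirm that each action either inherits a section or role restriction from a controller-level attribute or declares one itself, since authentication alone does not express which user groups may read the data the action returns.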

Source: Infosecurity Magazine

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!
