Trustwave Uncovers Vulnerability in Popular Website CMS
Cybersecurity firm Trustwave has uncovered a security vulnerability in the popular website CMS Umbraco. In a blog post on its website, Trustwave researchers outlined details of a privilege escalation issue that allows low privileged users to elevate themselves to admin status.
The problem resides in an API endpoint that does not properly check the user's authorization before returning results from the application's logging section.
In the CMS, higher privileged users, i.e. administrators, can view log data in the administrative UI, which includes any information written to the application logs. To test whether any of this information could be leaked, the administrator creates a lower privileged user who is placed in the Writers group. This means the low privileged user can only view the Content tab, reflecting the intent to limit what Writers can do or see within the application.
The low privileged user then authenticates to the application and is issued the cookies and headers needed to access it; those same identifiers also let the low privileged user reach the API endpoint, which returns log data that should be available only to the administrator.
Trustwave revealed that the cause is that, in Umbraco.Web.dll, the LogViewerController class carries no granular authorization attributes on its exposed endpoints, so numerous endpoints are accessible to lower privileged users.
Jonathan Yarema, managing consultant, SpiderLabs at Trustwave, commented in the blog: “Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise give permission to the controller (“[UmbracoApplicationAuthorize]”). A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”
The issue has been observed in Umbraco versions 8.9.0 and 8.6.3.
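The defect and the fix pattern Trustwave's quote describes, as an added Python model that is not Umbraco's code: the decorators are constructed analogues of the C# attributes named above ([HttpGet], [AdminUsersAuthorize], [UmbracoApplicationAuthorize]), the controllers and users are hypothetical, and the audit at the end is the check a defender would run over the back-office controllers to find actions that rely on nothing more than "logged in".

```python
from collections import namedtuple
User = namedtuple("User", "name is_admin sections")   # sections: back-office sections the user may see

def http_get(fn):                        # analogue of ASP.NET's [HttpGet]: marks an exposed action
    fn.exposed = True
    return fn
def admin_users_authorize(target):       # analogue of [AdminUsersAuthorize]
    target.require_admin = True
    return target
def application_authorize(*sections):    # analogue of [UmbracoApplicationAuthorize(section)]
    def decorate(target):
        target.require_sections = set(sections)
        return target
    return decorate

def is_authorized(user, controller_cls, action):
    """Apply requirements declared on the controller class and on the action itself."""
    for target in (controller_cls, action):
        if getattr(target, "require_admin", False) and not user.is_admin:
            return False
        needed = getattr(target, "require_sections", set())
        if needed and not (needed & user.sections):
            return False
    return True

def call(user, controller_cls, action_name):
    """Dispatch like the back-office API: 403 unless every requirement passes."""
    action = getattr(controller_cls, action_name)
    if not is_authorized(user, controller_cls, action):
        return 403, None
    return 200, action(controller_cls())

def unguarded_actions(*controllers):
    """Audit: exposed actions with no requirement on the class or the method, i.e. reachable by any logged-in user."""
    guarded = lambda t: hasattr(t, "require_admin") or hasattr(t, "require_sections")
    return [f"{cls.__name__}.{name}" for cls in controllers for name in dir(cls)
            if getattr(getattr(cls, name), "exposed", False)
            and not guarded(cls) and not guarded(getattr(cls, name))]

LOG_LINES = ["2020-06-01 10:00:00 [ERR] Login failed for user alice"]   # constructed sample log entry
class LogViewerController:               # as shipped: no authorization attribute at all
    @http_get
    def GetLogs(self): return list(LOG_LINES)
@admin_users_authorize                   # hardened form: admin-only, as UsersController already does
class FixedLogViewerController(LogViewerController): pass
@application_authorize("users")          # section-level guard of the kind used on UsersController
class UsersController:
    @http_get
    def GetAll(self): return []
writer = User("writer", False, {"content"})                     # Writers group: content tab only
admin = User("admin", True, {"content", "users", "settings"})
```

Run against a real ASP.NET code base, the same audit is a reflection pass over controller types checking for authorization attributes at class and method level.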