Announcement: Umbraco Security Vulnerability

Umbraco CMS Unrestricted File Upload Vulnerability

Umbraco CMS Vulnerability Summary

Vendor: Umbraco
Version: Umbraco CMS v7.5.9
Release Date: 2nd June 2017

Umbraco CMS was found to be vulnerable to an unrestricted file upload flaw.

Impact of the Umbraco CMS Vulnerability

Exploiting this vulnerability enables an adversary to upload arbitrary malicious files to the underlying web server, leaving the application exposed to stored cross-site scripting and other client-side attacks.

Umbraco CMS Vulnerability Technical Details

A number of vulnerable resources were found, showing that it was possible to circumvent the blacklist filtering techniques implemented to prevent the upload of malicious file types, e.g. an adversary uploading files with an arbitrary file extension.

This circumvention was achieved by appending trailing whitespace to the value of the filename parameter and by using a variety of alternative extensions when submitting data to the following resources:

/umbraco/backoffice/UmbracoApi/Media/PostSave

/umbraco/backoffice/UmbracoApi/Media/PostAddFile
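The two weaknesses described above, a raw extension compared against a denylist and an extension list that can never be complete, are shown side by side in the added example below. It is illustrative code written for this advisory, not Umbraco's or Perspective Risk's; the DENYLIST and ALLOWLIST contents are constructed and the function names are hypothetical.

```python
import re

# Hypothetical denylist of the kind the advisory describes (constructed, not Umbraco's list).
DENYLIST = {"aspx", "ashx", "asmx", "html", "htm", "svg", "js"}
# Hypothetical allowlist for a media section (constructed).
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def extension_of(name):
    """Return the text after the last dot, unchanged, or '' if there is none."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def denylist_accepts(filename):
    """Weak check: compares the raw extension against a denylist.
    'shell.aspx ' yields the extension 'aspx ' (trailing space kept),
    which is not in the list, and an unlisted alternative such as
    'xhtml' is never blocked at all."""
    return extension_of(filename).lower() not in DENYLIST


def normalize_filename(filename):
    """Reduce a client-supplied filename to a bare base name.
    Path separators are dropped; trailing spaces and dots are removed
    because Windows discards them when the file is created, so
    'shell.aspx ' would otherwise land on disk as 'shell.aspx'."""
    base = re.split(r"[\\/]", filename)[-1]
    return base.replace("\x00", "").strip().rstrip(". ")


def validate_upload_name(filename):
    """Allowlist check run on the normalized name.
    Returns the name to store the file under, or None to reject."""
    name = normalize_filename(filename)
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    if not stem or ext.lower() not in ALLOWLIST:
        return None
    return name


if __name__ == "__main__":
    # Constructed sample filenames, including the two bypass shapes from the advisory.
    for sample in ["shell.aspx ", "page.xhtml", " Photo.JPG ", "C:\\tmp\\photo.png"]:
        print(repr(sample), "denylist:", denylist_accepts(sample),
              "allowlist:", validate_upload_name(sample))
```

The denylist accepts both bypass shapes while the normalized allowlist rejects them and still admits ordinary media names regardless of case or surrounding whitespace.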

Affected Umbraco CMS Products

The application versions affected are confirmed as:

  • Umbraco CMS v7.5.4
  • Umbraco CMS v7.5.6
  • Umbraco CMS v7.5.9

The Solution to the Umbraco CMS Vulnerability

Upgrade to Umbraco version 7.6.1

Note: Umbraco confirmed the fix in version 7.5.11; Perspective Risk confirmed it in version 7.6.1.

Umbraco CMS Vulnerability Timetable

09/11/2016: Perspective Risk reports vulnerability to vendor

22/11/2016: Vendor releases fixed version of the application

22/11/2016: Vendor publishes advisory

03/01/2017: Perspective Risk reports second vulnerability to vendor

05/01/2017: Vendor publishes a fix

20/02/2017: Perspective Risk reports third vulnerability to vendor

22/02/2017: Vendor acknowledges third vulnerability and publishes a fix

10/05/2017: Perspective Risk confirms vendor’s fixes are implemented

Umbraco CMS Vulnerability Credits

Discovered by Kai Stimpson, Security Consultant at Perspective Risk.

Umbraco References

Reporting a security vulnerability to Umbraco

Umbraco Issue Tracker:

Unrestricted File Upload Vulnerability

Security: files of type xhtml should not be allowed to be uploaded to the media section

Media uploads currently use a blacklist – should add a whitelist as well for security

If you would like Perspective Risk’s advice with any element of your cyber security, you are very welcome to contact us.
