We don't release 0days... except when vendors show no interest in fixing their bugs.
Matta Consulting - Matta Advisory
https://www.trustmatta.com

Umbraco Open Proxy Vulnerability

Advisory ID: MATTA-2012-001
CVE reference: CVE-2012-1301
Affected platforms: Umbraco
Version: 4.x
Date: 2012-January-26
Security risk: High
Vulnerability: Umbraco bundles a script behaving like an open-proxy
Researcher: Florent Daigniere
Vendor Status: Notified
Vulnerability Disclosure Policy: https://www.trustmatta.com/advisories/matta-disclosure-policy-01.txt
Permanent URL: https://www.trustmatta.com/advisories/MATTA-2012-001.txt
Vulnerable installations of Umbraco allow unauthenticated users to abuse the script FeedProxy.aspx into proxying requests on their behalf through the "url" parameter.
Anyone with access to the management interface of Umbraco can abuse the FeedProxy script into proxying requests for them.

The impact of such a vulnerability is difficult to measure and depends on the specifics of the deployment. Typically, it allows attackers to connect to other systems, bypassing controls, or can be abused to trick users and browsers into performing actions they would not otherwise consider (XSS, phishing, ...).

This particular vulnerability can also be abused to create a powerful denial of service: a single recursive proxy request will take the application server down and, depending on the configuration of the server, might severely affect unrelated services.
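As an added example (not code from the advisory, from Matta or from Umbraco), the following Python script scans constructed IIS W3C log lines for FeedProxy.aspx requests whose "url" parameter points back at the site itself (the recursive denial of service described above), at an internal address, or at a host outside an allowlist of feed sources. The script path, the site host and the allowlist are assumptions.

```python
# Added example for this advisory (not Matta's or Umbraco's code): flag requests
# to FeedProxy.aspx in IIS W3C logs that proxy somewhere they should not.
# Log lines are constructed; script path, site host and feed allowlist are assumed.
import ipaddress
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "cms.example.net"               # assumption: the Umbraco host itself
ALLOWED_FEED_HOSTS = {"feeds.example.org"}  # assumption: feeds the site really uses

# Constructed lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2012-03-01 10:00:01 203.0.113.5 GET /umbraco/FeedProxy.aspx url=http://feeds.example.org/rss.xml 200
2012-03-01 10:00:07 203.0.113.9 GET /umbraco/FeedProxy.aspx url=http://10.0.0.12/admin 200
2012-03-01 10:00:09 203.0.113.9 GET /umbraco/FeedProxy.aspx url=http%3A%2F%2Fcms.example.net%2Fumbraco%2FFeedProxy.aspx%3Furl%3Dhttp%3A%2F%2Fcms.example.net%2F 500
2012-03-01 10:00:11 203.0.113.7 GET /index.aspx - 200
"""

def classify(line):
    """Return why a log line looks like FeedProxy abuse, or None if it is benign."""
    fields = line.split()
    if len(fields) < 7 or not fields[4].lower().endswith("/feedproxy.aspx"):
        return None
    # parse_qs percent-decodes, so the proxied URL comes back in clear form.
    target = parse_qs(fields[5]).get("url", [""])[0]
    if not target:
        return None
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    # The advisory's DoS case: the script is pointed back at itself.
    if host == SITE_HOST or parts.path.lower().endswith("/feedproxy.aspx"):
        return "recursive proxy request (DoS)"
    # Pivot into systems that should not be reachable through the CMS.
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            return f"proxy to internal address {host}"
    except ValueError:
        pass  # hostname rather than a literal IP
    if host not in ALLOWED_FEED_HOSTS:
        return f"proxy to non-allowlisted host {host}"
    return None

def scan(log_text):
    """Return (client_ip, reason) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.split()[2], reason))
    return hits
```

Running `scan(SAMPLE_LOG)` reports the internal-address and recursive requests from 203.0.113.9 and ignores the allowlisted feed fetch and the unrelated page hit.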
=====================================================================
Versions affected:
Umbraco version 4.7.0 tested.
=====================================================================
Threat mitigation

Matta consultants recommend deleting the FeedProxy script or upgrading Umbraco to version 5+.
This vulnerability was discovered and researched by Florent Daigniere from Matta Consulting.
26-01-12 initial discovery
21-02-12 initial attempt to contact the vendor
24-02-12 second attempt to contact the vendor
27-02-12 third attempt to contact the vendor
27-02-12 response from the vendor \o/
27-02-12 draft of this advisory is sent to the vendor
29-02-12 CVE-2012-1301 is assigned
05-04-12 publication of the advisory
=====================================================================
About Matta
Matta is a privately held company with headquarters in London and a European office in Amsterdam. Established in 2001, Matta operates in Europe, Asia, the Middle East and North America using a respected team of senior consultants. Matta is an accredited provider of Tiger Scheme training, conducts regular research, and is the developer behind the webcheck application scanner and the colossus network scanner.

https://www.trustmatta.com
https://www.trustmatta.com/training.html
https://www.trustmatta.com/webapp_va.html
https://www.trustmatta.com/network_va.html
=====================================================================
Disclaimer and Copyright
Copyright (c) 2012 Matta Consulting Limited. All rights reserved. This advisory may be distributed as long as its distribution is free-of-charge and proper credit is given.
The information provided in this advisory is provided "as is" without warranty of any kind. Matta Consulting disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Matta Consulting or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Matta Consulting or its suppliers have been advised of the possibility of such damages.