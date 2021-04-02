Infosecurity Group Websites

Trustwave Uncovers Vulnerability in Popular Website CMS

Cybersecurity firm Trustwave has uncovered a security vulnerability in the popular website CMS Umbraco. In a blog post on its website, Trustwave researchers detailed a privilege escalation issue that allows low-privileged users to elevate themselves to admin status.

The problem resides in an API endpoint that does not properly check the user’s authorization before returning results from the application’s logging section.

In the CMS, higher-privileged users, i.e. administrators, can view log data in the administrative UI, which includes any information written to the application logs. To test whether this information could leak, the administrator creates a lower-privileged user and places them in the Writers group. That user can only see the Content tab, reflecting the intent to limit what Writers can do or see within the application.

The low-privileged user then authenticates to the application and receives the cookies and headers needed to access it; those identifiers are enough to call the API endpoint, which returns log data that should be available only to the administrator.

Trustwave revealed that the cause is that, in Umbraco.Web.dll, the LogViewerController class applies no granular authorization attributes to its exposed endpoints, so numerous endpoints are accessible to lower-privileged users.

Jonathan Yarema, managing consultant, SpiderLabs at Trustwave, commented in the blog: “Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise give permission to the controller (“[UmbracoApplicationAuthorize]”). A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”

The issue has been observed in Umbraco versions 8.9.0 and 8.6.3.
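To make the weakness and the recommended fix concrete, here is an added illustration in the Umbraco 8 controller style; it is not Umbraco's own code. The first controller relies only on the back-office login check inherited from its base class, the second applies the section- and admin-level attributes the quote names. Namespaces, the `Constants.Applications.Settings` alias, the `Read` helper and its sample lines are assumptions made for the example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Http;
using Umbraco.Core;                 // Constants.Applications (assumed namespace)
using Umbraco.Web.Editors;          // UmbracoAuthorizedJsonController (assumed)
using Umbraco.Web.WebApi.Filters;   // UmbracoApplicationAuthorize, AdminUsersAuthorize (assumed)

// Stand-in for the real log store: constructed sample lines, not real log data.
internal static class LogStore
{
    private static readonly string[] Lines =
    {
        "2021-04-01 10:02:11 [INF] Request /umbraco/backoffice/... from 10.0.0.5",
        "2021-04-01 10:02:12 [WRN] Failed login for user editor@example.invalid",
        "2021-04-01 10:02:13 [ERR] SMTP connect failed: host smtp.example.invalid",
    };

    public static IEnumerable<string> Read(int pageSize) => Lines.Take(pageSize);
}

// BEFORE: the condition the article describes. The base class only requires a
// logged-in back-office user, so a member of the Writers group, who is meant to
// see nothing but the Content section, still receives log lines from this route.
public class LogViewerController : UmbracoAuthorizedJsonController
{
    [HttpGet]
    public IEnumerable<string> GetLogs(int pageSize = 100) => LogStore.Read(pageSize);
}

// AFTER: the pattern the quote attributes to UsersController. The class-level
// attribute restricts every action to users who have access to the Settings
// section; the sensitive read is additionally limited to administrators.
[UmbracoApplicationAuthorize(Constants.Applications.Settings)]
public class HardenedLogViewerController : UmbracoAuthorizedJsonController
{
    [HttpGet]
    [AdminUsersAuthorize]
    public IEnumerable<string> GetLogs(int pageSize = 100) => LogStore.Read(pageSize);
}
```

A regression test for this class of bug logs in as a Writers-group user and asserts the log route answers 401/403 rather than 200; checking that once per authorized controller catches any endpoint that later loses its attribute.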
