Trustwave’s security experts have detected a privilege escalation flaw in the leading website CMS Umbraco. The flaw impacts an API endpoint that can not correctly verify the user’s authorization before returning results found to the logging section of the application.

“Umbraco version 8.9.0 (also seen in 8.6.3) has a privilege escalation issue in the core administrative screens which allows a low privileged user to access various resources otherwise limited to higher privileged users.” reads the post published by Trustwave.

“The issue exists in an API endpoint that does not properly check the user’s authorization prior to returning results found in the application’s logging section.”

Administrators or users with greater privileges can view log data in the administrative UI. This log data entails data inserted into the application logs per configuration or generated through custom exception handling routines. Trustwave’s security experts showed the presence of the vulnerability by making the use of an Administrator user to generate a lower privileged user and insert it in the Writers group that has restricted access to the application. In order to restrict the activities of the Writers; what they can do or see within the application, the new user has been only permitted to view the content tab. On authentication to the application, the low-privileged user is offered the relevant cookies and headers to process it.

“Using these identifiers, the low privileged user can access the API endpoint, which returns the log data only available to the Administrator via the UI” c, continues the analysis published by Trustwave. “It was observed in the Umbraco.Web.dll that the LogViewerController class uses no granular authorization attributes on its exposed endpoints.”

It has been detected by the researchers of Trustwave that the Umbraco.Web.dil library that the LogViewerController class has exploited does not correctly apply the authorization process on end exposed endpoints has means that only the lower privileged users may access the endpoints. “Conversely, there are other areas which do protect resources such as the UsersController wherein some methods are explicitly limited to Administrative users (“[AdminUsersAuthorize]” attribute) or must otherwise permit the controller (“[UmbracoApplicationAuthorize]”).” concludes the analysis. “A similar approach should be used for the LogViewerController to limit unauthorized access to its data.”