CVE-2019-13957
> [Suggested description]
> In Umbraco custom Backoffice API Controller, there is
> SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter.
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> umbraco custom Backoffice API Controller
>
> ------------------------------------------
>
> [Affected Product Code Base]
> umbraco backoffice custom Backoffice API Controller
>
> ------------------------------------------
>
> [Affected Component]
> https://www.example.com/umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch?startdate=2019-05-07&enddate=2019-06-06&userName=chtpt&nodeName='%20waitfor%20delay'0%3a0%3a20'--
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Reference]
> https://our.umbraco.com/download/releases/738/
>
> ------------------------------------------
>
> [Discoverer]
> CHT Security/hans
@ArnoldV ArnoldV commented Oct 3, 2019

This seems to be in a custom Backoffice API Controller someone built on top of Umbraco and not in the CMS itself. Probably a specific site even? Details of this functionality: https://our.umbraco.com/documentation/reference/routing/webapi/

@clausjensen clausjensen commented Oct 3, 2019

@shiham101 This has nothing to do with the official Umbraco CMS 7.3.8 release. Would you please be so kind as to remove/cancel this CVE, as it is not valid.

As Arnold mentions - this is a custom controller someone has added to their Umbraco installation, which Umbraco itself cannot be held accountable for. It is also not something you would see in any other site running this Umbraco version.

If you think otherwise - please point to the location in the source code (which is publicly available on github here: https://github.com/umbraco/Umbraco-CMS) and tell us where you believe the problem is.

@shiham101 shiham101 commented Nov 15, 2019

Hi,
Got it. It's a custom Backoffice API Controller SQLi by developers.
Could Umbraco CMS provide SQLi filters to help developers avoid SQLi attacks, just like the Microsoft Anti-XSS Library?

From (https://our.umbraco.com/documentation/reference/routing/webapi/)
If you are creating a controller to work within the Umbraco backoffice then you will need to ensure that it is secured properly by inheriting from: UmbracoAuthorizedApiController or UmbracoAuthorizedJsonController.

@clausjensen clausjensen commented Nov 15, 2019

@shiham101 Umbraco is basically "just" a framework running on top of ASP.NET MVC. You are free to use any sort of Anti-XSS library (such as the Microsoft one) within your controllers (and Umbraco controllers as well, as they are just extended MVC controllers).

We cannot really control what developers decide to do or how they decide to code their custom controllers, so force-applying filters is not something we can (or should) do. It is also not the responsibility of a CMS to provide helper methods for preventing XSS - we are not experts in this field and whatever we did would most likely not be on par or kept properly maintained. You would be much better off using an external and maintained library built specifically for this kind of thing.

The "secured properly" we're referring to in the documentation there is authentication/authorization. By inheriting from these base controllers you will automatically get your controllers protected by the auth mechanisms of Umbraco (require backoffice authentication). If you did not do this, anyone would be able to call these controllers without being authenticated, as long as they knew what URL to request.
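To make the distinction drawn above concrete, here is an added example (not Umbraco's code and not the controller from the report, whose source is not published): a backoffice API controller that inherits from UmbracoAuthorizedApiController, so it is protected by backoffice authentication, with the string-building query pattern that makes the nodeName parameter injectable beside a hardened version that passes every value through the parameter placeholders of Umbraco 7's PetaPoco-based Sql builder. The table name, column names, the InspectRow DTO and the length check are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Http;
using Umbraco.Core.Persistence;
using Umbraco.Web.Mvc;
using Umbraco.Web.WebApi;

// Hypothetical row type for the search result; column names are assumed.
public class InspectRow
{
    public int NodeId { get; set; }
    public string NodeName { get; set; }
    public string UserName { get; set; }
    public DateTime ApprovedDate { get; set; }
}

// The base class adds the backoffice authentication check the comment above
// describes. It says nothing about how the action builds its SQL.
[PluginController("PageWApprove")]
public class PageWApproveApiController : UmbracoAuthorizedApiController
{
    // Injectable pattern: request values are spliced into the SQL text, so a
    // value containing quotes or keywords changes the statement itself.
    [HttpGet]
    public IEnumerable<InspectRow> GetInpectSearchUnsafe(DateTime startdate, DateTime enddate, string userName, string nodeName)
    {
        var sql = "SELECT nodeId, nodeName, userName, approvedDate FROM PageWApprove"   // assumed table
                + " WHERE approvedDate BETWEEN '" + startdate + "' AND '" + enddate + "'"
                + " AND userName = '" + userName + "' AND nodeName LIKE '%" + nodeName + "%'";
        return DatabaseContext.Database.Fetch<InspectRow>(sql);
    }

    // Hardened form: values travel as parameters (@0, @1, ...), so the driver
    // sends them as data and they can never become SQL syntax. The LIKE
    // wildcards are added to the parameter value, not to the SQL text.
    [HttpGet]
    public IEnumerable<InspectRow> GetInpectSearch(DateTime startdate, DateTime enddate, string userName, string nodeName)
    {
        // Reject empty or oversized search terms early (limit is an assumption).
        if (string.IsNullOrWhiteSpace(nodeName) || nodeName.Length > 255)
            throw new HttpResponseException(HttpStatusCode.BadRequest);

        var sql = new Sql()
            .Select("nodeId", "nodeName", "userName", "approvedDate")
            .From("PageWApprove")
            .Where("approvedDate >= @0 AND approvedDate <= @1", startdate, enddate)
            .Where("userName = @0", userName)
            .Where("nodeName LIKE @0", "%" + nodeName + "%");
        return DatabaseContext.Database.Fetch<InspectRow>(sql);
    }
}
```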

@shiham101 shiham101 commented Nov 15, 2019

I got your points. But in my opinion authentication/authorization is a part of security features,
and input validation is too. Developers could make the code secure by themselves.

More information only highlighted the authenticating & authorizing: inheriting from UmbracoAuthorizedApiController or UmbracoAuthorizedJsonController to avoid forced browsing attacks.

Maybe you could add some OWASP Prevention Cheat Sheets to help developers understand
how to create a custom Backoffice API Controller without XSS and SQLi attacks.

@clausjensen clausjensen commented Nov 16, 2019

It is, but it is not really the responsibility of either us or the CMS documentation to educate developers in best practices on standard framework/code topics and skills that any developer should possess. Our documentation will contain information related to Umbraco and the APIs, extensions and features we make available - it is not supposed to serve directly as an educational resource for developers to learn to write better code. There are much better resources available for you if you have that need.
