CVE-2019-13957

gistfile1.txt

> [Suggested description]
> In Umbraco custom Backoffice API Controller , there is
> SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> SQL Injection
> 
> ------------------------------------------
> 
> [Vendor of Product]
> umbraco custom Backoffice API Controller
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> umbraco  backoffice custom Backoffice API Controller
> 
> ------------------------------------------
> 
> [Affected Component]
> https://www.example.com/umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch?startdate=2019-05-07&enddate=2019-06-06&userName=chtpt&nodeName='%20waitfor%20delay'0%3a0%3a20'--
> 
> ------------------------------------------
> 
> [Attack Type]
> Remote
> 
> ------------------------------------------
> 
> [Impact Code execution]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://our.umbraco.com/download/releases/738/
> 
> ------------------------------------------
> 
> [Discoverer]
> CHT Security/hans

Hi
Got it. It's a custom Backoffice API Controller SQLI by developers.
Could Umbraco CMS provide SQLI filters to help developers avoid SQLI attacks.
just like Microsoft Anti-XSS Library.

From (https://our.umbraco.com/documentation/reference/routing/webapi/)
If you are creating a controller to work within the Umbraco backoffice then you will need to ensure that it is secured properly by inheriting from: UmbracoAuthorizedApiController or UmbracoAuthorizedJsonController.

@shiham101 Umbraco is basically "just" a framework running on top of ASP.NET MVC. You are free to use any sort of Anti-XSS library (such as the Microsoft one) within your controllers (and Umbraco controllers as well, as they are just extended MVC controllers).

We cannot really control what developers decide to do or how they decide to code their custom controllers, so force applying filters is not something we can (or should) do. It is also not the responsibility of a CMS to provide helper methods for preventing XSS - we are not experts in this field and whatever we did would most likely not be on par or kept properly maintained. You would be much better off using an external and maintained library built specifically for this kind of thing.

The "secured properly" we're referring to in the documentation there, is authentication/authorization. By inheriting from these base controllers you will automatically get your controllers protected by the auth mechanisms of Umbraco (require backoffice authentication). If you did not do this, anyone would be able to call these controllers without being authenticated, as long as they knew what URL to request.

I got your points. But in my option authentication/authorization is a part of security features
and input validation is too. Developers could make the code secure with themselves.

More Information only highlighted the Authenticating & Authorizing. inheriting from UmbracoAuthorizedApiController or UmbracoAuthorizedJsonController to avoid Forced browsing attacks.

Maybe could add some OWASP Prevention Cheat Sheet to help developers understand that
how to create a custom Backoffice API Controller without XSS and SQLI attacks .

It is, but it is not really the responsibility of neither us or the CMS documentation to educate developers in best practices on standard framework/code topics and skills that any developer should possess. Our documentation will contain information related to Umbraco and the APIs, extensions and features we make available - it is not supposed to serve directly as an educational resource for developers to learn to write better code. There's much better resources available for you if you have that need.