Last active
November 16, 2019 12:40
-
-
Save shiham101/d1de44d1dcf2c33d401ef2f8cbb04f9f to your computer and use it in GitHub Desktop.
CVE-2019-13957
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| > [Suggested description] | |
| > In Umbraco custom Backoffice API Controller , there is | |
| > SQL Injection in the backoffice/PageWApprove/PageWApproveApi/GetInpectSearch method via the nodeName parameter. | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Vulnerability Type] | |
| > SQL Injection | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Vendor of Product] | |
| > umbraco custom Backoffice API Controller | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Affected Product Code Base] | |
| > umbraco backoffice custom Backoffice API Controller | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Affected Component] | |
| > https://www.example.com/umbraco/backoffice/PageWApprove/PageWApproveApi/GetInpectSearch?startdate=2019-05-07&enddate=2019-06-06&userName=chtpt&nodeName='%20waitfor%20delay'0%3a0%3a20'-- | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Attack Type] | |
| > Remote | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Impact Code execution] | |
| > true | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Reference] | |
| > https://our.umbraco.com/download/releases/738/ | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Discoverer] | |
| > CHT Security/hans |
It is, but it is not really the responsibility of neither us or the CMS documentation to educate developers in best practices on standard framework/code topics and skills that any developer should possess. Our documentation will contain information related to Umbraco and the APIs, extensions and features we make available - it is not supposed to serve directly as an educational resource for developers to learn to write better code. There's much better resources available for you if you have that need.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I got your points. But in my option authentication/authorization is a part of security features
and input validation is too. Developers could make the code secure with themselves.
More Information only highlighted the Authenticating & Authorizing. inheriting from UmbracoAuthorizedApiController or UmbracoAuthorizedJsonController to avoid Forced browsing attacks.
Maybe could add some OWASP Prevention Cheat Sheet to help developers understand that
how to create a custom Backoffice API Controller without XSS and SQLI attacks .