Umbraco CMS Unrestricted File Upload Vulnerability
Umbraco CMS Vulnerability Summary
Version: Umbraco CMS v7.5.9
Release Date: 2nd June 2017
Umbraco CMS was found to be vulnerable to an unrestricted file upload vulnerability flaw.
Impact of the Umbraco CMS Vulnerability
Exploiting this vulnerability enables an adversary to upload arbitrary malicious files to the underlying web server, resulting in the application becoming vulnerable to stored Cross-Site-Scripting and client-side attacks.
Umbraco CMS Vulnerability Technical Details
A number of vulnerable resources were found, showing it was possible to circumvent blacklist filtering techniques. These techniques are implemented to prevent the upload of malicious file types e.g. an adversary uploading files with an arbitrary file extension.
This circumvention was achieved by appending trailing white-space to the value of the filename parameter and by using a variety of alternative extensions when submitting data to the following resources:
Affected Umbraco CMS Products
The application versions affected are confirmed as:
- Umbraco CMS v7.5.4
- Umbraco CMS v7.5.6
- Umbraco CMS v7.5.9
The Solution to the Umbraco CMS Vulnerability
Upgrade to Umbraco version 7.6.1
Note: Umbraco confirmed fix in version 7.5.11, confirmed by Perspective Risk in version 7.6.1
Umbraco CMS Vulnerability Timetable
09/11/2016: Perspective Risk reports vulnerability to vendor
22/11/2016: Vendor releases fixed version of the application
22/11/2016: Vendor publishes advisory
03/01/2017: Perspective Risk reports second vulnerability to vendor
05/01/2017: Vendor publishes a fix
20/02/2017: Perspective risk reports third vulnerability to vendor
22/02/2017: Vendor acknowledges third vulnerability and publishes a fix
10/05/2017: Perspective Risk confirms vendor’s fixes are implemented
Umbraco CMS Vulnerability Credits
Discovered by Kai Stimpson, Security Consultant at Perspective Risk.
Umbraco Issue Tracer:
If you would like Perspective Risk’s advice with any element of your cyber security, you are very welcome to contact us.