Description

MWR Labs have discovered a vulnerability in Umbraco CMS, which would allow an unauthenticated attacker to execute arbitrary ASP.Net code on the affected server. The vulnerability exists in the TemplateService component, which is exposed by default via a SOAP-based web service.

The vulnerability is caused due to the update() function not checking that the user has authenticated before processing the request. The functionality of the update() function allows a user to update the contents of templates for the CMS. This vulnerability can be exploited by sending a specially crafted SOAP request to the TemplateService component, updating the CMS template to contain malicious ASP.Net code. If should be noted that this vulnerability affects instances of Umbraco CMS, even when the web services interface is not explicitly enabled.

Remediation

The vendor has released a fix for this issue, which removes the web services component completely.

If it is not possible to apply this fix, MWR propose adding a call to the Authenticate() function at the start of the TemplateService update() function. It should be noted that this is not an approved fix by the vendor, and care should be taken to ensure that this does not affect the operation of the application.

References

Related Vulnerabilities