U4-10497 - XSS Vulnerability in page name

Created by Ben Palmer 04 Oct 2017, 14:45:47 Updated by Sebastiaan Janssen 17 Oct 2017, 12:48:23

Hi,

We've recently detected a security issue in Umbraco: the problem is that there is an exploit in the CMS possibly allowing XSS attacks. This is possible from low-end users who could trick another CMS user into actions that they shouldn't perform.

To recreate the issue:

  1. Create a new page
  2. For the page name (the box labelled 'Enter a name...') type something such as XSS TEST<script>alert('t')</script>
  3. Save and Publish the page using the green 'Save and Publish' button in the bottom right corner of the page
  4. When the page is finished saving, right click on the new page in the 'Content' pane
  5. In the slide out menu, click 'Publish' - you should see a javascript alert box

Just a few supplementary notes:

  1. I've been able to recreate this issue on Umbraco Version 7.6.4 but haven't had chance to run the same test on 7.7 nor any older versions of Umbraco.
  2. This only appears to be when clicking 'Publish' in the action menu; normally publishing seems to be fine.
  3. This only appears to work for the page title field; I've attempted the same in properties using rich text editors/TinyMCE, text fields, textareas but the malicious code doesn't appear to get executed in those instances.

I can add something easily enough to strip out the malicious code but going forward it'd be great if we could fix this in Umbraco itself.

Thanks,

Ben

1 Attachments

Download U4-10497.zip

Comments

Sebastiaan Janssen 04 Oct 2017, 14:49:14

Thanks, we were already working on a fix for this coming soon.


Ben Palmer 04 Oct 2017, 16:16:17

Great! Thanks for the update @sebastiaan


Sebastiaan Janssen 06 Oct 2017, 12:41:24

Fixed in https://github.com/umbraco/Umbraco-CMS/commit/fe2b86b681455ac975b294652064b2718d4e2ba2


Sebastiaan Janssen 17 Oct 2017, 11:19:48

Classified as medium priority. A malicious editor can perform an XSS attack on other users in the system provided the other user uses the right-click > Publish or the right-click > notifications menu items.

If you're really concerned about this on older versions of Umbraco you can place the attached four files in ~/Umbraco/Dialogs/ - these are just the newest versions of notifications.aspx.cs and Publish.aspx.cs with the aspx files next to them pointing to the CodeFile instead of to CodeBehind. This means that the aspx.cs file in the ~/Umbraco/Dialogs/ folder will be used instead of the CodeBehind built into the Umbraco dlls (built against Umbraco 7.0.0 and tested on v7.3.0 - should work in all versions though).


Sebastiaan Janssen 17 Oct 2017, 12:48:23

FYI: A different way to work around this issue on older versions of Umbraco (all the way down to 7.0.0) would be to have an ApplicationEventHandler (https://our.umbraco.org/documentation/Getting-Started/Code/Subscribing-To-Events/) that hooks into the Saving event. It should HtmlEncode the names of all nodes.

Something like this should do the trick (can be dropped into App_Code):

using System.Web;
using Umbraco.Core;
using Umbraco.Core.Events;
using Umbraco.Core.Models;
using Umbraco.Core.Services;

namespace U4_10497
{
    public class NodeNameSafeEventHandler : ApplicationEventHandler
    {
        protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
        {
            // Normalise node names before they are persisted, for both content and media
            ContentService.Saving += ContentService_Saving;
            MediaService.Saving += MediaService_Saving;
        }

        private void MediaService_Saving(IMediaService sender, SaveEventArgs<IMedia> e)
        {
            foreach (var mediaItem in e.SavedEntities)
            {
                mediaItem.Name = EncodeName(mediaItem.Name);
            }
        }

        private void ContentService_Saving(IContentService sender, SaveEventArgs<IContent> e)
        {
            foreach (var content in e.SavedEntities)
            {
                content.Name = EncodeName(content.Name);
            }
        }

        // HttpUtility is used instead of HttpContext.Current.Server so the handler also
        // works when Saving fires outside a web request (e.g. scheduled publishing),
        // where HttpContext.Current is null
        private static string EncodeName(string name)
        {
            // first decode to prevent double encoding of names that were already saved encoded
            var title = HttpUtility.HtmlDecode(name);
            return HttpUtility.HtmlEncode(title);
        }
    }
}
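The workaround in the comment above encodes node names at save time. As an added illustration (my own code, not from the issue thread or from Umbraco), the following console program shows why that handler decodes before it encodes, and what storing the encoded form costs compared with encoding at render time, which is where a dialog-page fix in the .aspx.cs files applies. The namespace, the class and method names, and the span markup in RenderLabel are assumed for the illustration; the input string is the one from the reproduction steps, and "Tom & Jerry" is a constructed benign name.

```csharp
using System;
using System.Web;

// Added illustration, not part of the issue or of Umbraco.
namespace U4_10497.Illustration
{
    public static class NodeNameEncoding
    {
        // Same transformation as the Saving handler: decode, then encode,
        // so a name that is already stored encoded does not gain extra '&amp;'.
        public static string Normalize(string name)
        {
            var decoded = HttpUtility.HtmlDecode(name);
            return HttpUtility.HtmlEncode(decoded);
        }

        // Naive variant that encodes on every save without decoding first.
        public static string EncodeOnly(string name)
        {
            return HttpUtility.HtmlEncode(name);
        }

        // Output-side encoding: what a dialog page does when it writes the node
        // name into its markup. The <span> wrapper is assumed for the illustration.
        public static string RenderLabel(string storedName)
        {
            return "<span class=\"node-name\">" + HttpUtility.HtmlEncode(storedName) + "</span>";
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Input from the reproduction steps in the issue.
            var name = "XSS TEST<script>alert('t')</script>";

            // Decode-then-encode is stable: saving the same node twice yields the same stored name.
            var once = NodeNameEncoding.Normalize(name);
            var twice = NodeNameEncoding.Normalize(once);
            Console.WriteLine(once);
            Console.WriteLine(once == twice ? "stable across repeated saves" : "name drifted between saves");

            // Encode-only is not: after two saves the stored name contains '&amp;lt;' and renders mangled.
            var naive = NodeNameEncoding.EncodeOnly(NodeNameEncoding.EncodeOnly(name));
            Console.WriteLine(naive);

            // Cost of storing the encoded form: a harmless '&' in a benign name (constructed here)
            // is persisted as '&amp;', and a view that also encodes on output shows '&amp;amp;'
            // unless it decodes first. Encoding only at render time avoids this.
            var stored = NodeNameEncoding.Normalize("Tom & Jerry");
            Console.WriteLine(stored);
            Console.WriteLine(NodeNameEncoding.RenderLabel(stored));
        }
    }
}
```

Run it as a plain console project referencing System.Web. The first two lines of output show the save-time workaround is idempotent; the third shows the double-encoding the handler's decode step prevents; the last two show why encoding at the point of output, as the fixed dialog pages do, is the cleaner fix: the database keeps the name the editor typed, and every rendering path encodes it exactly once.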


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.6.4

Due in version: 7.7.3, 7.6.10

Sprint:

Story Points: 0.5

Cycle: 4