Created by Ben Palmer 04 Oct 2017, 14:45:47 Updated by Sebastiaan Janssen 17 Oct 2017, 12:48:23
Hi,
We've recently detected a security issue in Umbraco: there is an exploit in the CMS possibly allowing XSS attacks. This is possible from low-end users who could trick another CMS user into actions that they shouldn't perform.
To recreate the issue:
XSS TEST<script>alert('t')</script>
Just a few supplementary notes:
2. This only appears to be when clicking 'Publish' in the action menu; normally publishing seems to be fine.
I can add something easily enough to strip out the malicious code but going forward it'd be great if we could fix this in Umbraco itself.
Thanks,
Ben
1 Attachments
Thanks, we were already working on a fix for this coming soon.
Great! Thanks for the update @sebastiaan
Fixed in https://github.com/umbraco/Umbraco-CMS/commit/fe2b86b681455ac975b294652064b2718d4e2ba2
Classified as medium priority. A malicious editor can perform an XSS attack on other users in the system provided the other user uses the right-click > Publish or the right-click > Notifications menu items.
If you're really concerned about this on older versions of Umbraco you can place the attached four files in ~/Umbraco/Dialogs/ - these are just the newest versions of notifications.aspx.cs and Publish.aspx.cs with the aspx files next to them pointing to the CodeFile instead of to CodeBehind. This means that the aspx.cs file in the ~/Umbraco/Dialogs/ folder will be used instead of the CodeBehind built into the Umbraco dlls (built against Umbraco 7.0.0 and tested on v7.3.0 - should work in all versions though).
FYI: A different way to work around this issue on older versions of Umbraco (all the way down to 7.0.0) would be to have an ApplicationEventHandler (https://our.umbraco.org/documentation/Getting-Started/Code/Subscribing-To-Events/) that hooks into the Saving event. It should HtmlEncode the names of all nodes.
Something like this should do the trick (can be dropped into App_Code):
using System.Web;
using Umbraco.Core;
using Umbraco.Core.Events;
using Umbraco.Core.Models;
using Umbraco.Core.Services;

namespace U4_10497
{
    public class NodeNameSafeEventHandler : ApplicationEventHandler
    {
        protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication, ApplicationContext applicationContext)
        {
            // Run before every content and media save so node names are stored HTML-encoded.
            ContentService.Saving += ContentService_Saving;
            MediaService.Saving += MediaService_Saving;
        }

        private void MediaService_Saving(IMediaService sender, SaveEventArgs<IMedia> e)
        {
            foreach (var mediaItem in e.SavedEntities)
            {
                mediaItem.Name = EncodeName(mediaItem.Name);
            }
        }

        private void ContentService_Saving(IContentService sender, SaveEventArgs<IContent> e)
        {
            foreach (var content in e.SavedEntities)
            {
                content.Name = EncodeName(content.Name);
            }
        }

        private static string EncodeName(string name)
        {
            // Decode first so a name already encoded by an earlier save is not double-encoded.
            // HttpUtility is used instead of HttpContext.Current.Server because Saving can also
            // fire outside a request (e.g. scheduled publishing), where HttpContext.Current is null.
            var decoded = HttpUtility.HtmlDecode(name);
            return HttpUtility.HtmlEncode(decoded);
        }
    }
}
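As an added illustration (not code from this issue, from Sebastiaan, or from Umbraco), the console program below runs the same decode-then-encode normalisation the Saving workaround applies over a few constructed node names: the payload from the report, an ordinary name, and a name containing a genuine ampersand. It shows why the decode step keeps a second save from producing `&amp;lt;`, and the caveat that comes with encoding at storage time rather than at output: any view that already encodes correctly on output will now display the entity source literally (for example `R&amp;D` instead of `R&D`). The `Normalize` and `RenderEncoded` names are the example's own; `System.Net.WebUtility` is used so it runs without a System.Web reference.

```csharp
using System;
using System.Net;

// Added example, not part of the issue or of Umbraco.
public static class NodeNameDemo
{
    // Same idea as the workaround's handler: decode first so re-saving an
    // already-encoded name does not turn "&lt;" into "&amp;lt;".
    public static string Normalize(string name)
    {
        if (name == null) return null;
        return WebUtility.HtmlEncode(WebUtility.HtmlDecode(name));
    }

    // What a view that correctly encodes on output renders for a stored name.
    public static string RenderEncoded(string storedName)
    {
        return WebUtility.HtmlEncode(storedName);
    }

    public static void Main()
    {
        // Constructed inputs: the reported payload, a normal name, and a name with a real '&'.
        string[] names =
        {
            "XSS TEST<script>alert('t')</script>",
            "About us",
            "R&D",
        };

        foreach (var name in names)
        {
            var once = Normalize(name);
            var twice = Normalize(once);   // simulates saving the same node a second time

            Console.WriteLine("raw:           " + name);
            Console.WriteLine("stored:        " + once);
            Console.WriteLine("re-saved:      " + twice + "   idempotent=" + (once == twice));
            // Caveat: a dialog that does NOT encode shows 'stored' as harmless text,
            // but a view that DOES encode on output shows the entity source literally.
            Console.WriteLine("encoding view: " + RenderEncoded(once));
            Console.WriteLine();
        }
    }
}
```

The `idempotent` flag is true for every input, which is the property the workaround's decode step buys. The last line of each group is the trade-off to weigh before rolling the workaround out: the dialog fix in the linked commit encodes at the point of output and leaves stored names untouched, whereas the Saving handler changes what is stored and so affects every place the name is rendered.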
Priority: Normal
Type: Bug
State: Fixed
Assignee:
Difficulty: Normal
Category: Security
Backwards Compatible: True
Fix Submitted:
Affected versions: 7.6.4
Due in version: 7.7.3, 7.6.10
Sprint:
Story Points: 0.5
Cycle: 4