U4-11017 - Use of XmlSettings.TrustedXslt allows arbitrary code execution

Created by Markus Wulftange (Code White) 27 Feb 2018, 09:11:55 Updated by Sebastiaan Janssen 07 Mar 2018, 21:20:25

The use of the predefined [XmlSettings.TrustedXslt|https://msdn.microsoft.com/en-us/library/system.xml.xsl.xsltsettings.trustedxslt(v=vs.110).aspx] implies enabling the settings [EnableDocumentFunction|https://msdn.microsoft.com/en-us/library/system.xml.xsl.xsltsettings.enabledocumentfunction(v=vs.110).aspx] and [EnableScript|https://msdn.microsoft.com/en-us/library/system.xml.xsl.xsltsettings.enablescript(v=vs.110).aspx]. This can have severe consequences:

XSLT scripting should be enabled only if you require script support and you are working in a fully trusted environment. If you enable the {{document()}} function, you can restrict the resources that can be accessed by passing an [XmlSecureResolver|https://msdn.microsoft.com/en-us/library/system.xml.xmlsecureresolver(v=vs.110).aspx] object to the [Transform|https://msdn.microsoft.com/en-us/library/system.xml.xsl.xslcompiledtransform.transform(v=vs.110).aspx] method.

[XSLT scripting|https://docs.microsoft.com/en-us/dotnet/standard/data/xml/script-blocks-using-msxsl-script] allows the definition of custom functions within the style sheet document that are compiled and executed at run time. This basically allows the execution of arbitrary code on the server.

In the current Umbraco release 7.8.1, there are two places where a user provided XSL style sheet gets processed with XmlSettings.TrustedXslt:

I suppose prior versions are also affected since {{git blame}} reaches all the way back to the first commit on GitHub.
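The following is an added, self-contained illustration of the point made above; it is not code from the report or from Umbraco. It loads one constructed style sheet containing an {{msxsl:script}} block twice: once with {{XsltSettings.TrustedXslt}} (the setting the report describes, which turns on both {{EnableScript}} and {{EnableDocumentFunction}}) and once with {{XsltSettings.Default}}, the hardened choice for untrusted input. The script body only reads the current user name and machine name to stay harmless; with {{EnableScript}} on it could execute anything the worker process is allowed to. It targets .NET Framework 4.x, where {{XslCompiledTransform}} still compiles script blocks (.NET Core/5+ does not).

```csharp
// Added example, not Umbraco code: why XsltSettings.TrustedXslt is dangerous with a
// user-controlled style sheet, and what the hardened Load() call looks like.
// Build as a .NET Framework 4.x console app (msxsl:script needs the full framework).
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

class XsltScriptDemo
{
    // Constructed attacker-style style sheet (not taken from the report). The msxsl:script
    // block is C# that gets compiled and run on the server when the transform is loaded
    // and executed. It only reads environment data here so the demo stays harmless.
    const string ScriptStylesheet = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
    xmlns:demo=""urn:demo"">
  <msxsl:script language=""C#"" implements-prefix=""demo"">
    public string Run() {
      // Arbitrary .NET code runs here under the identity of the worker process.
      return Environment.GetEnvironmentVariable(""USERNAME"") + ""@"" + Environment.MachineName;
    }
  </msxsl:script>
  <xsl:template match=""/"">
    <result><xsl:value-of select=""demo:Run()""/></result>
  </xsl:template>
</xsl:stylesheet>";

    // Compiles the style sheet under the given settings and applies it to a trivial document.
    // With EnableScript off, Load() rejects the msxsl:script block before anything runs.
    static string Transform(string stylesheet, XsltSettings settings)
    {
        var xslt = new XslCompiledTransform();
        using (var reader = XmlReader.Create(new StringReader(stylesheet)))
        {
            // Null resolver: no external resources are fetched while loading the style sheet.
            xslt.Load(reader, settings, null);
        }

        var input = new XmlDocument();
        input.LoadXml("<doc/>");

        var output = new StringWriter();
        // If EnableDocumentFunction had to stay on, pass an XmlSecureResolver to the
        // Transform() overload that takes one to restrict what document() may reach.
        xslt.Transform(input, null, output);
        return output.ToString();
    }

    static void Main()
    {
        // 1. The reported configuration: TrustedXslt = EnableScript + EnableDocumentFunction.
        //    The script block compiles and executes; the output contains the worker's identity.
        Console.WriteLine("TrustedXslt: " + Transform(ScriptStylesheet, XsltSettings.TrustedXslt));

        // 2. Hardened: XsltSettings.Default has both flags off, so Load() throws an
        //    XsltException for the script block and no user-supplied code is compiled.
        try
        {
            Console.WriteLine("Default: " + Transform(ScriptStylesheet, XsltSettings.Default));
        }
        catch (XsltException ex)
        {
            Console.WriteLine("Default: rejected with XsltException: " + ex.Message);
        }
    }
}
```

The practical check for a code base like the one reported is therefore a grep for {{XsltSettings.TrustedXslt}} and for {{new XsltSettings(}} with {{EnableScript}} set to true, followed by confirming whether the style sheet passed to {{Load()}} can come from a request or from an editable file.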

Comments

Sebastiaan Janssen 27 Feb 2018, 12:17:29

Thanks! Both methods are only accessible to people logged into the backoffice of Umbraco and as such only available to trusted users.

If you deem this necessary you could harden your installation by removing both asmx files. We don't surface the creation and editing of XSLT files in the backoffice any more and this functionality will be removed in a future version.

Hope this helps.


Markus Wulftange (Code White) 02 Mar 2018, 09:06:51

Thanks for your reply.

Is there a particular reason why this issue is not visible to all users?


Sebastiaan Janssen 07 Mar 2018, 21:20:25

Ah yes, we prefer you responsibly disclose security issues so we get a chance to evaluate and fix them before everybody becomes aware of them and malicious actors take advantage of what effectively is a zero-day.

So I immediately set this to private so we could investigate, forgot to set it back to public.

On responsible disclosure: https://en.wikipedia.org/wiki/Responsible_disclosure Our security guidelines: https://umbraco.com/security/


Priority: Normal

Type: Bug

State: Closed

Assignee:

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.8.1

Due in version:

Sprint:

Story Points:

Cycle: