During a pentesting engagement a couple of years ago I came across an undocumented security vulnerability in Umbraco, more specifically with the ClientDependency library.

Initially I thought it was this one (details on how to exploit this are here), and when the client updated their server configuration the vulnerability initially appeared to be closed. However, after digging a little deeper, there appeared to be another vulnerability, as Umbraco have alerted only very recently here.

As this has only been published recently, I am not going to release the details of how to exploit this yet. However, if left unpatched, the vulnerability is a Local File Inclusion (LFI) vulnerability that allows reading of any file that the web server user context has access to, much like this payload for the initial vulnerability:

file://localhost/c$/Windows/win.ini

Which of course would need to be encoded as:

http://localhost/DependencyHandler.axd?s=ZmlsZTovL2xvY2FsaG9zdC9jJC9XaW5kb3dzL3dpbi5pbmk=&t=CSS&cdv=1
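As an added defender-side illustration (not code from the original post, nor from Umbraco or ClientDependency), the check below reads web server log lines, base64-decodes the s parameter of DependencyHandler.axd requests and flags values that resolve to a URI scheme such as file:, a drive or UNC path, or a ".." traversal, which is how the payload above shows up in logs. The log lines, the /css/site.css path and the trimmed IIS W3C column layout are constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic) in a trimmed IIS W3C layout:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2023-04-01 10:00:01 GET /DependencyHandler.axd s=L2Nzcy9zaXRlLmNzcw==&t=CSS&cdv=1 198.51.100.7 200
2023-04-01 10:00:02 GET /DependencyHandler.axd s=ZmlsZTovL2xvY2FsaG9zdC9jJC9XaW5kb3dzL3dpbi5pbmk=&t=CSS&cdv=1 203.0.113.9 200
2023-04-01 10:00:03 GET /DependencyHandler.axd s=not%20base64!&t=JS&cdv=1 203.0.113.9 500
"""
# Assumption: a legitimate 's' decodes to site-relative paths, so flag a decoded value
# starting with a URI scheme or drive letter ("file:", "c:"), a UNC prefix, or a ".." climb.
SUSPICIOUS = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:|\\\\)|\.\.[\\/]", re.IGNORECASE)

def query_param(query, name):
    """Values of `name` in a raw query; unquote (not parse_qs) keeps base64's '+' intact."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            values.append(unquote(value))
    return values

def decode_s(value):
    """Base64-decode 's', re-padding first; returns None if it is not valid base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan_log(text):
    """One finding per DependencyHandler.axd request whose 's' looks like an LFI attempt."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or line.startswith("#"):
            continue
        stem, query, client_ip = fields[3], fields[4], fields[5]
        if not stem.lower().endswith("/dependencyhandler.axd") or query == "-":
            continue
        for s_value in query_param(query, "s"):
            decoded = decode_s(s_value)
            if decoded is None or SUSPICIOUS.search(decoded):
                reason = "not base64" if decoded is None else "URI, absolute path or traversal"
                findings.append({"client": client_ip, "decoded": decoded, "reason": reason})
    return findings
```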

Initially I was going to report this to Umbraco; however, during my research I could not get the exploit to work if the server was patched as per the original advisory already mentioned. Therefore, I believed the vulnerability was addressed by the initial patch, but wondered if the original client had set up their Umbraco environment in a particular way that meant they could not remediate it by updating, and had attempted to fix the initial vulnerability a different way.

We recently added a check for this vulnerability to our vulnerability scanner at Sec-1, and were surprised at how many client systems were flagging as vulnerable. This has enabled the vulnerability to be raised with Umbraco so it can be fixed, as one of our clients reported it to them when our scanner found such an issue on their website. This is when we suddenly realised that we had found a 0-day in Umbraco and it was not something fixed by the initial patch. I guess vulnerability scanning of software out there in the wild is sometimes more effective than lab tests, where time and resources are always going to be limited.

I will release details of the exploit and how you can test for it at the beginning of May, giving time for the patch to be applied. Check back here or subscribe to the RSS feed for updates.

Update: Exploit details here.