Writing patch for XSS scripting exploit in backend
If you save the following string "<script>alert("Booh!")</script>" in the field "name" of a document in the properties tab, this script will be executed every time the document is displayed in the content navigation tree (umbraco 4.7.0).
This can be used to compromise logins of cms users if a hacker manages to get this stored in the database (please note that packages or custom components have access to this field and can present a potential entry point for a hacker).
Considering I'm not getting any response on this from the community or Umbraco for this bug submit/report, is there a way for me to create a plugin that checks this?
Hi Collin, did you ever get any answer or see another post on the same issue?
I just started a thread about this in 'General'. It's a bug, isn't it?
I wrote a patch for this myself after finding documentation on Umbraco event handlers.
The patch itself is extremely simple:
void Document_BeforeSave(Document sender, umbraco.cms.businesslogic.SaveEventArgs e)
{
    // Strip tags from the node name before Umbraco persists the document
    sender.Text = StringFunctions.StripDangerousHTMLTags(sender.Text);
}
I added this to the following class:
public class UmbracoEventHandlers : ApplicationBase
Which then calls the following initializer:
public UmbracoEventHandlers()
{
    // Subscribe to Document.BeforeSave so the handler runs on every document save
    Document.BeforeSave += new Document.SaveEventHandler(Document_BeforeSave);
}
How everything ties in and works with Umbraco can be found in their documentation. But this should help anyone who wants to solve the same issue.
Please note that StripDangerousHTMLTags is a custom method that was available to me in this project (it removes, among other things, the < and > characters).
And yes, I consider this indeed to be a bug as this isn't caught during rendering.
That's cool although I don't think it really solves the problem. What should happen is that the text to save is preserved but that when it is rendered out to the page it should be HTML encoded. This is what happens throughout the rest of the site. Ultimately, a user might want to have special characters appear in the text.
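To make the contrast between the two replies concrete, here is an added example (not code from the thread or from Umbraco) that runs the node names discussed above through a strip-on-save stand-in and through encode-on-render; StripOnSave is an assumed approximation of the poster's private StripDangerousHTMLTags, and the span markup in RenderTreeNode is assumed for illustration.

```csharp
using System;
using System.Web;   // HttpUtility.HtmlEncode (System.Web.dll)

public static class NodeNameRendering
{
    // Strip-on-save: the name is altered before storage, so any legitimate '<' or '>'
    // is lost. Assumed stand-in for the thread's StringFunctions.StripDangerousHTMLTags.
    public static string StripOnSave(string name)
    {
        return name.Replace("<", string.Empty).Replace(">", string.Empty);
    }

    // Encode-on-render: the name is stored untouched and escaped only at the point
    // it is written into HTML, so '<' becomes "&lt;" and the browser shows it as text
    // instead of parsing it as markup.
    public static string RenderTreeNode(string storedName)
    {
        return "<span class=\"tree-node\">" + HttpUtility.HtmlEncode(storedName) + "</span>";
    }

    public static void Main()
    {
        // Constructed sample node names: the payload from the report, the href variant
        // mentioned later in the thread, and a harmless name that legitimately uses '<' and '&'.
        string[] names =
        {
            "<script>alert(\"Booh!\")</script>",
            "<a href=\"javas cript:alert('hello');\">x</a>",
            "Q&A: why is 2 < 3?"
        };

        foreach (string n in names)
        {
            Console.WriteLine("stored as typed : " + n);
            Console.WriteLine("strip-on-save   : " + StripOnSave(n));   // third name is mangled
            Console.WriteLine("encode-on-render: " + RenderTreeNode(n)); // all three render as inert text
            Console.WriteLine();
        }
    }
}
```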
Are you sure that this isn't fixed in the latest versions? I haven't upgraded further than to 4.7.2 myself.
We recently had hacker attacks on a specific Umbraco installation and had to review access policies together with the web hosting people.
I'm not a specialist in the web security field, but I scanned around the wiki and forum to find as much info as possible. To me the relevant info seemed scattered and unorganized. I find it strange that no one tried to compile it, and it should be clear which versions specific vulnerabilities and specific remedies apply to. On our Umbraco server we now run the backend login with SSL and a separate certificate, plus we tightened folder accesses to the bare necessities. I hope.
But I suspect these actions are not enough.
@Ian: This was the most pragmatic solution for the case we had. I know this might not be ideal for everyone. I can recommend checking the rest of the Umbraco events that are available, as there are events that are triggered during rendering.
@Siw: I don't know if it is fixed in the latest release, you would need to ask Umbraco.
I just downloaded Umbraco from the website and installed a new instance. The problem actually seems worse! Now the node with the script tag for a name doesn't even seem to load.
I noticed that the admin area Html editor does a fairly good job of filtering out javascripts. (It misses "<a href="javas cript:alert('hello');">" though!) and it made me think that it would be cool to be able to mark Umbraco fields as 'allowing Html' or something and have it automatically validate input appropriately.
Why would anyone ever want the '<' character in a page name?