High vulnerable due to parameter "ufprt" in umbraco
I found one high vulnerability during pen testing in the parameter "ufprt", which is part of Umbraco. So can the Umbraco team/anyone tell me what "ufprt" is, why we are facing an issue because of it, and the solution?
Please find the description below:
The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.
Most web sites restrict user access to a specific portion of the file-system, typically called the "web document root" or "CGI root" directory. These directories contain the files intended for user access and the executables necessary to drive web application functionality. To access files or execute commands anywhere on the file-system, Path Traversal attacks will utilize special-character sequences.
The most basic Path Traversal attack uses the "../" special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the "../" sequence may help bypass the security filters. These method variations include valid and invalid Unicode-encoding ("..%u2216" or "..%c0%af") of the forward slash character, backslash characters ("..\") on Windows-based servers, URL encoded characters ("%2e%2e%2f"), and double URL encoding ("..%255c") of the backslash character.
Even if the web server properly restricts Path Traversal attempts in the URL path, a web application itself may still be vulnerable due to improper handling of user-supplied input. This is a common problem of web applications that use template mechanisms or load static text from files. In variations of the attack, the original URL parameter value is substituted with the file name of one of the web application's dynamic scripts. Consequently, the results can reveal source code because the file is interpreted as text instead of an executable script. These techniques often employ additional special characters such as the dot (".") to reveal the listing of the current working directory, or "%00" NULL characters in order to bypass rudimentary file extension checks.
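The scanner text above lists the encodings a traversal check has to see through before it can decide anything (percent-encoding, double encoding, the overlong UTF-8 slash, %u escapes, backslashes, NUL bytes). The following is an added example, not part of the original thread and not Umbraco code: a defender-side canonicalisation step that decodes a request string to one normal form and then flags dot-dot segments and NUL bytes. The sample request strings are constructed for the demo; the only real Umbraco name in them is the ufprt parameter itself.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request targets (not real traffic). Several reuse the
# encodings the scanner description lists: %2e%2e%2f, double-encoded %255c,
# the overlong UTF-8 slash %c0%af, %u-encoding and a %00 NUL byte.
SAMPLE_PATHS = [
    "/umbraco/surface/form?ufprt=abc123",
    "/static/../../web.config",
    "/static/%2e%2e%2f%2e%2e%2fweb.config",
    "/static/..%255c..%255cweb.config",
    "/static/..%c0%af..%c0%afweb.config",
    "/static/..%u2216..%u2216web.config",
    "/download?file=report.pdf%00.txt",
    "/assets/style.css",
]

# A ".." path segment once every separator has been normalised to "/".
DOT_DOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def canonicalize(raw: str, rounds: int = 3) -> str:
    """Reduce a request string to one canonical form before checking it.

    Percent-decoding is repeated (bounded) so double-encoded sequences such as
    "..%255c" collapse to "..\\"; the overlong UTF-8 slash and %uXXXX escapes
    are mapped explicitly, and backslashes become forward slashes.
    """
    data = raw.encode("utf-8")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    # 0xC0 0xAF is an invalid (overlong) encoding of "/" that lenient decoders accept.
    data = data.replace(b"\xc0\xaf", b"/")
    text = data.decode("utf-8", "replace")
    # IIS-style %uXXXX escapes are left alone by unquote_to_bytes, so decode them here.
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    # Unicode slash look-alikes (division slash, set minus) and backslashes.
    for sep in ("\u2215", "\u2216", "\\"):
        text = text.replace(sep, "/")
    return text


def check_request(raw: str) -> dict:
    """Return the canonical form plus a list of traversal indicators found."""
    canon = canonicalize(raw)
    findings = []
    if DOT_DOT_SEGMENT.search(canon):
        findings.append("dot-dot segment")
    if "\x00" in canon:
        findings.append("NUL byte")
    return {"raw": raw, "canonical": canon, "findings": findings}


def scan(paths):
    """Keep only the requests that show at least one indicator."""
    return [r for r in map(check_request, paths) if r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_PATHS):
        print(f"{hit['raw']!r:45} -> {hit['canonical']!r} {hit['findings']}")
```

The important design point is that the check runs on the canonical form, not on the raw bytes: a filter that looks for the literal "../" misses every variant in the list, while one that decodes first sees them all as the same segment. Bounding the decode loop keeps a pathological input from costing unbounded work.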
My understanding, following a brief read of the source code, is that it's a hidden value that's used by Umbraco Forms and Surface Controllers to route form submissions.
The value is not a simple route in a text string - it's an encrypted string, using the machine key. The string is then checked and can only route to controllers and known actions.
I'm no security expert so there could be a vulnerability in this code but if you're just reporting the result of an automated tool I'd more likely expect a false flag here.
If you have an example of how to inject something nasty into this variable I'd recommend you don't post it publicly but report it to the core team via [email protected]
HTH
Steve
Thanks for the response Steve. Yes, it is a hidden field in Umbraco and uses a random encrypted string.
It is the outcome of pen testing.
I just want to know why this field is creating a vulnerability even in a pen test. I am not sure how they do it, but once I know it I will post to [email protected].
Right now it is becoming a critical issue for me.
Thanks, Neeraj Gupta
Hi,
This parameter is used to select a controller and its action. The source code is available here and you can see exactly how it is used:
https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/Mvc/RenderRouteHandler.cs#L120
Many times we receive reports about penetration testing showing false positives which this also seems to indicate. If however, you have steps to reproduce and exploit this behavior please let us know by replying to the email you've sent us and we will be happy to fix it up as soon as possible.
That said, there is no known exploit regarding this field.
To follow up on this, we cannot replicate the problem and given what the code actually does I don't see how it would be possible to traverse any directory/path or execute anything based on what data is in this field. All it is doing is being decrypted (which must be a validly encrypted string), then parsed (which must be the correct parsable format), then the tokens are put into the MVC route values dictionary, that's it.
The reporter of this issue could not provide us with valid steps to replicate the problem listed above. The initial report also stated this was a path traversal attack and later it was changed to a command injection attack, neither of which we can replicate or see how it could be possible.
There were steps provided to us to replicate the command injection attack but again, we could not replicate it. The steps provided to us used Python and Selenium; it is our understanding that these steps and the software used to perform them were actually the systems at fault for showing a false positive.
As with all security related issues, we take them seriously and are more than happy to test, validate and fix them asap. Please ensure you submit any Umbraco security issues to [email protected] with details and replication instructions.
Thanks, Shannon
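Steve's and Shannon's replies describe the flow the field goes through: the value is decrypted with the machine key, parsed into tokens, and only then turned into MVC route values for known controllers and actions. The following is an added example, not Umbraco's code and not from the linked RenderRouteHandler.cs, that sketches that pattern in Python so the reasoning can be checked. It assumes an HMAC tag in place of machine-key encryption (the real value is encrypted; this one is only integrity-protected), and the controller names, the KNOWN_ROUTES table, the SERVER_KEY and the "c=|a=|ar=" payload format are all constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed server-side secret standing in for the ASP.NET machine key (assumption).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed table of surface controllers and the actions a form may post to.
KNOWN_ROUTES = {
    "ContactSurface": {"SubmitContact"},
    "NewsletterSurface": {"Subscribe", "Unsubscribe"},
}


class InvalidRouteToken(ValueError):
    """Raised whenever any step of the check fails; the request is not routed."""


def _tag(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_token(controller: str, action: str, area: str = "") -> str:
    """Server side: build the hidden field value for a rendered form.

    Only routes in KNOWN_ROUTES can be issued, and the value carries a MAC so
    a client cannot alter the controller or action it names."""
    if action not in KNOWN_ROUTES.get(controller, ()):
        raise InvalidRouteToken("refusing to issue a token for an unknown route")
    for value in (controller, action, area):
        if "|" in value or "=" in value:
            raise InvalidRouteToken("route names must not contain separators")
    payload = f"c={controller}|a={action}|ar={area}".encode()
    return base64.urlsafe_b64encode(payload + _tag(payload)).decode()


def parse_token(token: str) -> dict:
    """Request side: verify, then parse, then map to route values.

    This mirrors the decrypt -> parse -> route-values flow described in the
    thread; at no point is the value used as a file path or executed."""
    try:
        blob = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, binascii.Error):
        raise InvalidRouteToken("not a valid token encoding") from None
    if len(blob) <= TAG_LEN:
        raise InvalidRouteToken("token too short")
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(payload)):
        raise InvalidRouteToken("integrity check failed")
    fields = {}
    for part in payload.decode("utf-8").split("|"):
        key, sep, value = part.partition("=")
        if not sep or key not in ("c", "a", "ar") or key in fields:
            raise InvalidRouteToken("unexpected token format")
        fields[key] = value
    controller, action = fields.get("c"), fields.get("a")
    if action not in KNOWN_ROUTES.get(controller, ()):
        raise InvalidRouteToken("route not known")
    return {"controller": controller, "action": action, "area": fields.get("ar", "")}


def route_for(token: str):
    """Return (route_values, None) for a valid token or (None, reason) otherwise."""
    try:
        return parse_token(token), None
    except InvalidRouteToken as exc:
        return None, str(exc)


def flip_char(token: str, index: int) -> str:
    """Change one character of a token; used to show that the MAC catches edits."""
    replacement = "A" if token[index] != "A" else "B"
    return token[:index] + replacement + token[index + 1:]


if __name__ == "__main__":
    good = issue_token("ContactSurface", "SubmitContact")
    print("issued:", good)
    print("valid token    ->", route_for(good))
    # A traversal-style value in the field is rejected before it is even parsed.
    print("traversal text ->", route_for("../../etc/passwd"))
    # Editing one character of the payload breaks the MAC.
    print("edited token   ->", route_for(flip_char(good, 5)))
```

Run as a script it shows the three outcomes that matter for the question in this thread: a server-issued value routes to exactly the controller and action it was issued for, free text of the kind a scanner injects fails the integrity step before any parsing, and an edited value fails the same step. Nothing in the value is ever interpreted as a path, which is why a traversal or injection finding on this parameter from a blind scanner is unlikely to reflect real behaviour.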