
  • Zac 223 posts 575 karma points
    Jun 06, 2017 @ 16:57
    Zac
    0

    Umbraco login screen leaking version details

    We have discovered that the Umbraco login page is disclosing version information:

    <script type="text/javascript">
        var Umbraco = {};
        Umbraco.Sys = {};
        Umbraco.Sys.ServerVariables = {
            "umbracoUrls": {
                "authenticationApiBaseUrl": "/umbraco/backoffice/UmbracoApi/Authentication/",
                "serverVarsJs": "/umbraco/ServerVariables?umb__rnd=ffffffffc26f354f",
                "externalLoginsUrl": "/umbraco/ExternalLogin"
            },
            "umbracoSettings": {
                "allowPasswordReset": true,
                "loginBackgroundImage": "assets/img/installer.jpg"
            },
            "application": {
                "applicationPath": "/",
                "version": "7.6.2",
                "cdf": "70744435"
            },
            "isDebuggingEnabled" : true
        };       
    </script>
    

    Is there a way to remove this? We would like to prevent attackers from determining vulnerabilities.

  • Matt Barlow | jacker.io 164 posts 740 karma points c-trib
    Jun 07, 2017 @ 11:39
    Matt Barlow | jacker.io
    2

    I would also question why this needs to be output on the login page.

    First thing you should do is restrict access to the login page, place it on a subdomain, or restrict by allowed IP.

    Anyway, I investigated this; the script is output in:

    Umbraco\Views\Default.cshtml

    which has an HTML helper method called:

    @Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })) 
    

    which is part of the Umbraco.Web class library.

    So from the github repo:

    https://github.com/umbraco/Umbraco-CMS/blob/9badb35c054ecc91630b69b1b6753c78427cb4a6/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs

    You can see that it's getting the version number along with a load of other server variables and building a script which it spits out onto the page.

    As a short term solution I tried commenting out the helper, and doing a string replace.

    @*@Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath }))*@
    
    @{ 
        var replaceVersionNo = "0";
        var umbracoVersion = "7.6.1";
        var backofficeScript = Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })).ToString().Replace(umbracoVersion ,replaceVersionNo);
        @Html.Raw(backofficeScript)
    }
    

    This replaced the version number with 0; obviously use the version number you have. This seems a bit hacky, but it does the job and I was still able to log in.

    <script type="text/javascript">
                    var Umbraco = {};
                    Umbraco.Sys = {};
                    Umbraco.Sys.ServerVariables = {
                        "umbracoUrls": {
                            "authenticationApiBaseUrl": "/umbraco/backoffice/UmbracoApi/Authentication/",
                            "serverVarsJs": "/umbraco/ServerVariables?umb__rnd=33cdb27a",
                            "externalLoginsUrl": "/umbraco/ExternalLogin"
                        },
                        "umbracoSettings": {
                            "allowPasswordReset": true,
                            "loginBackgroundImage": ""
                        },
                        "application": {
                            "applicationPath": "/",
                            "version": "0",
                            "cdf": "1963442378"
                        },
                        "isDebuggingEnabled" : true
                    };       
                </script>
    
  • Zac 223 posts 575 karma points
    Jun 07, 2017 @ 13:24
    Zac
    101

    Thanks a lot Matt, really helpful. Interesting idea with the hack. Looks like it should be trivial to do a Regex replace to make it a little more robust to version number changes.

    We may not be able to do an IP restriction so sticking the back office on a subdomain is probably the best thing we can do.

    I dug a little more and it looks like the version number was added for cache busting purposes after a version upgrade:

    https://github.com/umbraco/Umbraco-CMS/commit/be0bacd895314500fd5c0a8e4a88e35c4451cd05

  • Jeremy Coulson 61 posts 143 karma points
    Jul 20, 2018 @ 15:37
    Jeremy Coulson
    0

    Thanks for this answer! It's exactly what I needed.

    In case anyone comes by this thread in the future, here's one way to use regex to handle the version number:

    @{
        var replaceVersionNo = "0";
        string rexPattern = "\\d+\\.\\d+\\.*\\d*";
        System.Text.RegularExpressions.Regex rex = new System.Text.RegularExpressions.Regex(rexPattern);
        var backofficeScript = rex.Replace(Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })).ToString(), replaceVersionNo);
        @Html.Raw(backofficeScript)
    }
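
    As an added check (not code from the thread), the Python below applies the same regex pattern as the Razor workaround above to a constructed copy of the login-page script from this thread, then parses the Umbraco.Sys.ServerVariables object back out of the HTML to confirm what the page still discloses. The version and isDebuggingEnabled checks are my assumptions about what a reviewer would look for after deploying the workaround.

```python
import json
import re

# Constructed sample: the login-page script as posted in the thread, trimmed
# to the fields that matter, with the version still disclosed.
LEAKING_HTML = """<script type="text/javascript">
    var Umbraco = {};
    Umbraco.Sys = {};
    Umbraco.Sys.ServerVariables = {
        "umbracoUrls": {
            "serverVarsJs": "/umbraco/ServerVariables?umb__rnd=ffffffffc26f354f"
        },
        "application": {"applicationPath": "/", "version": "7.6.2", "cdf": "70744435"},
        "isDebuggingEnabled" : true
    };
</script>"""

# The same pattern the Razor workaround in this thread uses, in Python syntax.
VERSION_PATTERN = re.compile(r"\d+\.\d+\.*\d*")

def mask_version(script, replacement="0"):
    """Apply the thread's regex workaround to the rendered script."""
    return VERSION_PATTERN.sub(replacement, script)

def extract_server_variables(html):
    """Return the Umbraco.Sys.ServerVariables object as a dict, or None."""
    m = re.search(r"Umbraco\.Sys\.ServerVariables\s*=\s*", html)
    if not m:
        return None
    depth, start = 0, m.end()
    for i in range(start, len(html)):      # walk braces so nested objects stay whole
        if html[i] == "{":
            depth += 1
        elif html[i] == "}":
            depth -= 1
            if depth == 0:
                return json.loads(html[start:i + 1])
    return None

def audit_login_page(html):
    """List what the login page still discloses; an empty list means nothing found."""
    sv = extract_server_variables(html)
    if sv is None:
        return ["no ServerVariables block found"]
    findings = []
    version = sv.get("application", {}).get("version", "")
    if re.fullmatch(r"\d+(\.\d+)+", version):       # a dotted version string is still there
        findings.append("version disclosed: " + version)
    if sv.get("isDebuggingEnabled"):               # debug mode is also visible to the client
        findings.append("isDebuggingEnabled is true")
    return findings
```

    Run audit_login_page over the rendered login page before and after the Replace() change to confirm the version is gone; the cdf hash used for cache busting is left untouched by the pattern.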
    