Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Zac 222 posts 572 karma points
    Jun 06, 2017 @ 16:57
    Zac
    0

    Umbraco login screen leaking version details

    We have discovered that the Umbraco login page is disclosing version information:

    <script type="text/javascript">
        var Umbraco = {};
        Umbraco.Sys = {};
        Umbraco.Sys.ServerVariables = {
            "umbracoUrls": {
                "authenticationApiBaseUrl": "/umbraco/backoffice/UmbracoApi/Authentication/",
                "serverVarsJs": "/umbraco/ServerVariables?umb__rnd=ffffffffc26f354f",
                "externalLoginsUrl": "/umbraco/ExternalLogin"
            },
            "umbracoSettings": {
                "allowPasswordReset": true,
                "loginBackgroundImage": "assets/img/installer.jpg"
            },
            "application": {
                "applicationPath": "/",
                "version": "7.6.2",
                "cdf": "70744435"
            },
            "isDebuggingEnabled" : true
        };       
    </script>
    

    Is there a way to remove this? We would like to prevent attackers from determining vulnerabilities.

  • Matt Barlow 105 posts 261 karma points
    Jun 07, 2017 @ 11:39
    Matt Barlow
    2

    I would also question why this needs to be output on the login page.

    First thing you should do is restrict access to the login page, place it on a subdomain, or restrict by allowed IP.

    Anyway, investigated this, this script is output in:

    Umbraco\Views\Default.cshtml

    Which has a html helper method called:

    @Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })) 
    

    Which is a part of the Umbraco.Web class library:

    So from the github repo:

    https://github.com/umbraco/Umbraco-CMS/blob/9badb35c054ecc91630b69b1b6753c78427cb4a6/src/Umbraco.Web/HtmlHelperBackOfficeExtensions.cs

    You can see that it's getting the version number along with a load of other server variables and building script which it spits out onto the page.

    As a short term solution I tried commenting out the helper, and doing a string replace.

    @*@Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath }))*@
    
    @{ 
        var replaceVersionNo = "0";
        var umbracoVersion = "7.6.1";
        var backofficeScript = Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })).ToString().Replace(umbracoVersion ,replaceVersionNo);
        @Html.Raw(backofficeScript)
    }
    

    Which replaced the version number with 0, obviously use the version number you have. This seems a bit hacky though, but does the job and I was still able to log in.

    <script type="text/javascript">
                    var Umbraco = {};
                    Umbraco.Sys = {};
                    Umbraco.Sys.ServerVariables = {
                        "umbracoUrls": {
                            "authenticationApiBaseUrl": "/umbraco/backoffice/UmbracoApi/Authentication/",
                            "serverVarsJs": "/umbraco/ServerVariables?umb__rnd=33cdb27a",
                            "externalLoginsUrl": "/umbraco/ExternalLogin"
                        },
                        "umbracoSettings": {
                            "allowPasswordReset": true,
                            "loginBackgroundImage": ""
                        },
                        "application": {
                            "applicationPath": "/",
                            "version": "0",
                            "cdf": "1963442378"
                        },
                        "isDebuggingEnabled" : true
                    };       
                </script>
    
  • Zac 222 posts 572 karma points
    Jun 07, 2017 @ 13:24
    Zac
    101

    Thanks a lot Matt, really helpful. Interesting idea with the hack. Looks like it should be trivial to do a Regex replace to make it a little more robust to version number changes.

    We may not be able to do an IP restriction so sticking the back office on a subdomain is probably the best thing we can do.

    I dug a little more and it looks like the version number was added for cache busting purposes after a version upgrade:

    https://github.com/umbraco/Umbraco-CMS/commit/be0bacd895314500fd5c0a8e4a88e35c4451cd05

  • Jeremy Coulson 35 posts 116 karma points
    Jul 20, 2018 @ 15:37
    Jeremy Coulson
    0

    Thanks for this answer! It's exactly what I needed.

    In case anyone comes by this thread in the future, here's one way to use regex to handle the version number:

    @{
        var replaceVersionNo = "0";
        string rexPattern = "\\d+\\.\\d+\\.*\\d*";
        System.Text.RegularExpressions.Regex rex = new System.Text.RegularExpressions.Regex(rexPattern);
        var backofficeScript = rex.Replace(Html.BareMinimumServerVariablesScript(Url, Url.Action("ExternalLogin", "BackOffice", new { area = ViewBag.UmbracoPath })).ToString(), replaceVersionNo);
        @Html.Raw(backofficeScript)
    }
    
  • Zac 222 posts 572 karma points
    Jul 18, 2017 @ 14:29
Please Sign in or register to post replies

Write your reply to:

Draft