Umbraco is a free open source content management system (CMS) With over 730,000 active installations. AppCheck researchers reported two independent vulnerabilities, an application URL overwrite (CVE-2022-22690) and a persistent password reset problem, in a blog post published yesterday (January 18). (CVE-2022-22691).
Researchers warn that vulnerabilities in the CMS platform Umbraco could allow an attacker to gain control of a user’s account. The two security flaws, according to researchers, might be exploited to allow a hostile actor to gain control of an account.
When application code needs to construct a URL referring back to the site, Umbraco CMS employs a setting called ‘ApplicationUrl.’ When a user refreshes their password, for example, the program displays a password reset URL. If the application URL is not specifically defined in Umbraco versions less than 9.2.0, an attacker can change this value and point users to any URL they like.
“The attacker is able to change the URL users receive when resetting their password so that it points to the attacker’s server, when the user follows this link the reset token can be intercepted by the attacker resulting in account takeover” Explains the researchers. When a user resets their password, the second issue arises. The password reset token is created as a URL, which the user then clicks to configure a new password.
However, because this URL is created with the vulnerable ApplicationUrl and can thus be controlled by an attacker, the code below is executed, resulting in the attacker-controlled URL being stored in the Current.RuntimeState.ApplicationUrl variable when the user resets their password, according to researchers.
Umbraco published updates to assist protect users against exploitation after being notified of the security flaws. The cached ApplicationUrl is no longer used for password resets and user invites. If no UmbracoApplicationUrl is specified, the value is re-enumerated to utilise the hostname of the password-reset request.
A health check process now informs the administrator if the UmbracoApplicationUrl has not been configured and advises them to do so. None of the problems outlined in this essay can be exploited once they’ve been configured.
“The password reset process could be invoked on behalf of the user with a malicious hostname set,” the blog post explains.
“The URL to reset the password is poisoned as before, however the user receives the email unexpectedly which would lower the likelihood of a successful attack (CVE-2022-22691).”