Limit access to logviewer endpoints to people with access to the settings section

[nul800sebastiaan]

This fix is a result of a security scan where an issue was discovered: authenticated Umbraco backoffice users without access to the Settings section could use the API endpoint to read Umbraco logs.

The security firm Trustwave published a blog post about this on April 1st, 2021.

In our opinion this post exaggerates the risk. You can not elevate yourself to admin with the logviewer endpoints. This is speculation and depends on people writing dangerous custom code on purpose. That scenario is not unthinkable but highly unlikely.

Details about this issue

• The endpoint was only available to users logged into the Umbraco backoffice
  • not available for any website visitors
• Endpoint should only have been available for people to Umbraco backoffice users with access to the Settings section
  • but was also available for editors, translators, etc. anyone who could log into the backoffice
• To abuse this endpoint access, the user would need to know how to find it somehow and then need to know how to call the endpoint with the correct parameters
  • the risk of regular users knowing how to do this is quite low
  • you know exactly who is a user in the backoffice, presumably you haven’t invited someone in who has malicious intentions
• The information in the logs that Umbraco writes does NOT by default allow you to elevate privileges, this is only a theoretical issue
  • for example: if your custom implementation of Umbraco were to log backoffice user passwords into the logs then it would allow you to elevate privileges (needless to say: please do not ever log passwords in the logs!)
• We determined that the severity of this security issue was low
  • the security firm categorized it as medium because of the hypothetical risk of custom implementations putting too much information in the logs, which we believe would be a rare occurrence

About this fix

• The endpoint was created in Umbraco 8.0.0 - version 7 is NOT affected
• The endpoint was properly secured in version 8.10.0 with this pull request:
  • That means v8.0.0 through v8.9.3 were the affected versions

Dependabot - GitHub security response

Trustwave also created a CVE for this issue. This CVE changed on the 12th of April 2021 to list ALL previous versions of Umbraco to be vulnerable, which is incorrect, the issue only affects v8.0.0-v8.9.1.

Subsequently, GitHub picked up on this CVE. GitHub has a security scanner that analyses any vulnerable software and notifies people that depend on that software to update anything with a security issue. This service is best known as “dependabot”, their account that makes a PR to fix vulnerabilities.

Since the version range was listed incorrectly, everybody depending on any version of Umbraco (<8.10.0) got a notification from GitHub telling them to upgrade.

Security notifications from Umbraco

When we find security issues, we will send out notifications when they are serious enough, you can read up on this in our Trust Center:

When we have security-related announcements we believe you need to be explicitly aware of, we announce them in the following ways on the day we publish a patch or manual workaround (..)

From our assessment, this issue was not severe enough to send out notifications.

[clausjensen]

Looks good to me 👍