Hi,
We've been developing Umbraco sites for a large multinational. All of the sites must go through a security review before they can be put live. There are several things that have come up in every security review for Umbraco sites. I'd like to update the Umbraco core to add some security settings that would enable all Umbraco users to lock down their sites. This would be my first contribution to the Umbraco project so I wanted to run my ideas by everyone to see if they are appropriate for core. I also thought it would be helpful to share the Umbraco specific results as these tests can be fairly expensive to have done.
FYI: I've blanked out the URLs, I'm not working on xxx.com :)
The issues that have come up for every project in priority order are:
1. Cross-Site request forgery
The website administration area at http://www.xxx.com/umbraco is vulnerable to cross-site request forgery (CSRF) on all pages that cause actions such as updates and deletes. A CSRF attack forces a logged-on victim’s browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim.
An example is the following request, which updates content:
POST http://www.xxx.com/umbraco/editContent.aspx?id=<<ID>>
Please see the following OWASP reference for more information:
http://www.owasp.org/index.php/Cross-Site_Request_Forgery
Impact: High
The integrity of information may be affected.
Likelihood: Low
The victim needs to be logged in and the attacker needs to have knowledge of the website. The attacker needs to get the victim to visit a website under the control of the attacker or that is vulnerable to cross-site scripting.
Recommendation
Restrict actions to POST methods and add a hidden key field to forms that validate requests. The hidden key should be unique to the page request and validated on post back. Please see the above OWASP link for more information.
The following link has recommendations for CSRF in ASP.NET:
http://msdn.microsoft.com/en-us/library/ms972969.aspx#securitybarriers_topic2
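As an added example (not Umbraco core code, and not taken from the MSDN article), the following Web Forms base page applies both mitigations from the recommendation above: the ViewStateUserKey approach the MSDN link describes, plus a hidden per-session token that is validated on every POST. It assumes session state is enabled and that content-editing pages such as editContent.aspx inherit from it; the session key, hidden field name and class name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.UI;

// Added example, not Umbraco core code. A base Page that applies both CSRF
// mitigations recommended above to ASP.NET Web Forms pages:
//  1. ViewStateUserKey ties the ViewState MAC to the user's session, so a forged
//     request replaying ViewState obtained elsewhere fails validation.
//  2. A hidden token, unique to the session and emitted into the form, is compared
//     on every POST against the copy held server side.
// Assumes session state is enabled. Key and field names are assumptions.
public class AntiForgeryPage : Page
{
    private const string SessionKey = "__AntiCsrfToken";
    private const string FieldName = "__AntiCsrfField";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Mitigation 1: must be set before ViewState is loaded, i.e. during Init.
        ViewStateUserKey = Session.SessionID;

        // Mitigation 2: create the per-session token on first use. Storing it also
        // makes the session (and therefore SessionID) persist across requests.
        string token = Session[SessionKey] as string;
        if (string.IsNullOrEmpty(token))
        {
            token = NewToken();
            Session[SessionKey] = token;
        }

        // Emit the token as a hidden field so every server form carries it.
        ClientScript.RegisterHiddenField(FieldName, token);

        // Only POSTs may change state, and every POST must carry the matching token.
        // A cross-site form post cannot read the token, so it is rejected here,
        // before any page event handler (update, delete) runs.
        if (Request.HttpMethod == "POST" && !ConstantTimeEquals(Request.Form[FieldName], token))
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }

    private static string NewToken()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    // Compares every character rather than stopping at the first mismatch, so the
    // check does not leak timing information about the token.
    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

The base class can only enforce the token on POST requests; the "restrict actions to POST" half of the recommendation still means auditing any page that performs an update or delete from a GET (for example from a query-string parameter alone) and moving that work into a postback handler.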
2. No Account Lockout on Umbraco Administration Area
The Umbraco administration area has no account lockout following multiple login failures. This leaves the web application susceptible to brute force attacks.
http://www.xxx.com/umbraco/login.aspx
Impact: Medium
A successful brute force attack will lead to the exposure of website content and personal details.
Likelihood: Medium
An attacker will require knowledge of user names. Users will also need to use fairly weak passwords such as dictionary words or common names.
Recommendation
Lock out accounts for a short period of time, say 5 minutes, if the account has multiple login failures, such as 5 in a row. Assign the failure count to the user record rather than the user’s session.
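The following is an added example (not Umbraco core code) of the lockout logic recommended above, with the failure count and lockout expiry stored on the user record rather than in session state, using the suggested thresholds of 5 consecutive failures and a 5 minute lockout. UserRecord, IUserStore, the checkPassword delegate and the Result values are assumed stand-ins for the real user table and credential check.

```csharp
using System;

// Added example, not Umbraco core code. Lockout state lives on the persisted user
// record, as the review recommends, so an attacker cannot reset it by discarding
// the session. Thresholds follow the review: 5 failures in a row lock the account
// for 5 minutes. UserRecord and IUserStore are assumed stand-ins for the real
// user table; checkPassword stands in for the existing credential check.
public class UserRecord
{
    public string Username;
    public int FailedLoginCount;       // persisted, survives session loss
    public DateTime? LockedOutUntil;   // null when the account is not locked
}

public interface IUserStore
{
    UserRecord Find(string username);
    void Save(UserRecord user);
}

public class LoginService
{
    public enum Result { Success, BadCredentials, LockedOut }

    private const int MaxFailures = 5;
    private static readonly TimeSpan LockoutDuration = TimeSpan.FromMinutes(5);

    private readonly IUserStore _store;
    private readonly Func<UserRecord, string, bool> _checkPassword;

    public LoginService(IUserStore store, Func<UserRecord, string, bool> checkPassword)
    {
        _store = store;
        _checkPassword = checkPassword;
    }

    // 'now' is passed in rather than read from the clock so the logic is testable.
    public Result Login(string username, string password, DateTime now)
    {
        UserRecord user = _store.Find(username);
        if (user == null)
        {
            // Unknown user gets the same answer as a wrong password, so the login
            // page does not confirm which user names exist.
            return Result.BadCredentials;
        }

        if (user.LockedOutUntil.HasValue && user.LockedOutUntil.Value > now)
        {
            // Still inside the lockout window: do not even evaluate the password.
            return Result.LockedOut;
        }

        if (_checkPassword(user, password))
        {
            user.FailedLoginCount = 0;     // a success ends the run of failures
            user.LockedOutUntil = null;
            _store.Save(user);
            return Result.Success;
        }

        user.FailedLoginCount++;
        if (user.FailedLoginCount >= MaxFailures)
        {
            user.LockedOutUntil = now + LockoutDuration;
            user.FailedLoginCount = 0;     // a fresh window once the lockout expires
        }
        _store.Save(user);                 // the count is written on every failure
        return Result.BadCredentials;
    }
}
```

The login page should map all three results to the same generic failure message; the distinction between BadCredentials and LockedOut is useful for the audit log, not for the person at the keyboard.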
3. The administration functionality is not separate from the front end website
The administration functionality for the website http://www.xxx.com appears to be available on the same domain as the website, as shown:
http://www.xxx.com/umbraco
As a result, any scripts or cookies used by the main website will also be valid for the administration system, although actual processing will depend on server-side and application configuration. This means that any web application security flaws affecting the website will also affect the admin system.
Impact: High
Any vulnerabilities affecting the main website content will also affect the administration system.
Likelihood: Low
An attacker would need to exploit an existing security flaw in the website to successfully attack the administration functionality.
Recommendation
Consider separating the website administration from the website presentation, ideally through the use of separate domains. Also consider restricting access to this functionality, so that only internal or trusted IP addresses are permitted.
4. Login page allows password auto-completion
Risk: Low
The website administration area at the following URL has a login page that allows password auto-completion on the indicated field.
http://www.xxx.com/umbraco/login.aspx
passw
Impact: Medium
A user who can automatically login to this website is more vulnerable to exploitation through cross-site scripting or if they leave their computer unattended.
Likelihood: Low
An attacker can only exploit this through another vulnerability such as cross-site scripting or physical access to the user’s PC.
Recommendation
Add an attribute named 'autocomplete' to the password field on the login page that is set to ‘off’. Please note that this may not work in some browsers.
5. Website Administration Area Supports Concurrent Sessions
The website administration at http://www.xxx.com/umbraco allows multiple simultaneous logins, using the same valid credentials, each being granted a separate session.
Impact: Medium
There is little accountability if logins are shared, as audited actions cannot be tied to an individual person. As there is no alerting or prevention of concurrent sessions, users may be unaware that their account has been compromised.
Likelihood: Low
Valid credentials would be required to generate a valid session.
Recommendation
Institute server side controls to prevent concurrent sessions. There are a number of mechanisms which can be used. For ASP.NET consider use of the property "System.Web.Security.MembershipUser.IsOnline". Further information can be found at the following URL:
http://msdn.microsoft.com/en-us/library/system.web.security.membershipuser.isonline.aspx
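As an added example (not Umbraco core code), here is one way to use MembershipUser.IsOnline, as the recommendation suggests, to refuse a second simultaneous login for the same credentials. It assumes the administration area authenticates through an ASP.NET Membership provider with forms authentication; the class, method and Outcome names are assumptions. The ordering of the calls matters and is the caveat a practitioner would want: ValidateUser refreshes the user's activity date on success, so IsOnline has to be read before it.

```csharp
using System;
using System.Web.Security;

// Added example, not Umbraco core code. Refuses a second concurrent login for the
// same credentials using MembershipUser.IsOnline. Assumes an ASP.NET Membership
// provider and forms authentication; names are assumptions.
public static class SingleSessionLogin
{
    public enum Outcome { Success, BadCredentials, AlreadyLoggedIn }

    public static Outcome Attempt(string username, string password)
    {
        // Read the online state BEFORE validating: SqlMembershipProvider.ValidateUser
        // updates LastActivityDate on success, which would make IsOnline true for
        // every caller and defeat the check. userIsOnline=false keeps this read from
        // touching the activity date itself.
        MembershipUser user = Membership.GetUser(username, false);
        bool alreadyOnline = user != null && user.IsOnline;

        // Report the online state only after a correct password, so a wrong guess
        // learns nothing about whether the account is currently in use.
        if (!Membership.ValidateUser(username, password))
        {
            return Outcome.BadCredentials;
        }

        if (alreadyOnline)
        {
            // IsOnline is true while LastActivityDate falls within the provider's
            // userIsOnlineTimeWindow (minutes, configured in web.config).
            return Outcome.AlreadyLoggedIn;
        }

        FormsAuthentication.SetAuthCookie(username, false);
        return Outcome.Success;
    }

    // Logout handler. IsOnline stays true until the activity window lapses, so keep
    // userIsOnlineTimeWindow short (the default is 15 minutes) to limit how long a
    // user who closed the browser without logging out is kept from logging in again.
    public static void SignOut()
    {
        FormsAuthentication.SignOut();
    }
}
```

Because the block is decided by activity time rather than by an explicit session record, a user who loses their session without logging out is refused until the window expires; that is the trade-off of the IsOnline approach and the reason the window should be short.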
6. The site includes the X-AspNetMVC-Version, X-AspNet-Version, X-Powered-By and Server HTTP headers
The staging IIS web server at the following URL shows the versions of IIS and components installed in its HTTP headers.
Impact: Low
The version information can be useful information to an attacker when searching for vulnerabilities. Unnecessary system information is exposed.
Likelihood: Medium
This information is presented in HTTP headers so a simple scan or banner grab would obtain this information.
Recommendation
Use URLScan to stop IIS from showing its version number in returned HTTP headers. URLScan is a free tool developed by Microsoft, designed to harden IIS and improve its security. More information about URLScan and its features can be found on the following link:
http://www.iis.net/download/urlscan
Also update global.asax and web.config to disable these headers.
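The Global.asax half of that recommendation, as an added example that is not Umbraco core code: it strips the four headers the finding lists. It assumes System.Web.Mvc is referenced (drop the MvcHandler line on a pure Web Forms site) and that the site runs under the IIS 7 integrated pipeline, which is required for removing the Server header in code; under IIS 6 or classic mode that header is the job of URLScan, as the recommendation says.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example, not Umbraco core code. Removes the four headers the review lists.
// HttpResponse.Headers is only writable under the IIS 7 integrated pipeline;
// on IIS 6 or classic mode use URLScan (RemoveServerHeader=1) for "Server".
// Assumes System.Web.Mvc is referenced.
public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Stop System.Web.Mvc adding X-AspNetMvc-Version to every response.
        MvcHandler.DisableMvcResponseHeader = true;
    }

    // Runs just before the headers are flushed, late enough that nothing re-adds them.
    protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        if (app == null || app.Context == null)
        {
            return;
        }

        HttpResponse response = app.Context.Response;
        response.Headers.Remove("Server");
        response.Headers.Remove("X-AspNet-Version");
        response.Headers.Remove("X-AspNetMvc-Version");
        response.Headers.Remove("X-Powered-By");
    }
}
```

The web.config half is two settings: <httpRuntime enableVersionHeader="false" /> under system.web stops X-AspNet-Version at source, and <remove name="X-Powered-By" /> under system.webServer/httpProtocol/customHeaders drops the IIS default header. After deploying, confirm with a HEAD request from outside the network that none of the four headers is still present, since the review checks exactly that.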