Umbraco CMS TemplateService remote code execution
Description
Umbraco CMS contains an authentication bypass vulnerability in the TemplateService SOAP web service component. The update() function fails to verify user authentication before processing requests, allowing unauthenticated attackers to modify CMS templates. By sending a specially crafted SOAP request, an attacker can inject malicious ASP.NET code into templates, which will then be executed by the server. This vulnerability is present even when the web services interface is not explicitly enabled in the configuration.
Remediation
Apply the official vendor patch immediately, which completely removes the vulnerable web services component from Umbraco CMS. This is the recommended and fully supported remediation path.
If immediate patching is not feasible, a temporary workaround involves adding authentication checks to the TemplateService. Add the following code at the beginning of the update() function in the TemplateService class:
if (!Authenticate())
{
throw new UnauthorizedAccessException("Authentication required");
}Note: This workaround is not officially supported by the vendor and should only be used as a temporary measure until the official patch can be applied. Thoroughly test this modification in a non-production environment to ensure it does not disrupt legitimate application functionality. Additionally, consider disabling or restricting network access to the TemplateService endpoint at the firewall or web server level until remediation is complete.