Lucene search
K

Sitecore CMS 6.4 Open Redirect

🗓️ 30 Jul 2011 00:00:00Reported by Tom NeavesType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 17 Views

Sitecore CMS 6.4 Open Redirect vulnerability allows injection of content from a malicious site within the context of Sitecore, tricking users into believing it originated from a trusted site

Code
`Product Name: Sitecore CMS 6.4  
Vendor: http://www.sitecore.net  
Date: 28 July, 2011  
Author: [email protected] <[email protected]>  
Original URL: http://www.tomneaves.com/Sitecore_CMS_Open_URL_Redirect.txt  
Discovered: 30 June, 2011  
Disclosed: 28 July, 2011  
  
I. DESCRIPTION  
  
Sitecore is a CMS system used widely throughout the world by businesses, universities and banks. A vulnerability exists that  
allows an attacker to insert content from a malicious site within the context of Sitecore. A user could be tricked into thinking  
the content originated from the trusted site when infact it is from the attacker's.  
  
II. DETAILS  
  
An Open URL Redirection Vulnerability exists in Sitecore CMS 6.4 (and previous versions) which allows an arbitrary URL (content)  
to be injected into the page. The Sitecom titlebar window is still shown to the user however the content that is loaded comes from  
the user specified location. An attacker could provide content from a malicious site which the user would believe originated from  
the trusted site - particularly with the Sitecom titlebar window still present. This URL is accessible by unauthenticated users -  
therefore ideal for a phishing attack.  
  
---  
  
As an unauthenticated user, the "url" parameter can be manipulated in the GET request to an arbitrary value:  
  
http://victim.com/sitecore/shell/default.aspx?xmlcontrol=Application&url=http://www.attacker.com&ch=WindowChrome&ic=Applications%2f32x32%2fabout.png&he=About+Sitecore&ma=0&mi=0&re=0  
  
---  
  
Affected Versions: All versions of Sitecore up to and and including CMS 6.4 (Sitecore.NET 6.4.1 (rev. 110324)).  
  
III. VENDOR RESPONSE  
  
30 June, 2011 - Contacted vendor.  
30 June, 2011 - Vendor acknowledged and confirmed vulnerability (348199)  
27 July, 2011 - Vendor releases update (CMS 6.4.1 update-3)  
28 July, 2011 - Vulnerability publicly disclosed.  
  
IV. CREDIT  
  
Discovered by Tom Neaves (Verizon Business)  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation