what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Sitecore Staging Module Authentication Bypass

Sitecore Staging Module Authentication Bypass
Posted Dec 17, 2009
Authored by Lukas Weichselbaum | Site sec-consult.com

Sitecore Staging Module versions 5.4.0 revision 080625 and below suffer from authentication bypass and file manipulation vulnerabilities.

tags | exploit, vulnerability
SHA-256 | 0021244a4c6cebaaec10e5a1c3d431de7999b29903a312e90b39f88e0151ebb6

Sitecore Staging Module Authentication Bypass

Change Mirror Download
SEC Consult Security Advisory < 20091217-0 >
==========================================================================
title: Authentication bypass and file manipulation in
Sitecore Staging Module
products: Sitecore Staging Module
vulnerable version: Sitecore Staging Module <= 5.4.0 rev.080625
fixed version: Staging 5.4.0 rev.091111
impact: critical
homepage:
http://www.sitecore.net/en/Products/Sitecore-CMS.aspx
found: 2009-09-07
by: L. Weichselbaum / SEC Consult / www.sec-consult.com
==========================================================================

Vendor description:
-------------------
Sitecore CMS makes it effortless to create content and experience rich
websites that help you achieve your business goals such as increasing
sales and search engine visibility, while being straight-forward to
integrate and administer. Sitecore lets you deliver sites that are
highly scalable, robust and secure. Whether you're focused on
marketing, development and design, or providing site content, Sitecore
delivers for you.

The main purpose of the Sitecore Staging module is to update two or
more Sitecore installations across a firewall.

source: http://www.sitecore.net/en/Products.aspx
http://sdn.sitecore.net/upload/sdn5/sitecore6modules/staging/
staging-module-installation-and-configuration-guide.pdf


Vulnerability overview/description:
-----------------------------------
The Staging Webservice (normally found in "/sitecore modules/staging/
service/api.asmx") used for transmitting files between the Sitecore
Master and Slave Server is vulnerable to authentication bypass and
therefore
* files can be uploaded in arbitrary directories on the server
* files can be downloaded from arbitrary directories on the server
* directory listings of the whole server can be received
* the webserver cache can be deleted

An attacker is able to upload a shell, modify or delete sensitive data
or gain the whole source code of the application. Furthermore it is
possible to retrieve directory listings of directories of the whole
server and the webroot. All these actions are performed with the rights
of the webserver user. One tested server allowed us to compromise the
whole server by uploading a shell into the webroot.


Proof of concept:
-----------------
Authentication bypass and file manipulation
===========================================
To exploit this vulnerability, the example of "api.asmx?op=Upload" can
be used in a slightly modified form. The parameters "Username" and
"Password" can be set at random, but they must not be empty. The
parameter "File" contains the base64 encoded content of the file which
should be uploaded. For the parameters "append" and "isEncrypted" the
value "false" is most suitable. In "Destination" the location of the
file on the remote system can be specified. The following POST-request
creates a file named test.txt in C:\temp. It would also be possible to
upload a shell into the Webroot.

POST /sitecore%20modules/staging/service/api.asmx HTTP/1.1
Host: hostToExploit
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 599

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<Upload xmlns="http://Sitecore/modules/Staging/API/">
[Soap-Stuff]
</Upload>
</soap12:Body>
</soap12:Envelope>

The same applies to the webservice operations "Download", "List" and
"Clear Cache".


Vulnerable versions:
--------------------
Sitecore Staging Module
* <= v5.4.0 rev.080625

Vendor contact timeline:
------------------------
2009-10-09: Contacting Sitecore.
2009-10-12: Reply from Sitecore.
2009-10-12: Preliminary advisory with full vulnerability details was
sent to Sitecore.
2009-12-02: Requested status of the planned security fixes.
2009-12-03: Reply from Sitecore, fixes are now in second iteration in
their QA department and they expect to release this before Christmas.
2009-12-03: Reply from Sitecore, vulnerabilities have been fixed and
new version has been released.
2009-12-16: Final version of the advisory sent to Sitecore and release
date was scheduled.
2009-12-16: Reply from Sitecore.
2009-12-17: Release of the advisory.


Solution:
---------
Update to Sitecore Staging Module v5.4.0 rev.091111

Workaround:
-----------
Delete the Staging Webservice (normally found in "/sitecore modules/
staging/service/api.asmx") to prevent arbitrary file manipulation.
The Sitecore Staging Module can thereby only use FTP for transmitting
files between the Sitecore Master and Slave with the Sitecore Staging
Module.

Advisory URL:
-------------
https://www.sec-consult.com/advisories_e.html#a63

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF L. Weichselbaum / @2009
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close