istern / CVE-2023-26262


Sitecore 10.3 Authenticated file upload vulnerability

Author: Thomas Stern

Date: 26/01-2023

Summary

It is possible to upload an arbitrary file via the import languages functionality. This file could be a webshell that would allow for execution of code on the server.

Steps to reproduce

To test this vulnerability, a Sitecore 10.3 instance was spawned on a local machine through Docker. This vulnerability hasn't been tested on previous versions of Sitecore, but earlier versions might be vulnerable to the same technique.

Environment information

Host: Windows 11 Running Docker for Desktop Sitecore 10.3

Sitecore Information

1. Log in to Sitecore

Since this is an authenticated vulnerability, a valid set of credentials is required. For this testing instance, admin/b was used.

2. Navigate to toolbox

The toolbox is found under the control panel for Sitecore

Sitecore Control Panel

3. Choose - Import Languages

Now choose language import

Language Import

4. Import - temp folder

Start by choosing Browse

Upload part 1

Next, select the temp folder; this will also be the destination for the shell.

Upload part 2 choose destination folder

5. Upload webshell

The code used for testing is a simple webshell downloaded from https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx. Note that a small modification was made to run powershell instead of the default cmd.

Choose the Upload button, select your shell and press Next.

Upload Shell

Your shell should now be uploaded.

Done Uploading Shell

6. Execute Commands

Start by navigating to the uploaded shell at "https://sitename/temp/shell.aspx". With the shell uploaded, it is now possible to have full code execution on the system.

Code execution

Remediation

The code for uploading language files should validate the files being uploaded and not allow executable file types such as aspx, exe and more. Language files should also only be uploaded to a directory that doesn't allow code execution. A way of doing this is by adding a block rule to the web.config like the one below. Note that this will block all requests to the two files.

<rule name="BlockFileUpload" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
    <match url="*" />
    <conditions logicalGrouping="MatchAny">
        <add input="{URL}" pattern="*sitecore/shell/Applications/Files/FileBrowser.aspx" />
        <add input="{URL}" pattern="*sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx" />
    </conditions>
    <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>
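
A detection sketch for the sequence described in the steps above, added here as an example and not part of the original advisory: it scans IIS W3C logs for successfully served script files under /temp/ and marks whether the same client had earlier POSTed to one of the two upload pages named in the rule. The log lines are constructed, and the script-extension list and the choice of log fields are assumptions.

```python
# Added example: constructed IIS W3C log lines, not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-01-26 10:01:02 POST /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx 10.0.0.5 200
2023-01-26 10:01:40 GET /temp/shell.aspx 10.0.0.5 200
2023-01-26 10:02:10 GET /temp/report.xml 10.0.0.9 200
2023-01-26 10:03:00 GET /temp/missing.aspx 10.0.0.9 404
"""

# The two upload pages named in the block rule, lower-cased for comparison.
UPLOAD_PAGES = (
    "/sitecore/shell/applications/files/filebrowser.aspx",
    "/sitecore/shell/applications/dialogs/upload/upload2.aspx",
)
UPLOAD_DIR = "/temp/"                              # destination folder used in step 4
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp")  # assumption: extensions IIS may execute


def parse_w3c(log_text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_suspicious(log_text):
    """Return successful requests for script files under the upload folder."""
    uploaders = set()  # client IPs that POSTed to an upload page earlier in the log
    alerts = []
    for row in parse_w3c(log_text):
        stem = row["cs-uri-stem"].lower()
        if row["cs-method"] == "POST" and stem.endswith(UPLOAD_PAGES):
            uploaders.add(row["c-ip"])
        elif (stem.startswith(UPLOAD_DIR) and stem.endswith(SCRIPT_EXTS)
              and row["sc-status"] == "200"):
            alerts.append({"time": f'{row["date"]} {row["time"]}',
                           "client": row["c-ip"],
                           "path": row["cs-uri-stem"],
                           "uploaded_first": row["c-ip"] in uploaders})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

With the block rule in place, requests to the two upload pages return 404, so any later 200 response for a script file under /temp/ is worth investigating regardless of the `uploaded_first` flag.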
