.png)
1 month ago
27 BOOK THIS SPACE FOR AD
ARTICLE ADHello Curios, welcome to the another blog in the series of Reverse Engineering Sitecore Vulnerabilities. This time we’ll discuss the multiple vulnerabilities affecting the CIA triangle (Confidentiality, Integrity and Availability).
In this blog we’ll cover how anyone can read files from the Webroot, including license and config files.
As we know in Sitecore we’ve “api/sitecore/{controller}/{action}” which provides route mapping for the controllers.
If we look into the security bulletin from Sitecore, they’ve mentioned to disable the DeviceSimulator config, and remove the Sitecore.Mvc.DeviceSimulator.dll
Now in mentioned dll, there is controlled called SimulatorController in which there was an action called Preview as shown in the picture below -
Sitecore.Mvc.DeviceSimulator is mainly used for device simulation under the experience editor. more info here.
eventually this Preview action was calling Server.Execute method which leads us to LFI (local file inclusion).
As Server.Execute does not have any Controlling parameters and it does redirects us to any file.
Now that we know the vulnerability, exploitation of this vulnerability is very simple, for POC we can try to access the Sitecore license file.
hit the URL just by replacing the host name with your target -
https://<host-name>/api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview?previewPath=/App_Data/license.xmlmoreover we can also download the backup files from the server.
I’ve automated the process of identifying the vulnerable sites with this vulnerability and I’m surprised that there are still many sites which are vulnerable to this.. even big giants!
We can apply the compatible hotfix provided by Sitecore from here.
That’s it in this part of series, Stay tuned for more of it!
References -
Sitecore Security BulletinAssetNote article on the multiple flaws in Sitecore
Bengali (Bangladesh) · 
English (United States) ·