lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 28 Jul 2011 23:02:38 +0100
From: Tom Neaves <tom@...neaves.com>
To: bugtraq@...urityfocus.com,
 full-disclosure@...ts.grok.org.uk
Subject: Sitecore CMS 6.4 Open URL Redirect Vulnerability

Product Name: Sitecore CMS 6.4
Vendor: http://www.sitecore.net
Date: 28 July, 2011
Author: tom@...neaves.com <tom@...neaves.com>
Original URL: http://www.tomneaves.com/Sitecore_CMS_Open_URL_Redirect.txt
Discovered: 30 June, 2011
Disclosed: 28 July, 2011

I. DESCRIPTION

Sitecore is a CMS system used widely throughout the world by businesses, universities and banks.  A vulnerability exists that
allows an attacker to insert content from a malicious site within the context of Sitecore.  A user could be tricked into thinking
the content originated from the trusted site when infact it is from the attacker's.

II. DETAILS

An Open URL Redirection Vulnerability exists in Sitecore CMS 6.4 (and previous versions) which allows an arbitrary URL (content)
to be injected into the page.  The Sitecom titlebar window is still shown to the user however the content that is loaded comes from
the user specified location.  An attacker could provide content from a malicious site which the user would believe originated from
the trusted site - particularly with the Sitecom titlebar window still present.  This URL is accessible by unauthenticated users -
therefore ideal for a phishing attack.

---

As an unauthenticated user, the "url" parameter can be manipulated in the GET request to an arbitrary value:

http://victim.com/sitecore/shell/default.aspx?xmlcontrol=Application&url=http://www.attacker.com&ch=WindowChrome&ic=Applications%2f32x32%2fabout.png&he=About+Sitecore&ma=0&mi=0&re=0

---

Affected Versions: All versions of Sitecore up to and and including CMS 6.4 (Sitecore.NET 6.4.1 (rev. 110324)).

III. VENDOR RESPONSE

30 June, 2011 - Contacted vendor.
30 June, 2011 - Vendor acknowledged and confirmed vulnerability (348199)
27 July, 2011 - Vendor releases update (CMS 6.4.1 update-3)
28 July, 2011 - Vulnerability publicly disclosed.

IV. CREDIT

Discovered by Tom Neaves (Verizon Business)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists