| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <464F030F-31DF-46F0-B857-07FC3A530977@tomneaves.com> Date: Thu, 28 Jul 2011 23:02:38 +0100 From: Tom Neaves <tom@...neaves.com> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Sitecore CMS 6.4 Open URL Redirect Vulnerability Product Name: Sitecore CMS 6.4 Vendor: http://www.sitecore.net Date: 28 July, 2011 Author: tom@...neaves.com <tom@...neaves.com> Original URL: http://www.tomneaves.com/Sitecore_CMS_Open_URL_Redirect.txt Discovered: 30 June, 2011 Disclosed: 28 July, 2011 I. DESCRIPTION Sitecore is a CMS system used widely throughout the world by businesses, universities and banks. A vulnerability exists that allows an attacker to insert content from a malicious site within the context of Sitecore. A user could be tricked into thinking the content originated from the trusted site when infact it is from the attacker's. II. DETAILS An Open URL Redirection Vulnerability exists in Sitecore CMS 6.4 (and previous versions) which allows an arbitrary URL (content) to be injected into the page. The Sitecom titlebar window is still shown to the user however the content that is loaded comes from the user specified location. An attacker could provide content from a malicious site which the user would believe originated from the trusted site - particularly with the Sitecom titlebar window still present. This URL is accessible by unauthenticated users - therefore ideal for a phishing attack. --- As an unauthenticated user, the "url" parameter can be manipulated in the GET request to an arbitrary value: http://victim.com/sitecore/shell/default.aspx?xmlcontrol=Application&url=http://www.attacker.com&ch=WindowChrome&ic=Applications%2f32x32%2fabout.png&he=About+Sitecore&ma=0&mi=0&re=0 --- Affected Versions: All versions of Sitecore up to and and including CMS 6.4 (Sitecore.NET 6.4.1 (rev. 110324)). III. VENDOR RESPONSE 30 June, 2011 - Contacted vendor. 30 June, 2011 - Vendor acknowledged and confirmed vulnerability (348199) 27 July, 2011 - Vendor releases update (CMS 6.4.1 update-3) 28 July, 2011 - Vulnerability publicly disclosed. IV. CREDIT Discovered by Tom Neaves (Verizon Business) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists