Headline
CVE-2023-26262: GitHub - istern/CVE-2023-26262
An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Sitecore user, an unrestricted language file upload vulnerability exists that can lead to direct code execution on the content management (CM) server.
Sitecore 10.3 Authenticated file upload vulnerability
Author: Thomas Stern
Date: 26/01-2023
Summary
It is possible, via the Import Languages functionality, to upload an arbitrary file. This file can be a webshell, which allows execution of code on the server.
Steps to reproduce
For testing this vulnerability, a Sitecore 10.3 instance was spawned on a local machine through Docker. The vulnerability has not been tested on previous versions of Sitecore, but earlier versions might be vulnerable to the same technique.
Environment information
Host: Windows 11 running Docker Desktop; target: Sitecore 10.3
1. Login to sitecore
Since this is an authenticated vulnerability, a valid set of credentials is required. For this test instance the default admin/b credentials were used.
2. Navigate to toolbox
The Toolbox is found under the Sitecore Control Panel.
3. Choose - Import Languages
Now choose Import Languages.
4. Import - temp folder
Start by choosing Browse.
Next, select the temp folder; this will also be the destination for the shell.
5. Upload webshell
The code used for testing is a simple webshell downloaded from https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx; note that a small modification was made to run PowerShell instead of the default cmd.
Choose the Upload button, select your shell and press Next.
Your shell should now be uploaded.
6. Execute Commands
Start by navigating to the uploaded shell at https://sitename/temp/shell.aspx. With the shell uploaded it is now possible to execute arbitrary code on the system.
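The chain above (a POST to the Upload2.aspx dialog, then requests to a new script under /temp) leaves a recognisable trace in the IIS W3C logs of the CM server. The following is an added detection example written for this page, not part of the original write-up: it parses a few constructed log lines and flags any 2xx response for a script-extension file under /temp, raising the severity when the same client IP POSTed to one of the two upload dialogs named in this write-up shortly before. The log lines, field layout, IP addresses, usernames and the 10-minute correlation window are all assumptions; correlation is keyed on c-ip so it works whether or not cs-username is populated.

```python
"""Flag the Import Languages upload -> /temp webshell pattern in IIS W3C logs.

Added example for this write-up; the log lines below are constructed, not real.
"""
from datetime import datetime, timedelta

# Constructed sample IIS W3C log (assumed field layout, not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2023-01-26 10:00:01 GET /sitecore/shell/Applications/Files/FileBrowser.aspx - sitecore\\admin 10.0.0.5 200
2023-01-26 10:00:09 POST /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx - sitecore\\admin 10.0.0.5 200
2023-01-26 10:00:20 GET /temp/shell.aspx - - 10.0.0.5 200
2023-01-26 10:00:25 POST /temp/shell.aspx - - 10.0.0.5 200
2023-01-26 11:30:00 GET /temp/da-DK.xml - sitecore\\editor 10.0.0.7 200
2023-01-26 12:00:00 GET /temp/old.aspx - - 10.0.0.9 404
"""

# Extensions IIS/ASP.NET will hand to a script handler (assumed list).
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".vbhtml")
# The two dialogs the write-up's web.config rule blocks, lower-cased for comparison.
UPLOAD_DIALOGS = (
    "/sitecore/shell/applications/files/filebrowser.aspx",
    "/sitecore/shell/applications/dialogs/upload/upload2.aspx",
)
WINDOW = timedelta(minutes=10)  # assumption: upload and first hit are close in time


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def is_temp_script(stem):
    """True if the requested path is a script-extension file directly under /temp/."""
    s = stem.lower()
    return s.startswith("/temp/") and s.endswith(SCRIPT_EXTENSIONS)


def detect(text):
    """Return (severity, client_ip, uri_stem, detail) tuples for suspicious requests."""
    alerts = []
    last_upload = {}  # c-ip -> (timestamp, cs-username) of the most recent dialog POST
    for r in parse_w3c(text):
        stem, ip = r["cs-uri-stem"].lower(), r["c-ip"]
        if stem in UPLOAD_DIALOGS and r["cs-method"] == "POST":
            last_upload[ip] = (r["ts"], r["cs-username"])
            continue
        # Only successful responses matter: a 404 for /temp/x.aspx is noise.
        if is_temp_script(stem) and r["sc-status"].startswith("2"):
            severity, detail = "medium", "served script-extension file from /temp"
            upload = last_upload.get(ip)
            if upload and r["ts"] - upload[0] <= WINDOW:
                severity = "high"
                detail = (f"upload dialog POST by {upload[1]} at {upload[0].time()} "
                          f"followed by {r['cs-method']} of script")
            alerts.append((severity, ip, r["cs-uri-stem"], detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

On the constructed log the two hits on /temp/shell.aspx from 10.0.0.5 are reported as high because the same IP POSTed to Upload2.aspx eleven seconds earlier; the legitimate da-DK.xml and the 404 are ignored. A lone 2xx for a script under /temp with no preceding upload is still reported at medium, since the file may have been dropped earlier than the log window.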
Remediation
The code for uploading language files should validate the files being uploaded and reject executable files such as .aspx, .exe and similar. Language files should also only be written to a directory that does not allow code execution. As a compensating control, the two dialogs used in the steps above can be blocked with an IIS URL Rewrite rule in web.config (inside system.webServer/rewrite/rules) like the one below. Note that this will block all requests to the two files, so any other Sitecore functionality that relies on them will stop working as well.

```xml
<rule name="BlockFileUpload" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <conditions logicalGrouping="MatchAny">
    <add input="{URL}" pattern="*sitecore/shell/Applications/Files/FileBrowser.aspx" />
    <add input="{URL}" pattern="*sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx" />
  </conditions>
  <action type="CustomResponse" statusCode="404" statusReason="File or directory not found." statusDescription="The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable." />
</rule>
```
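The two remediation points above (validate the file, and keep uploads out of a folder that can execute code) can be expressed as an allow-list check on the upload. The following Python is an added illustration written for this page; it is not Sitecore's code and not the fix Sitecore shipped. It assumes language packages are XML files and uses a hypothetical upload root under App_Data, which ASP.NET refuses to serve and so cannot execute scripts from. The function returns a decision plus either the destination path or the rejection reason, and it handles the usual bypass attempts: path components in the file name, trailing dots that NTFS strips, double extensions, and a renamed .aspx whose body is not XML.

```python
"""Allow-list validation for a language-file upload (illustrative, not Sitecore's code)."""
import posixpath
import xml.etree.ElementTree as ET

# Assumptions for this example (not from the advisory): language packages are XML,
# and accepted files are written under App_Data, which ASP.NET never serves.
LANGUAGE_FILE_EXTENSIONS = {".xml"}
EXECUTABLE_EXTENSIONS = {
    ".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".asp", ".cshtml", ".vbhtml",
    ".config", ".dll", ".exe", ".ps1", ".bat", ".cmd",
}
UPLOAD_ROOT = "/inetpub/wwwroot/App_Data/language_uploads"  # hypothetical path


def normalize_name(filename):
    """Reduce a client-supplied file name to a bare base name, or None if unusable."""
    # Keep only the last path component, whatever separator the client used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # NTFS silently drops trailing dots and spaces, so 'shell.aspx.' lands on disk
    # as 'shell.aspx'. Strip them before the extension is examined.
    name = name.rstrip(". ")
    if not name or "\x00" in name or name in (".", ".."):
        return None
    return name


def check_language_upload(filename, content):
    """Return (True, destination_path) if acceptable, otherwise (False, reason)."""
    name = normalize_name(filename)
    if name is None:
        return False, "invalid file name"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    # Examine every dotted segment, not only the last one: 'shell.aspx.xml' and
    # 'shell.xml.aspx' are both rejected.
    segments = {"." + p for p in parts[1:]}
    if segments & EXECUTABLE_EXTENSIONS:
        return False, "executable extension not allowed"
    if "." + parts[-1] not in LANGUAGE_FILE_EXTENSIONS:
        return False, "not a language file"
    # The body must be well-formed XML. An ASPX page opening with '<%@ Page' is not,
    # so it fails here even after being renamed to .xml.
    try:
        ET.fromstring(content)
    except ET.ParseError:
        return False, "not well-formed XML"
    # Belt and braces: the final path must stay inside the non-executable root.
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if posixpath.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        return False, "path escapes upload root"
    return True, dest


if __name__ == "__main__":
    for fn, body in [("da-DK.xml", b"<sitecore/>"), ("shell.aspx", b"<x/>"),
                     ("..\\..\\temp\\shell.xml", b"<x/>"),
                     ("da-DK.xml", b'<%@ Page Language="C#" %>')]:
        print(fn, "->", check_language_upload(fn, body))
```

The extension allow-list, not the XML parse, is the real control: a document that is both well-formed XML and valid ASPX markup is possible, but it only executes if IIS maps its extension to a script handler, which the allow-list prevents, and the App_Data root removes the execution path even if a check is bypassed. The web.config rule from the remediation above remains a useful stop-gap while the upload code itself is fixed.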