Sitefinity 3.x Shell Upload Vulnerability

April 24, 2013

We’ve noticed a Sitefinity exploit making the rounds on Twitter. Furthermore, a handful of our customers have discovered this vulnerability on their web sites. I’m not going to post the full details of the exploit here. Basically, the exploit involves using an unauthenticated request to a specific administrative ASPX page.

However, this exploit only succeeds if…

  1. You are using an old (early 2009) version of Sitefinity. We fixed this issue a long time ago.
  2. You have removed or modified the default web.config file in the /Sitefinity/ directory so that anonymous requests are allowed.
  3. You have given the Application Pool FULL control over the entire application (it should have read and write access only on App_Data, which cannot be accessed with a regular browser).
  4. You are properly authenticated into the site, which will allow you to browse the dialog. (This isn’t really a problem.)
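
One way to audit condition 2 on a deployed site, as an added example that is not from the original post or from Sitefinity. The function names and sample configs are constructed for illustration, and the `<deny users="?"/>` rule is an assumption about what the stock file contains, since the post does not show it.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample configs. ASSUMPTION: the stock file denies anonymous
# users with <deny users="?"/>; the post does not show its contents.
SAMPLE_STOCK = """<configuration><system.web><authorization>
  <deny users="?"/></authorization></system.web></configuration>"""
SAMPLE_MODIFIED = """<configuration><system.web><authorization>
  <allow users="*"/><deny users="?"/></authorization></system.web></configuration>"""
SAMPLE_GET_ONLY = """<configuration><system.web><authorization>
  <deny users="?" verbs="GET"/></authorization></system.web></configuration>"""

def anonymous_access(config_xml, verb="GET"):
    """Return 'denied', 'allowed' or 'inherited' for an anonymous request.

    ASP.NET applies the first <allow>/<deny> rule that matches, so rule
    order matters. <location> overrides are not evaluated here.
    """
    root = ET.fromstring(config_xml)
    for el in root.iter():                 # drop any xmlns prefix on tags
        el.tag = el.tag.split("}")[-1]
    auth = root.find("system.web/authorization")
    for rule in (auth if auth is not None else []):
        if rule.tag not in ("allow", "deny"):
            continue
        verbs = [v.strip().upper() for v in rule.get("verbs", "").split(",") if v.strip()]
        if verbs and verb.upper() not in verbs:
            continue                       # rule limited to other HTTP verbs
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:   # "?" = anonymous, "*" = everyone
            return "denied" if rule.tag == "deny" else "allowed"
    return "inherited"                     # no matching rule: parent config decides

def check_site(site_root, verb="GET"):
    """Check <site_root>/Sitefinity/web.config; 'missing' if it was removed."""
    path = os.path.join(site_root, "Sitefinity", "web.config")
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as fh:
        return anonymous_access(fh.read(), verb)

if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Any result other than `denied`, for each HTTP verb the site accepts, means the file in /Sitefinity/ no longer blocks anonymous requests on its own.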


Several months ago, Georgi Chokov recommended these and other security best practices in his “Building a secured Sitefinity website” blog post. For those who haven’t already followed these instructions, I strongly suggest you do so. I also recommend that you upgrade your web sites to a current version of Sitefinity.

If you have specific questions or need help, contact support.

The Progress Team