Sitefinity 3.x Shell Upload Vulnerability

Posted on April 24, 2013 0 Comments

We’ve noticed a Sitefinity exploit making the rounds on Twitter. Furthermore, a handful of our customers have discovered this vulnerability on their web sites. I’m not going to post the full details of the exploit here. Basically, the exploit involves sending an unauthenticated request to a specific administrative ASPX page.

However, this exploit only succeeds if:

  1. You are using an old (early 2009) version of Sitefinity. We fixed this issue a long time ago.
  2. You have removed or modified the default web.config file in the /Sitefinity/ directory, which will allow anonymous requests.
  3. You have the Application Pool set for FULL control over the entire Application (it should have read access, with write access only on App_Data, which cannot be reached with a regular browser).
  4. You are properly authenticated into the site, which will allow you to browse the dialog. (This isn’t really a problem.)

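Conditions 2 and 3 above are the ones a site administrator controls, so they are worth auditing rather than assuming. The following PowerShell script is an added example and is not code from the original post or from Sitefinity; the site root path, the application pool identity name, and the exact rule it looks for (an ASP.NET `<deny users="?" />` authorization entry, which is how anonymous requests are refused in a directory-level web.config) are assumptions, since the post does not reproduce the shipped web.config.

```powershell
# Added example (not Sitefinity's own code): audit the two administrator-controlled
# conditions from the post, namely the /Sitefinity/ web.config and app pool permissions.
# Assumptions (hypothetical values): site root path and application pool identity.
$SiteRoot     = 'C:\inetpub\wwwroot\MySite'     # assumed site root
$PoolIdentity = 'IIS AppPool\MySiteAppPool'     # assumed application pool identity

# Condition 2: /Sitefinity/ must still carry a web.config that denies anonymous users.
# Standard ASP.NET syntax for that is <authorization><deny users="?" /></authorization>.
$adminConfig = Join-Path $SiteRoot 'Sitefinity\web.config'
if (-not (Test-Path $adminConfig)) {
    Write-Warning "Missing $adminConfig - anonymous requests to admin pages are not blocked here"
} else {
    [xml]$cfg = Get-Content -Path $adminConfig
    $denyAnon = $cfg.configuration.'system.web'.authorization.deny |
        Where-Object { $_.users -eq '?' }
    if ($denyAnon) {
        Write-Output "OK: $adminConfig denies anonymous users"
    } else {
        Write-Warning "$adminConfig has no <deny users=`"?`" /> rule; anonymous requests may be allowed"
    }
}

# Condition 3: the app pool identity should not hold write, modify or full control
# on the whole application; write access belongs on App_Data only.
$acl = Get-Acl -Path $SiteRoot
$tooBroad = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $PoolIdentity -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
}
if ($tooBroad) {
    foreach ($ace in $tooBroad) {
        Write-Warning "$PoolIdentity has '$($ace.FileSystemRights)' on $SiteRoot; restrict write access to App_Data"
    }
} else {
    Write-Output "OK: $PoolIdentity has no write/modify/full control on $SiteRoot"
}
```

Run it from an elevated PowerShell prompt on the web server after adjusting the two assumed values. A warning from the first check means an anonymous request can reach the administrative pages; a warning from the second means a request that does get through can write anywhere in the application rather than only into App_Data.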
Several months ago, Georgi Chokov recommended these and other security best practices in his Building a secured Sitefinity website blog post. For those who haven’t already followed these instructions, I strongly suggest you do so. I also recommend that you upgrade your web sites to a current version of Sitefinity.

If you have specific questions or need help, contact support.

The Progress Team
