Sitefinity 3.x Shell Upload Vulnerability


April 24, 2013


We’ve noticed a Sitefinity exploit making the rounds on Twitter. Furthermore, a handful of our customers have discovered this vulnerability on their web sites. I’m not going to post the full details of the exploit here. Basically, the exploit involves sending an unauthenticated request to a specific administrative ASPX page.

However, this exploit only succeeds if…

  1. You are using an old (early 2009) version of Sitefinity. We fixed this issue a long time ago.
  2. You have removed or modified the default web.config file in the /Sitefinity/ directory, which would allow anonymous requests to that directory.
  3. You have the Application Pool identity set for FULL control over the entire application (it should have read access to the application and write access only to App_Data, a folder that cannot be accessed from a regular browser).
  4. You are properly authenticated into the site, which allows you to browse the dialog. (This isn’t really a problem.)
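To illustrate point 2, here is an added example of the kind of ASP.NET URL-authorization rule that keeps anonymous users out of the /Sitefinity/ folder. It is not the web.config that ships with Sitefinity; it assumes a standard ASP.NET site whose users are identified by ASP.NET authentication, and the folder name is the only page-specific value in it.

```xml
<!-- Added illustration, not the web.config shipped with Sitefinity.
     Assumes a standard ASP.NET site using ASP.NET authentication. -->
<configuration>

  <!-- Weak state this post warns about: if the /Sitefinity/web.config is
       removed or its rules loosened, the folder inherits the site root,
       where anonymous requests are normally allowed. That looks like:
         <location path="Sitefinity">
           <system.web>
             <authorization>
               <allow users="*" />
             </authorization>
           </system.web>
         </location>
  -->

  <!-- Corrected: "?" is ASP.NET's name for the anonymous user. Rules are
       evaluated top to bottom and the first match wins, so the deny must
       come before the allow. Authenticated users ("*") still get through. -->
  <location path="Sitefinity">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

On IIS 7 and later in integrated pipeline mode this rule covers every request to the folder; in classic mode it only covers extensions handled by ASP.NET, so verify which mode the Application Pool runs in.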


Several months ago, Georgi Chokov recommended these and other security best practices in his Building a secured Sitefinity website blog post.  For those who haven’t already followed these instructions, I strongly suggest you do so.  I also recommend that you upgrade your web sites to a current version of Sitefinity.

If you have specific questions or need help, contact support.


The Progress Team
