Sitefinity 3.x Shell Upload Vulnerability

April 24, 2013 0 Comments

We’ve noticed a Sitefinity exploit making the rounds on Twitter. Furthermore, a handful of our customers have discovered this vulnerability on their web sites. I’m not going to post the full details of the exploit here. Basically, the exploit involves using an unauthenticated request to a specific administrative ASPX page.

However, this exploit only succeeds if…

  1. You are using an old (early 2009) version of Sitefinity. We fixed this issue a long time ago.
  2. You have removed or modified the default web.config file in the /Sitefinity/ directory, which allows anonymous requests to reach it.
  3. You have the Application Pool set for FULL control over the entire Application (it should have read and WRITE only on App_Data, which cannot be accessed with a regular browser).
  4. You are properly authenticated into the site, which allows you to browse the dialog. (This isn’t really a problem.)
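
As an added example (not code from this post or from the Sitefinity product), the following PowerShell audit checks conditions 2 and 3 against a deployed site. It assumes the site's physical path and application pool identity (both placeholders), and that the /Sitefinity/web.config protection takes the standard ASP.NET form of an `<authorization>` element with `<deny users="?"/>`.

```powershell
# Audit script added for illustration; not Progress/Sitefinity code.
# Assumed inputs (placeholders): site physical path and app pool identity.
param(
    [string]$SiteRoot        = 'C:\inetpub\wwwroot\MySite',   # assumption
    [string]$AppPoolIdentity = 'IIS AppPool\MySite'           # assumption
)

# --- Condition 2: /Sitefinity/web.config must still deny anonymous requests ---
$cfgPath = Join-Path $SiteRoot 'Sitefinity\web.config'
if (-not (Test-Path $cfgPath)) {
    Write-Warning "Missing $cfgPath - the admin pages are reachable anonymously."
} else {
    [xml]$cfg = Get-Content -Path $cfgPath
    # Standard ASP.NET form assumed: <system.web><authorization><deny users="?"/>...
    $denyAnon = @($cfg.SelectNodes('//system.web/authorization/deny') |
        Where-Object { $_.users -eq '?' -or $_.users -eq '*' })
    if ($denyAnon.Count -eq 0) {
        Write-Warning "$cfgPath no longer denies anonymous users (no <deny users=`"?`"/>)."
    } else {
        Write-Output "OK: $cfgPath denies anonymous requests."
    }
}

# --- Condition 3: app pool identity should have write access only under App_Data ---
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write
$appData     = Join-Path $SiteRoot 'App_Data'
# Site root plus every subdirectory that is not App_Data (or inside it).
$dirs = @(Get-Item -Path $SiteRoot) +
        @(Get-ChildItem -Path $SiteRoot -Directory -Recurse |
          Where-Object { $_.FullName -ne $appData -and
                         $_.FullName -notlike "$appData\*" })
foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        # -eq is case-insensitive, so "IIS APPPOOL\MySite" matches the assumed name.
        if ($ace.IdentityReference.Value -eq $AppPoolIdentity -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeRights) -ne 0)) {
            Write-Warning "Write access for $AppPoolIdentity on $($dir.FullName)"
        }
    }
}
```

Run it from an elevated PowerShell 3.0 or later session on the web server; inherited ACEs are reported too, since they grant the same effective write access.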

Several months ago, Georgi Chokov recommended these and other security best practices in his Building a secured Sitefinity website blog post. For those who haven’t already followed these instructions, I strongly suggest you do so. I also recommend that you upgrade your web sites to a current version of Sitefinity.

If you have specific questions or need help, contact support.


The Progress Team
