CVE-2018-7669
CVSS7.8
发布时间 :2018-04-27 12:29:01
修订时间 :2018-06-06 13:51:48
NMP    

[原文]An issue was discovered in Sitecore Sitecore.NET 8.1 rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer' application is vulnerable to a directory traversal attack, allowing an attacker to access arbitrary files from the host Operating System using a sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file= URI. Validation is performed to ensure that the text passed to the 'file' parameter correlates to the correct log file directory. This filter can be bypassed by including a valid log filename and then appending a traditional 'dot dot' style attack.


[CNNVD]CNNVD数据暂缺。


[机译]译文暂缺.

- CVSS (基础分值)

CVSS分值: 7.8 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-22 [对路径名的限制不恰当(路径遍历)]

- CPE (受影响的平台与产品)

cpe:/a:sitecore:sitecore.net:8.1:update1
cpe:/a:sitecore:sitecore.net:8.1:update2
cpe:/a:sitecore:sitecore.net:8.1:update3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7669
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7669
(官方数据源) NVD

- 其它链接及资源

http://seclists.org/fulldisclosure/2018/Apr/47
(VENDOR_ADVISORY)  FULLDISC  20180424 Sitecore Directory Traversal Vulnerability
https://kb.sitecore.net/articles/356221
(VENDOR_ADVISORY)  CONFIRM  https://kb.sitecore.net/articles/356221

- 漏洞信息 (F147367)

Sitecore.NET 8.1 Directory Traversal (PacketStormID:F147367)
2018-04-26 00:00:00
Chris Moberly  
exploit,file inclusion
CVE-2018-7669
[点击下载]

Sitecore.NET version 8.1 suffers from a directory traversal vulnerability.

Sitecore Directory Traversal Vulnerability
CVE-2018-7669 (reserved)


An issue was discovered in Sitecore CMS that affects at least
'Sitecore.NET 8.1' rev. 151207 Hotfix 141178-1 and above. The 'Log Viewer'
application is vulnerable to a directory traversal attack, allowing an attacker
to access arbitrary files from the host Operating System using a
'sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=' URI. Validation
is performed to ensure that the text passed to the 'file' parameter correlates
to the correct log file directory. This filter can be bypassed by including a
valid log filename and then appending a traditional 'dot dot' style attack.


[Steps to Reproduce]
The 'Log Viewer' application renders log files from the local filesystem inside
the web browser using a URL like the following:
http://<website>/sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=


The following URL can be used to validate the vulnerability by accessing the
win.ini file on a Windows host (remove line breaks):
http://<website>/sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=
c%3a%5cwebsites%5c<website>%5cdata%5clogs%5<valid log file>.txt\
..\..\..\..\..\windows\win.ini


The following URL can be used to access the application's configuration file
containing SQL login credentials (remove line breaks):
http://<website>/sitecore/shell/default.aspx?xmlcontrol=LogViewerDetails&file=
c%3a%5cwebsites%5c<website>%5cdata%5clogs%5c<valid log file>.txt\
..\..\..\Website\App_Config\ConnectionStrings.config


Both of the above URLs are dependent on the application's configuration and
must be modified to correct the <website> and <valid log file> portion.


[Additional Information]
Vendor confirmed receipt of the vulnerability and stated a fix was in progress.
Vendor acknowledgement: https://kb.sitecore.net/articles/356221


------------------------------------------


[Vulnerability Type]
Directory Traversal


------------------------------------------


[Vendor of Product]
Sitecore


------------------------------------------


[Affected Product Code Base]
CMS - 8.1 and up (earlier versions untested)


------------------------------------------


[Attack Type]
Remote


------------------------------------------


[Impact Information Disclosure]
true


------------------------------------------


[Has vendor confirmed or acknowledged the vulnerability?]
true


------------------------------------------


[Discoverer]
Chris Moberly @ The Missing Link Security


    
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站