Security Advisory for Resolving Security vulnerabilities, September, 2018


Information

Article Number: 000091658
Environment:
  Product: Sitefinity
  Version: 4.x, 5.x, 6.x, 7.x, 8.x, 9.x, 10.x, 11.0
  OS: All supported OS versions
  Database: All supported database server versions
Question/Problem Description

Security vulnerabilities were identified in Sitefinity CMS:  

  • XSS Vulnerability in Telerik.ReportViewer (CVE-2017-9140)

The issue is present in Sitefinity versions 4.2 - 11.0

Reflected cross-site scripting (XSS) in the Telerik Reporting ASP.NET WebForms Report Viewer affects Sitefinity. The component is used by the eCommerce module to render backend reports; its Telerik.ReportViewer.axd handler allows third parties to inject arbitrary web script or HTML.

By default, this handler is enabled in the web.config file. This is a potential vector for a phishing attack.

   

  • Cross-Site Scripting (XSS) in Identity Server (CVE-2018-17053, CVE-2018-17054)

The issue is present in Sitefinity versions 10.0 - 11.0 

Missing sanitization of the login request parameters could lead to reflected cross-site scripting (XSS). This is a potential vector for a phishing attack.
 

  • Cross-site Scripting (XSS) Vulnerability in Service Stack (CVE-2018-17056)

The issue is present in Sitefinity versions 10.2 - 11.0

Reflected cross-site scripting (XSS) vulnerability in ServiceStack affects Sitefinity. 

This is a potential vector for a phishing attack. 
 

  • Arbitrary file upload vulnerability (CVE-2018-17055)

The issue is present in Sitefinity versions 4.0 - 11.0

In specific scenarios image upload allows the inclusion of malicious files. This is a potential vector for a phishing attack.  

 

  • Arbitrary Code Execution in Dynamic Linq Parser affects Sitefinity 

The issue is present in Sitefinity versions 4.0 - 11.0

Arbitrary Code Execution in Dynamic Linq Parser can potentially be exploited by privileged users. However, this is a potential threat only and not a proven attack vector. 

Resolution

For optimal security, upgrade to the latest Sitefinity 11.0 hotfix or internal build.

 

For lower versions, refer to the table below. 

The fixes are cumulative and include the fixes for all the above-mentioned vulnerabilities. 

Sitefinity version | Hotfix version          | Internal build
11.0               | Hotfix 2 - 11.0.6702.0  | 11.0.6729.0
10.2               | Hotfix 4 - 10.2.6604.0  | 10.2.6641.0
10.1               | Hotfix 6 - 10.1.6506.0  | 10.1.6536.0
10.0               | Hotfix 7 - 10.0.6415.0  | 10.0.6427.0
9.2                | Hotfix 6 - 9.2.6270.0   | 9.2.6271.0
9.1                | Hotfix 6 - 9.1.6180.0   | 9.1.6181.0
9.0                | Hotfix 6 - 9.0.6060.0   | 9.0.6061.0
8.2                | Hotfix 5 - 8.2.5970.0   | 8.2.5971.0
8.1                | Hotfix 6 - 8.1.5860.0   | 8.1.5861.0
8.0                | Hotfix 5 - 8.0.5770.0   | 8.0.5771.0
7.3                | Hotfix 6 - 7.3.5690.0   | 7.3.5691.0
7.2                | Hotfix 5 - 7.2.5350.0   | 7.2.5351.0
7.1                | Hotfix 3 - 7.1.5240.0   | 7.1.5241.0
7.0                | Hotfix 3 - 7.0.5140.0   | 7.0.5141.0
6.3                | Hotfix 2 - 6.3.5050.0   | 6.3.5051.0
6.2                | Hotfix 3 - 6.2.4930.0   | Not available
6.1                | Hotfix 2 - 6.1.4720.0   | Not available
6.0                | Hotfix 3 - 6.0.4230.0   | Not available
Workaround
The following workaround applies only to the XSS vulnerability in Telerik.ReportViewer:
Projects that do not use the e-commerce module can safely remove the handler from the web.config file. All other projects should apply the hotfix.
Remove the following lines from the web.config (the first is the classic-mode registration under <system.web>/<httpHandlers>, the second the integrated-mode registration under <system.webServer>/<handlers>):
<add verb="*" path="Telerik.ReportViewer.axd" type="Telerik.ReportViewer.WebForms.HttpHandler, Telerik.ReportViewer.WebForms" />
...
<add name="Telerik.ReportViewer.axd_*" verb="*" preCondition="integratedMode" path="Telerik.ReportViewer.axd" type="Telerik.ReportViewer.WebForms.HttpHandler, Telerik.ReportViewer.WebForms" />
Reference: XSS Vulnerability in Telerik.ReportViewer 

The provided workaround does not apply to the other four issues.
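As an added example (not from the advisory or from Progress), a Python script that audits a web.config for both ReportViewer handler registrations quoted above and removes them while leaving other handlers intact. The web.config inside it is constructed; the section names system.web/httpHandlers and system.webServer/handlers are the standard ASP.NET handler locations.

```python
# Added example, not part of the advisory: audit a Sitefinity web.config for
# the Telerik.ReportViewer.axd handler registrations quoted above and strip
# them. It implements only the ReportViewer workaround for sites that do not
# use the e-commerce module; the other four issues still need the hotfix.
import xml.etree.ElementTree as ET

VULN_PATH = "telerik.reportviewer.axd"

# ASP.NET registers HTTP handlers in two places: classic-mode entries under
# system.web/httpHandlers and integrated-mode entries (preCondition=
# "integratedMode") under system.webServer/handlers. The advisory quotes one
# line from each section; both carry path="Telerik.ReportViewer.axd".
HANDLER_SECTIONS = (("system.web", "httpHandlers"),
                    ("system.webServer", "handlers"))


def find_reportviewer_handlers(root):
    """Return (parent, add) pairs for every registration of the handler."""
    hits = []
    for outer, inner in HANDLER_SECTIONS:
        section = root.find(outer)
        parent = section.find(inner) if section is not None else None
        if parent is None:
            continue
        for add in parent.findall("add"):
            if add.get("path", "").lower() == VULN_PATH:
                hits.append((parent, add))
    return hits


def remove_reportviewer_handlers(config_xml):
    """Return (cleaned_xml, removed_count); unrelated entries are kept."""
    root = ET.fromstring(config_xml)
    hits = find_reportviewer_handlers(root)
    for parent, add in hits:
        parent.remove(add)
    return ET.tostring(root, encoding="unicode"), len(hits)


# Constructed sample web.config: both registrations from the advisory plus
# an unrelated handler that must survive the cleanup.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web><httpHandlers>
    <add verb="*" path="Telerik.ReportViewer.axd" type="Telerik.ReportViewer.WebForms.HttpHandler, Telerik.ReportViewer.WebForms" />
    <add verb="*" path="Example.axd" type="Example.Handler, Example" />
  </httpHandlers></system.web>
  <system.webServer><handlers>
    <add name="Telerik.ReportViewer.axd_*" verb="*" preCondition="integratedMode" path="Telerik.ReportViewer.axd" type="Telerik.ReportViewer.WebForms.HttpHandler, Telerik.ReportViewer.WebForms" />
  </handlers></system.webServer>
</configuration>"""
```

Run it against a copy of web.config and review the diff before deploying; removing the handler also disables the eCommerce backend reports it serves, which is why the advisory limits the workaround to sites not using that module.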
Notes
000076924, How to update Sitefinity to hotfix, internal build or a patch

Thanks to Ali Hardudi, a Security Analyst at ERNW GmbH, for identifying and disclosing the XSS vulnerability in Identity Server, the XSS vulnerability in Service Stack and the arbitrary file upload vulnerability.


CVEs:
CVE-2017-9140 
CVE-2018-17053
CVE-2018-17054
CVE-2018-17055
CVE-2018-17056
Last Modified Date: 9/26/2018 3:19 PM