Security Advisory for Resolving Security vulnerabilities March/April 2020


Information

Title: Security Advisory for Resolving Security vulnerabilities March/April 2020
URL Name: Security-Advisory-for-Resolving-Security-vulnerabilities-March-April-2020
Article Number: 000142025
Environment:
Product: Sitefinity
Version: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x
OS: All supported OS versions
Database: All supported Microsoft SQL Server versions
Question/Problem Description
A set of potential security vulnerabilities has been identified in Progress Sitefinity. Below is a list of bugfix rollup patches per version that contain fixes for these vulnerabilities. If you have any questions in this regard, please contact Progress Technical Support.


Directory Traversal (Workflow) vulnerability

  • Affected Supported Versions: 7.0 - 12.2

  • Severity: Critical

Directory Traversal (File upload) vulnerability

  • Affected Supported Versions: 7.0 - 10.1

  • Severity: Critical

XSS vulnerabilities in the Backend Administration

  • Affected Supported Versions: 7.0 - 12.2

  • Severity: Medium

  • Only users with backend privileges can exploit this vulnerability.

  • Version 11.0 and up introduce the WebSecurity Module, which adds a CSP (Content Security Policy) header as protection against XSS attacks. When the module is active, this attack vector is mitigated.

Sitefinity Documentation, WebSecurity Module: https://www.progress.com/documentation/sitefinity-cms/web-security-module

Resolution
For the highest security, we recommend an upgrade to the latest Progress Sitefinity CMS release.

After applying the patch, make sure to apply the encryption keys in web.config as well, as described in this article:

  • Blue Mockingbird and what it means for Sitefinity

The security patches are available for the supported Progress Sitefinity versions listed below, with fixes as applicable (✓ = fix included in the patch):

Sitefinity Version | Patch Version*** | Directory Traversal (Workflow) | Directory Traversal (File upload) | XSS vulnerabilities in the Backend Administration
-------------------|------------------|--------------------------------|-----------------------------------|--------------------------------------------------
12.2               | 12.2.7230        | ✓                              | Not Vulnerable                    | ✓
12.1               | 12.1.7131        | ✓                              | Not Vulnerable                    | ✓
12.0               | 12.0.7037        | ✓                              | Not Vulnerable                    | ✓
11.2               | 11.2.6937        | ✓                              | Not Vulnerable                    | ✓
11.1               | 11.1.6831        | ✓                              | Not Vulnerable                    | ✓
11.0               | 11.0.6741        | ✓                              | Not Vulnerable                    | ✓
10.2               | 10.2.6653        | ✓                              | Not Vulnerable                    | ✓
10.1               | 10.1.6544        | ✓                              | ✓                                 | ✓
10.0               | 10.0.6433        | ✓                              | ✓                                 | ✓
9.2                | 9.2.6278         | ✓                              | ✓                                 | ✓
9.1                | 9.1.6187         | ✓                              | ✓                                 | ✓
9.0                | 9.0.6065         | ✓                              | ✓                                 | ✓
8.2                | 8.2.5975         | ✓                              | ✓                                 | ✓
8.1                | 8.1.5864         | ✓                              | ✓                                 | ✓
8.0                | 8.0.5774         | ✓                              | ✓                                 | ✓
7.3                | 7.3.5694         | ✓                              | ✓                                 | ✓
7.2                | 7.2.5354         | ✓                              | ✓                                 | ✓
7.1                | 7.1.5244         | ✓                              | ✓                                 | ✓
7.0                | 7.0.5144         | ✓                              | ✓                                 | ✓

*** When upgrading, always make sure to upgrade to the latest available PATCH version for your Sitefinity version. The last two digits of the patch build vary with the latest available build for that version line, e.g. 12.2.72XX.
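The patch table and its footnote define a simple check an operator can run over an inventory: a build is fixed when it is at or above the listed patch build for its version line, and later patch builds still count as fixed. The Python below is an added example, not Progress code: MIN_PATCHED and the per-issue version ranges are transcribed from this advisory, the host inventory in the demo is constructed, and version lines outside the table are reported as not covered rather than guessed at.

```python
"""Check Sitefinity build numbers against the advisory's patch table.

Added example (not Progress code). MIN_PATCHED and ISSUES are transcribed
from the advisory; the inventory in the demo is constructed. A build is
treated as patched when it is at or above the listed patch build for its
version line, which is how the footnote reads: later patch builds of the
same line include the fix.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Line = Tuple[int, int]  # (major, minor), e.g. (12, 2)

# Minimum patched build per version line (advisory table).
MIN_PATCHED: Dict[Line, int] = {
    (12, 2): 7230, (12, 1): 7131, (12, 0): 7037,
    (11, 2): 6937, (11, 1): 6831, (11, 0): 6741,
    (10, 2): 6653, (10, 1): 6544, (10, 0): 6433,
    (9, 2): 6278, (9, 1): 6187, (9, 0): 6065,
    (8, 2): 5975, (8, 1): 5864, (8, 0): 5774,
    (7, 3): 5694, (7, 2): 5354, (7, 1): 5244, (7, 0): 5144,
}

# Affected version-line ranges per issue (advisory "Affected Supported Versions").
ISSUES: Dict[str, Tuple[Line, Line]] = {
    "Directory Traversal (Workflow)": ((7, 0), (12, 2)),
    "Directory Traversal (File upload)": ((7, 0), (10, 1)),
    "XSS in Backend Administration": ((7, 0), (12, 2)),
}

# Accepts "12.2.7230" and the four-part "12.2.7230.0" form; the build is the third number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


@dataclass
class Assessment:
    version: str
    line_known: bool          # False when the major.minor is not in the table
    patched: bool
    open_issues: List[str] = field(default_factory=list)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'12.2.7230' or '12.2.7230.0' -> (12, 2, 7230); rejects anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sitefinity version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def assess(version_text: str) -> Assessment:
    """Compare one build against the table and list the issues left open."""
    major, minor, build = parse_version(version_text)
    line: Line = (major, minor)
    min_build = MIN_PATCHED.get(line)
    if min_build is None:
        # Not covered by this advisory (e.g. a newer release line); do not guess.
        return Assessment(version_text, line_known=False, patched=False)
    patched = build >= min_build
    open_issues = [] if patched else [
        name for name, (low, high) in ISSUES.items() if low <= line <= high
    ]
    return Assessment(version_text, True, patched, open_issues)


def report(inventory: Dict[str, str]) -> List[str]:
    """One status line per host; malformed versions are reported, not skipped."""
    lines = []
    for host, version in inventory.items():
        try:
            a = assess(version)
        except ValueError as exc:
            lines.append(f"{host}: {exc}")
            continue
        if not a.line_known:
            lines.append(f"{host}: {version} - version line not in this advisory")
        elif a.patched:
            lines.append(f"{host}: {version} - patched")
        else:
            lines.append(f"{host}: {version} - UNPATCHED: " + ", ".join(a.open_issues))
    return lines


if __name__ == "__main__":
    # Constructed inventory for the demo (host names and builds are made up).
    demo = {
        "cms-prod-01": "12.2.7200.0",
        "cms-prod-02": "12.2.7230.0",
        "cms-legacy": "10.1.6500.0",
        "cms-stage": "12.2",
    }
    print("\n".join(report(demo)))
```

Feed `report()` whatever your inventory source produces (the assembly version of Telerik.Sitefinity.dll is the usual input); a line that comes back UNPATCHED names exactly the issues from this advisory that apply to that version line.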
 

  • Progress Article: How to update Sitefinity to hotfix, internal build or a patch

  • Progress Article: How to download patches and internal builds

  • Sitefinity Documentation, Upgrade procedure: https://www.progress.com/documentation/sitefinity-cms/upgrade

  • Upgrading Sitefinity CMS Whitepaper: https://www.progress.com/docs/default-source/sitefinity/sitefinity-best-practices-whitepaper.pdf

Note: After upgrading to the patch for version 12.1 or below, remove the following entry from the web.config file:

 <add verb="*" path="Telerik.Sitefinity.AsyncFileUploadHander.ashx" type="Telerik.Sitefinity.Workflow.AsyncFileUploadHander, Telerik.Sitefinity" />
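As an added example (not Progress code or a Progress-supported tool), the Python script below performs the removal above: it finds every <add> element in a web.config whose type or path names this handler, deletes it, and reports how many entries were removed so the operator can confirm the edit actually changed something. SAMPLE_WEB_CONFIG is a constructed fragment for the demo; the system.webServer/handlers entry in it is an assumption about a second place the same registration may appear, since the advisory shows only the verb/path/type form.

```python
"""Remove the AsyncFileUploadHander registration from a web.config.

Added example, not Progress code. The handler type and path are the ones
in the advisory's web.config entry; SAMPLE_WEB_CONFIG is constructed.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Values taken from the advisory's web.config entry.
HANDLER_TYPE = "Telerik.Sitefinity.Workflow.AsyncFileUploadHander"
HANDLER_PATH = "Telerik.Sitefinity.AsyncFileUploadHander.ashx"
XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed sample. The system.webServer/handlers entry is an assumption
# about where else the registration may appear; the advisory shows only the
# system.web/httpHandlers form. The WebResource handler is an unrelated entry
# that must survive the edit.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpHandlers>
      <!-- entry named in the advisory -->
      <add verb="*" path="Telerik.Sitefinity.AsyncFileUploadHander.ashx" type="Telerik.Sitefinity.Workflow.AsyncFileUploadHander, Telerik.Sitefinity" />
      <add verb="*" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource, Telerik.Web.UI" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add name="AsyncFileUploadHander" verb="*" path="Telerik.Sitefinity.AsyncFileUploadHander.ashx" type="Telerik.Sitefinity.Workflow.AsyncFileUploadHander, Telerik.Sitefinity" />
    </handlers>
  </system.webServer>
</configuration>
"""


def _parse(config_xml: str) -> ET.Element:
    # insert_comments keeps XML comments inside <configuration> across the rewrite.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(config_xml, parser=parser)


def _type_name(type_attr: str) -> str:
    """'Namespace.Type, Assembly' -> 'Namespace.Type' (assembly part dropped)."""
    return type_attr.split(",", 1)[0].strip()


def find_handler_entries(root: ET.Element) -> List[Tuple[ET.Element, ET.Element]]:
    """Return (parent, <add>) pairs registering the handler, wherever they sit."""
    hits = []
    for parent in root.iter():
        for child in list(parent):
            if child.tag != "add":
                continue
            if (_type_name(child.get("type", "")) == HANDLER_TYPE
                    or child.get("path", "").lower() == HANDLER_PATH.lower()):
                hits.append((parent, child))
    return hits


def remove_handler(config_xml: str) -> Tuple[str, int]:
    """Return (updated xml, number of entries removed)."""
    root = _parse(config_xml)
    hits = find_handler_entries(root)
    for parent, child in hits:
        parent.remove(child)
    return XML_DECL + ET.tostring(root, encoding="unicode"), len(hits)


def handler_present(config_xml: str) -> bool:
    """Post-edit check: True if any registration of the handler remains."""
    return bool(find_handler_entries(_parse(config_xml)))


if __name__ == "__main__":
    # Usage: python remove_handler.py path/to/web.config  (writes web.config.bak first)
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            original = fh.read()
        with open(sys.argv[1] + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        updated, removed = remove_handler(original)
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(updated)
    else:
        updated, removed = remove_handler(SAMPLE_WEB_CONFIG)
    print(f"removed {removed} handler entr{'y' if removed == 1 else 'ies'}; "
          f"still present: {handler_present(updated)}")
```

ElementTree re-serialises the file (attribute quoting and whitespace may change, and comments outside the root element are dropped), so diff web.config against the .bak copy before the application pool recycles, and keep the backup until the site has been verified.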

 

Workaround
A workaround exists for the Directory Traversal (Workflow) vulnerability, applicable to version 11.1 or higher.
Contact Progress Technical Support for more information.
Notes

We would like to thank the following people for assisting with making the information regarding the Directory Traversal (File upload) vulnerability public:

  • Markus Wulftange of Code White GmbH (https://www.code-white.com/)

  • Abdulrahman Nour, (Partner) RedForce.io
Last Modified Date: 11/20/2020 6:54 AM