
Hard-Coded ‘b’ Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments



Jun 17, 2025 · Ravie Lakshmanan · Vulnerability / Enterprise Software


Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution.

Sitecore Experience Platform is enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports.

The list of vulnerabilities, which are yet to be assigned CVE identifiers, is as follows –

  • Use of hard-coded credentials
  • Post-authenticated remote code execution via path traversal
  • Post-authenticated remote code execution via Sitecore PowerShell Extension

watchTowr Labs researcher Piotr Bazydlo said the default user account “sitecore\ServicesAPI” has a single-character password that is hard-coded to “b.”

While the user has no roles or permissions assigned in Sitecore, the attack surface management firm found that the credentials could nonetheless be used against the “/sitecore/admin” API endpoint to log in as “sitecore\ServicesAPI” and obtain a valid session cookie for the user.

“While we can’t access ‘Sitecore Applications’ (where a significant portion of functionality is defined) as the ServicesAPI has no roles assigned, we can still: (1) Access a number of APIs, and (2) Pass through IIS authorization rules and directly access some endpoints,” Bazydlo explained.

This, in turn, opens the door to remote code execution via a zip slip vulnerability: a specially crafted ZIP file uploaded through the “/sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx” endpoint causes the archive’s contents (e.g., a web shell) to be written to the webroot directory.

The entire sequence of actions is listed below –

  • Authenticate as the “sitecore\ServicesAPI” user
  • Access Upload2.aspx
  • Upload a ZIP file containing a web shell whose entry name is //../
  • When prompted, check the Unzip option and complete the upload
  • Access the web shell
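The zip slip step above works because the archive entry name (a path beginning with “//../”) is trusted when the server unpacks the upload. The following Python script is an added, defender-side illustration of the bug class; it is not Sitecore's code and does not model the Upload2.aspx handler. It builds a small archive (constructed sample data) with one benign entry and two traversal entries, and shows an extractor that resolves every entry against the destination directory and refuses anything that would land outside it.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus two entries whose
    names try to escape the extraction directory (zip slip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/banner.txt", "harmless content")
        zf.writestr("../../escaped.txt", "would land two levels above the target")
        zf.writestr("//../escaped2.txt", "leading slashes plus dot-dot")
    return buf.getvalue()


def is_safe_member(root: str, name: str) -> bool:
    """True only if the entry name resolves to a path inside root.

    The decision is made on the fully resolved path rather than by searching
    for the substring '..', so absolute names, mixed separators and symlinked
    roots are all handled the same way.
    """
    root_abs = os.path.realpath(root)
    candidate = os.path.join(root_abs, name.replace("\\", "/"))
    target = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root_abs, target]) == root_abs
    except ValueError:  # different drives on Windows: never inside root
        return False


def safe_extract(zip_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only entries that stay inside dest; return (extracted, rejected)."""
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def run_demo() -> dict:
    """Extract the constructed archive into a scratch directory and report
    what was written, what was rejected, and what actually exists on disk."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_zip(), dest)
        on_disk = sorted(
            p.relative_to(dest).as_posix()
            for p in Path(dest).rglob("*") if p.is_file()
        )
    return {"extracted": extracted, "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    print(run_demo())
```

Python's own `ZipFile.extractall` already strips leading slashes and `..` components, but an application that reads entry names itself and joins them onto a webroot, as the behaviour described above implies, gets none of that protection; the resolve-then-compare check in `is_safe_member` is the portable fix.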

The third vulnerability is an unrestricted file upload flaw in PowerShell Extensions that can also be exploited as the “sitecore\ServicesAPI” user to achieve remote code execution through the “/sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx” endpoint.
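Both post-authentication bugs go through two named upload endpoints, and the chain starts with the ServicesAPI account authenticating via “/sitecore/admin”, so those three paths are the obvious things to hunt for in IIS logs. The script below is an added detection example written for this article, not watchTowr's or Sitecore's code; the log excerpt is constructed in W3C format, the field layout is an assumption, and the rule that flags the ServicesAPI account at “/sitecore/admin” rests on the article's statement that the account has no roles.

```python
from __future__ import annotations

from urllib.parse import unquote

# Endpoints named in the write-up, keyed by URL-decoded, lower-cased path.
WATCHED_ENDPOINTS = {
    "/sitecore/shell/applications/dialogs/upload/upload2.aspx":
        "zip-slip upload dialog (Upload2.aspx)",
    "/sitecore modules/shell/powershell/uploadfile/powershelluploadfile2.aspx":
        "PowerShell Extensions upload (PowerShellUploadFile2.aspx)",
}
SERVICE_ACCOUNT = "sitecore\\servicesapi"  # compared lower-cased

# Constructed IIS W3C log excerpt (not a real capture): ordinary API traffic,
# a ServicesAPI login through /sitecore/admin, upload-dialog requests by that
# account, and a PowerShell upload by a different user.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2025-06-17 09:58:10 GET /sitecore/api/ssc/item/abc - sitecore\ServicesAPI 10.0.0.8 200
2025-06-17 10:00:01 POST /sitecore/admin - sitecore\ServicesAPI 203.0.113.7 302
2025-06-17 10:00:05 GET /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx - sitecore\ServicesAPI 203.0.113.7 200
2025-06-17 10:00:09 POST /sitecore/shell/Applications/Dialogs/Upload/Upload2.aspx - sitecore\ServicesAPI 203.0.113.7 200
2025-06-17 10:00:20 GET /sitecore%20modules/Shell/PowerShell/UploadFile/PowerShellUploadFile2.aspx - admin 10.0.0.9 200
2025-06-17 10:00:31 GET /content/home - - 198.51.100.4 200
"""


def parse_w3c(text: str):
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_suspicious(text: str) -> list[dict]:
    """Return records that touch the upload endpoints, or that show the
    ServicesAPI account logging in through /sitecore/admin."""
    findings = []
    for rec in parse_w3c(text):
        # Decode %20 and compare case-insensitively, as IIS paths are.
        path = unquote(rec["cs-uri-stem"]).lower()
        user = rec.get("cs-username", "-").lower()
        reasons = []
        if path in WATCHED_ENDPOINTS:
            reasons.append(WATCHED_ENDPOINTS[path])
            if user == SERVICE_ACCOUNT:
                reasons.append("upload endpoint reached by the ServicesAPI account")
        elif user == SERVICE_ACCOUNT and path.startswith("/sitecore/admin"):
            reasons.append("ServicesAPI account authenticating via /sitecore/admin")
        if reasons:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "user": rec["cs-username"],
                "client": rec["c-ip"],
                "path": rec["cs-uri-stem"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["time"], f["client"], f["user"], f["path"], "->", "; ".join(f["reasons"]))
```

Any hit on the two upload endpoints deserves review regardless of user, since they are the RCE sinks; a hit by the ServicesAPI account is the strongest signal, because per the article that account has no roles and no business in the shell UI.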

watchTowr pointed out that the hard-coded password originates from within the Sitecore installer, which imports a pre-configured user database with the ServicesAPI password set to “b.” This change, the company said, went into effect starting with version 10.1.


This also means that the exploit chain only works if users installed Sitecore using installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database was migrated rather than the database embedded within the installation package.

With previously disclosed flaws in Sitecore XP coming under active exploitation in the wild (CVE-2019-9874 and CVE-2019-9875), it is essential that users apply the latest patches, if they have not already, to safeguard against potential cyber threats.

“By default, recent versions of Sitecore shipped with a user that had a hard-coded password of ‘b.’ It’s 2025, and we can’t believe we still have to say this, but this is very bad,” Benjamin Harris, CEO and founder of watchTowr, told The Hacker News in a statement.

“Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises – so the blast radius here is massive. And no, this isn’t theoretical: we’ve run the full chain, end-to-end. If you’re running Sitecore, it doesn’t get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix.”
