Broken access control & LINQ injection in Progress Sitefinity

Project Description

Multiple vulnerabilities have been identified in Progress Sitefinity CMS version 10.1. Combining them, a vicious user can extract the password hash of any other user to aid in further attacks.


Vendor description

“Progress Sitefinity is a content management and marketing analytics platform designed to maximize the agility needed to succeed in today’s rapidly changing digital marketplace. It provides developers and IT teams the tools they need to support enterprise-level digital marketing, optimizing the customer journey by delivering seamless personalized experiences across different technologies and devices. Progress is a trusted source for the digital marketing innovation needed to create transformative customer experiences that fuel business success.”

Source: http://www.sitefinity.com/about

Business recommendation

SEC Consult recommends applying the provided patches by the vendor immediately.

Additionally, there are strong indications for further vulnerabilities and it is highly suggested to perform a thorough security review by security professionals to lower the risk of using this product.

Vulnerability overview/description

1) Broken Access Control

By using an unprotected function, a low privileged user can extract another user’s information such as email addresses, user ID, etc.

2) LINQ Injection

The identified LINQ injection enables an authenticated user to read sensitive data from the database. Specifically, an attacker can query the password or its hash character by character. Depending on the version of LINQ assembly in use, remote code execution could be possible as well.

Combining the two issues, a user could escalate her privileges.

Proof of concept

Detailed proof of concept URLs have been removed from this advisory.

1) Broken Access Control

A user with a low privileged role e.g. “BackendUsers” can obtain other users’ information including email, userid etc., which is not intended for a user with this role. The function disclosing the information is “GenericItemsService.svc” laid under path “Common”, which is in general not protected based on the role.

2) LINQ Injection

The aforementioned function “GenericItemsService.svc”, which can be invoked by any authenticated user regardless of her privilege, can be augmented by the parameter “filter”,  narrowing down the user list. However, this parameter does not undergo any sanitization hence properties like “password” can be queried character by character.

For instance, the request in example 1 [PoC removed] is asking the server whether any user has the password containing “2klv”. Upon a correct guess, the reply contains matching users’ attributes. By sending multiple such queries, an attacker can deduce the user’s password hash, salt, etc. In example 2 [PoC removed], function “Users.svc” can be used only by users with administrator privilege.

It could also be possible to extract the password in cleartext, if the default setting for membership format is changed.

Furthermore, depending on the third party assembly System.Linq, the issue could be abused to execute code on the server.

Vulnerable / tested versions

Progress Sitefinity 10.0 and 10.1 have been tested. Version 10.1 was the latest at the time the vulnerability was discovered. It is assumed earlier versions of this product are also vulnerable to the issues.

Vendor contact timeline

2017-08-22: Contacting vendor through email
2017-08-23: Contacting vendor’s security group
2017-08-23: Sending unencrypted advisory to Sitefinity Product Management as requested by vendor
2017-08-28: Vendor acknowledged the issues
2017-10-17: Asking for update. Vendor replies that a fix will be released within 2-3 weeks
2017-11-06: Vendor states the issues are fixed in version 10.1.6527.0
2017-11-14: Asking vendor where fixed version can be found
2017-11-14: Vendor releases version 10.2
2017-11-16: Coordinated release of security advisory

Solution

According to the vendor, all the identified issues have been fixed in version 10.1.6527.0 (internal build) and release 10.2.

https://www.sitefinity.com/product/version-notes/sitefinity-10.2
https://www.sitefinity.com/developer-network/forums/internal-builds/sitefinity-10.1-internal-builds#Hlb1FcE3622pWP8AAERlJg

Please update to the latest version immediately.

Workaround

None

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF M. Li / @2017

Project Details

  • TitleBroken access control & LINQ injection
  • ProductProgress Sitefinity
  • Vulnerable version10.0, 10.1
  • Fixed version>=10.1.6527.0 (internal build), 10.2
  • CVE number-
  • ImpactHigh
  • Homepagehttp://www.sitefinity.com | https://www.progress.com
  • Found2017-08-21
  • ByM. Li (Office Singapore) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back