# 0-day vulnerabilities at Sitecore PageDesigner

Sitecore is one of the leading enterprise-level content management systems built on [ASP.NET](http://ASP.NET), enabling web content editors and marketers to have full control over all aspects of their website from social integration and blog posts to advanced personalization, e-commerce and more. The Sitecore CMS is at the heart of all Sitecore-powered websites. Having taken advantage of the flexibility, scalability and security of the .NET framework it’s an enterprise favorite, used by leading global organizations such as Experian, Toshiba, Canon and Nestlé.

# 1\. Initial Vulnerability Discovery

By reviewing the Sitecore product's source code, it's easy to discover the following vulnerable code snippet in class `DownloadPage` from `/sitecore/shell/download.aspx`. It's intended to be safely designed by only using internal data (not from clients directly).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1678102592489/4c7eb74c-b3c4-4696-aa8b-f838383d61ba.png align="left")

Malicious users can inject `../` into `text` parameter to download arbitrary files. From the above code snippet, there are 2 ways to pass value to the `text` parameter:

1. Direct input from `file` parameter. This operation requires Administrator users.
    
2. Retrieve through `FileHandle.getFilename` call. It requires `filename` to exist and is referenced by either function `UrlHandle` or class `ValidationResultPage`
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1678102767661/95054a89-a04a-457c-9d4f-5834e890fd4a.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1678102434475/878e06ff-9e11-4afc-9a2e-a6b3dcf90e57.png align="center")

Deserialize data without `Binder` class causes unsafe deserialization vulnerability. However, the input is also from `UrlHandle`. It's worth taking a deeper look at this one.

# 2\. Inspecting sitecore `UrlHandle`

To get a better understanding of `UrlHandle` functionalities, you can read more at: [https://sitecorejunkie.com/2012/11/09/get-a-handle-on-urlhandle/](https://sitecorejunkie.com/2012/11/09/get-a-handle-on-urlhandle/)

In summary, `UrlHandle` stores internal-use data, and it does not take input from users. Data is retrieved by its' id or name. Let's take an example:

1. Class `page1` save string "8888" to be used by other pages
    
    ```csharp
    UrlHandle urlHandle = new UrlHandle();
    urlHandle["id"] = "88888"
    ```
    
2. Then, the class `page2` will retrieve the string "8888" with the query `GET page2.aspx?hdl=id`
    
    ```csharp
    UrlHandle urlHandle = UrlHandle.Get(); // (with default handlename taken from request parameter "hdl"
    string id = urlHandle["id"];
    ```
    

Let's take a closer look at how this behavior works out!

Inspect the source code of `UrlHandle` class, observe that those `UrlHandle` values are stored in session. They are stored in a `string` variable (line 12), which will be "id=88888" by the above example.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1678103428196/fab4e7d9-e867-4095-8e1c-716cfaafa2ce.png align="center")

Follow the function `SetSessionValue`, observe the `urlString2` will be saved in `HttpContext.Session` as the following code snippet:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1678103575363/f0c26e9b-30ae-4712-8085-8682a05a9d2a.png align="left")

At this point, `key` is the handle name, and `value` is string with format "variable\_name=data", e.g. "id=8888"

# 3\. Leverage `HttpContext.Session` features to forge `UrlHandle` values

One problem with `HttpContext.Session` is that it is used in multiple code snippets, eventually leading to creating a forgery `UrlHandle` in the case of a function can save arbitrary strings. Sitecore does have a function like that!

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1678103884246/43a2ad66-9be3-4068-b1eb-2ed11c6c8c32.png align="left")

The variable `CurrentDevice` is saved to `HttpContext.Session` with key `SC_PAGEDESIGNER_CURRENTDEVICE` . The parameter `value` is passed from client input, as any normal user.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1678103970667/9bfdda87-8d21-43dc-af80-f1dbfad21c2e.png align="left")

With that traces, it is possible to exploit the 2 code vulnerable code snippets from the beginning, which are protected by preventing user input to the class `DownloadPage` class or `ValidationResultPage.`

# 4\. Final Exploitation on sitecore!

## Arbitrary file download on class `DownloadPage`

1. Send request to `/sitecore/shell/~/xaml/Sitecore.Shell.Applications.Layouts.PageDesigner.aspx` with parameters `&__PARAMETERS=pagedesigner:changedevice(device=file=../../web.config)` to set `SC_PAGEDESIGNER_CURRENTDEVICE`\=`file=../../web.config`
    
2. As an arbitrary user, access `/sitecore/shell/download.aspx?file=SC_PAGEDESIGNER_CURRENTDEVICE` to download the previous file set.
    

## Insecure Deserialization on class `ValidationResultPage`

1. Send request to `/sitecore/shell/~/xaml/Sitecore.Shell.Applications.Layouts.PageDesigner.aspx` with parameters `&__PARAMETERS=pagedesigner:changedevice(device=file=validators=BinaryFormatterPayload)`
    
2. As an arbitrary user, access `/sitecore/shell/download.aspx?file=SC_PAGEDESIGNER_CURRENTDEVICE` to trigger deserialization payload.
    

%[https://www.youtube.com/watch?v=9eqge6SsAs4] 

# 5\. At the end of the day

The above vulnerabilities are disclosed by Sitecore with the following vulnerabilities code:

* UrlHandle: 525192 (Medium)
    
* Download.aspx: 390129 (Medium)
    
* ValidationResult.aspx: 525345 (Medium)
    

They are already fixed in the release note: [https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/103/Sitecore%20Experience%20Platform%20103/Release%20Notes](https://dev.sitecore.net/Downloads/Sitecore%20Experience%20Platform/103/Sitecore%20Experience%20Platform%20103/Release%20Notes)

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1679236426259/a80e2de6-5783-45db-b60a-7cb719f71c93.png align="center")

It is worth noting that the described examples are just based on the basic functionalities of Sitecore. If there are custom functions coded by developers, it can cause more serious vulnerabilties.

Updated:

CVE assigned:

CVE-2023-27066: Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows authenticated remote attackers to download arbitrary files via Urlhandle.

CVE-2023-27067: Directory Traversal vulnerability in Site Core Experience Platform 10.2 and earlier allows remote attackers to download arbitrary files via crafted command to download.aspx

CVE-2023-27068: Deserialization of Untrusted Data in Site Core Experience Platform Affected: version 10.2 and earlier allows remote attackers to run arbitrary code via ValidationResult.aspx.
