Directory Traversal vulnerability issues in Sitecore PageDesigner

Prabhu Ranganathan
3 min read · Jul 31, 2023


A fix for Sitecore 10.2 and earlier versions

Sitecore recently disclosed a vulnerability issue related to Directory Traversal in Sitecore Experience Platform. This vulnerability enables authenticated remote attackers to download arbitrary files by exploiting Urlhandle or download.aspx.

It is worth noting that this vulnerability has been identified only in Sitecore version 10.2 and earlier, and that it could potentially allow remote attackers to execute malicious actions.

Arbitrary File Download Vulnerability in DownloadPage

  1. Send request to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Layouts.PageDesigner.aspx with parameters &__PARAMETERS=pagedesigner:changedevice(device=file=../../web.config) to set SC_PAGEDESIGNER_CURRENTDEVICE=file=../../web.config
  2. As an arbitrary user, access /sitecore/shell/download.aspx?file=SC_PAGEDESIGNER_CURRENTDEVICE to download the previous file set.
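Both requests in the sequence above leave a trace in the IIS W3C logs, which gives defenders a way to check whether the chain has been attempted while a fix or the workaround is being rolled out. The following script is an added example, not code from the original post or from Sitecore; it assumes a W3C log whose #Fields header names the columns shown in the constructed sample, decodes the query string before matching, and reports a full chain whenever a download.aspx request for SC_PAGEDESIGNER_CURRENTDEVICE follows an earlier changedevice request, regardless of which user sent it, since the second step works for an arbitrary user.

```python
import urllib.parse

# Constructed IIS W3C sample lines (not real traffic); the #Fields header drives parsing.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2023-07-31 10:00:01 GET /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Layouts.PageDesigner.aspx __PARAMETERS=pagedesigner:changedevice(device=file=..%2F..%2Fweb.config) sitecore\\editor 203.0.113.5 200
2023-07-31 10:00:07 GET /sitecore/shell/download.aspx file=SC_PAGEDESIGNER_CURRENTDEVICE sitecore\\editor 203.0.113.5 200
2023-07-31 10:05:00 GET /sitecore/shell/default.aspx - sitecore\\admin 198.51.100.9 200
2023-07-31 10:06:00 GET /sitecore/shell/download.aspx file=SC_PAGEDESIGNER_CURRENTDEVICE sitecore\\viewer 198.51.100.9 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Label the two request shapes from the advisory, or return None for anything else."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = urllib.parse.unquote(entry.get("cs-uri-query", "")).lower()
    if stem.endswith("pagedesigner.aspx") and "pagedesigner:changedevice" in query and "file=" in query:
        return "device-set-to-file"       # step 1: device name pointed at a file path
    if stem.endswith("/download.aspx") and "file=sc_pagedesigner_currentdevice" in query:
        return "download-via-device"      # step 2: download.aspx served the stored path
    return None

def detect(text):
    """Return findings as (stage, user, client_ip, decoded_query) tuples, in log order."""
    findings = []
    for entry in parse_w3c(text):
        stage = classify(entry)
        if stage:
            findings.append((stage, entry.get("cs-username"), entry.get("c-ip"),
                             urllib.parse.unquote(entry.get("cs-uri-query", ""))))
    return findings

def full_chain_seen(findings):
    """True once a download follows an earlier device-set event, whoever sent it."""
    armed = False
    for stage, *_ in findings:
        if stage == "device-set-to-file":
            armed = True
        elif stage == "download-via-device" and armed:
            return True
    return False
```

A download-via-device hit without a preceding device-set event still deserves a look, since the first request may sit in an older log file than the one being scanned.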

Being aware of this security concern and taking appropriate measures to mitigate the risk is of utmost importance for users.

However, it’s worth noting that Sitecore has not provided a fix for this issue in versions 10.2 or earlier. The good news is that this vulnerability has been automatically addressed in Sitecore 10.3, where the default settings have been updated to fix the issue.

However, upgrading to address this issue may not be a viable option for everyone due to various reasons.

Consequently, we reached out to Sitecore support seeking a fix for the problem, as our client’s Sitecore instance is running on version 9.1. Unfortunately, Sitecore informed us that since version 9.1 is now in the Extended Support phase, no official fixes for these bugs are planned.

Instead, they suggested considering an upgrade to the mainstream version of Sitecore, which would grant access to the latest functionalities and the ability to request hotfixes (pre-releases).

After several rounds of discussion, we finally received a workaround from Sitecore support that tackles the issue effectively. Below is the workaround provided by Sitecore support:

The PageDesigner is an entry point to exploit all the vulnerabilities described in the blog post. You can just remove the /sitecore/shell/Applications/Layouts/PageDesigner/PageDesigner.xaml.xml file. This file is responsible for the deprecated layout editor (edit aspx markup) thus removing it does not affect any useful functionality.

This resolved the issue on our Sitecore 9.1 instance. For anyone running a 9.x version, the same approach may resolve the issue as well.

For 10.x versions, there are two options: reach out to Sitecore support to obtain the necessary hotfixes, or apply the workaround described above, given that the page designer editor is now a deprecated feature. Which option to choose depends on your specific requirements and preferences.

Below are the references, which contain more detailed information about the issue:

Happy learning!! Happy sharing!!

12+ years of experience | Sitecore MVP | Sitecore Architect | 2 x Sitecore Certified | Ordercloud Certified | Husband & father of two