Hi! This is the ezmlm program. I'm managing the bugtraq@xxxxxxxxxxxxxxxxx mailing list.

I'm working for my owner, who can be reached at bugtraq-owner@xxxxxxxxxxxxxxxxx.

Messages to you from the bugtraq mailing list seem to have been bouncing. I've attached a copy of the first bounce message I received.

If this message bounces too, I will send you a probe. If the probe bounces, I will remove your address from the bugtraq mailing list, without further notice.

I've kept a list of which messages from the bugtraq mailing list have bounced from your address.

Copies of these messages may be in the archive.

To retrieve a set of messages 123-145 (a maximum of 100 per request), send an empty message to:
   <bugtraq-get.123_145@xxxxxxxxxxxxxxxxx>

To receive a subject and author list for the last 100 or so messages, send an empty message to:
   <bugtraq-index@xxxxxxxxxxxxxxxxx>

Here are the message numbers:

   47393
   47394
   47395
   47396
   47397
   47398
   47399
   47400
   47401

--- Enclosed is a copy of the bounce message I received.
Return-Path: <>
Received: (qmail 30770 invoked from network); 29 Jul 2011 14:49:43 -0000
Received: from unknown (HELO mail.securityfocus.com) (192.168.120.35)
  by lists.securityfocus.com with SMTP; 29 Jul 2011 14:49:43 -0000
Received: (qmail 8842 invoked by alias); 29 Jul 2011 14:49:33 -0000
Received: (qmail 19916 invoked from network); 29 Jul 2011 14:48:18 -0000
Received: from unknown (HELO sf01smtp2.securityfocus.com) (192.168.120.34)
  by mail.securityfocus.com with SMTP; 29 Jul 2011 14:48:18 -0000
Received: by sf01smtp2.securityfocus.com (Postfix) id AC00280B06;
  Fri, 29 Jul 2011 07:59:34 -0700 (PDT)
Date: Fri, 29 Jul 2011 07:59:34 -0700 (PDT)
From: MAILER-DAEMON@xxxxxxxxxxxxxxxxx (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: bugtraq-return-47393-list-bugtraq23=spinics.net@xxxxxxxxxxxxxxxxx
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
  boundary="91D1980998.1311951557/sf01smtp2.securityfocus.com"
Message-Id: <20110729145934.AC00280B06@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

This is a MIME-encapsulated message.

--91D1980998.1311951557/sf01smtp2.securityfocus.com
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host sf01smtp2.securityfocus.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.
                   The mail system

<list-bugtraq23@xxxxxxxxxxx>: host mail.spinics.net[68.183.106.108] said: 550
    5.7.1 Rejected: 143.127.139.113 listed at zen.spamhaus.org (in reply to
    MAIL FROM command)

--91D1980998.1311951557/sf01smtp2.securityfocus.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; sf01smtp2.securityfocus.com
X-Postfix-Queue-ID: 91D1980998
X-Postfix-Sender: rfc822; bugtraq-return-47393@xxxxxxxxxxxxxxxxx
Arrival-Date: Fri, 29 Jul 2011 07:36:23 -0700 (PDT)

Final-Recipient: rfc822; list-bugtraq23@xxxxxxxxxxx
Action: failed
Status: 5.7.1
Remote-MTA: dns; mail.spinics.net
Diagnostic-Code: smtp; 550 5.7.1 Rejected: 143.127.139.113 listed at zen.spamhaus.org

--91D1980998.1311951557/sf01smtp2.securityfocus.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from lists.securityfocus.com (lists.securityfocus.com [192.168.120.36])
  by sf01smtp2.securityfocus.com (Postfix) with QMQP id 91D1980998;
  Fri, 29 Jul 2011 07:36:23 -0700 (PDT)
Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
Received: (qmail 23430 invoked from network); 28 Jul 2011 21:52:54 -0000
X-AuditID: c0a87820-b7c78ae000007561-66-4e31dc774180
From: Tom Neaves <tom@xxxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: Sitecore CMS 6.4 Open URL Redirect Vulnerability
Date: Thu, 28 Jul 2011 23:02:38 +0100
Message-Id: <464F030F-31DF-46F0-B857-07FC3A530977@xxxxxxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Mime-Version: 1.0 (Apple Message framework v1244.3)
X-Mailer: Apple Mail (2.1244.3)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrKIsWRWlGSWpSXmKPExsUSY1A/T7fijqGfwZsubYvmC+kOjB73z9xiD2CM4rJJSc3JLEst0rdL4MpYfPw7U8E5/oorf64xNzD+5Oli5OSQEDCR2PRnGguELSZx4d56ti5GLg4hgWOMEsf/dLNAOAuZJD5+Xc4IUsUmoCLxs2M/O4jNLKAlcePfSyYIW1ti2cLXzCC2sIClxK3zd8DiLAKqEpcefwDr5RVwkNix4wIbiC0i4CRxrgFkGwdQ3Fji9T8miCPkJRa3fGacwMg7C8mGWUg2zELoWMDIvIpRsjjNwDC3wkivODW5tCizpDItP7m0WC85P3cTIzB8DqyoUNjBeOGi7iFGAQ5GJR7erCJDPyHWxLLiytxDjJIcTEqivH03gEJ8SfkplRmJxRnxRaU5qcWHGCU4mJVEeFMWA+V4UxIrq1KL8mFSMhwcShK8KbeBUoJFqempFWmZOcAogUkzcXCCtPMAtTeB1PAWFyTmFmemQ+RPMepytM86dpRRiCUvPy9VSpy3GqRIAKQoozQPbg4sdi8xykoJ8zIyMDAI8RSkFuVmlqDKv2IUB3pMmNcdZApPZl4J3KZXQEcwAR3Bygd2REkiQkqqgXH14Z5H80L3BvLeLg85fI25e36aYevV68wnNR7Pe8bkIjI9bJPhUg2Zoxsc/sTFh7M88ZKVvlb8g2nLL6np7+1WTLiTa1QippB5bsbONxUWxScr3h69/nu9Fdfv3fVifQ9u3Zz5OvSGt9n/Euam9Dl9Hie0tnmnBWTu0bHsal3Tc+LCbLs7gbeVWIozEg21mIuKEwFLH7hL2AIAAA==

Product Name: Sitecore CMS 6.4
Vendor: http://www.sitecore.net
Date: 28 July, 2011
Author: tom@xxxxxxxxxxxxx <tom@xxxxxxxxxxxxx>
Original URL: http://www.tomneaves.com/Sitecore_CMS_Open_URL_Redirect.txt
Discovered: 30 June, 2011
Disclosed: 28 July, 2011

I. DESCRIPTION

Sitecore is a CMS system used widely throughout the world by businesses, universities and banks.

A vulnerability exists that allows an attacker to insert content from a malicious site within the context of Sitecore. A user could be tricked into thinking the content originated from the trusted site when in fact it is from the attacker's.

II. DETAILS

An Open URL Redirection Vulnerability exists in Sitecore CMS 6.4 (and previous versions) which allows an arbitrary URL (content) to be injected into the page. The Sitecore titlebar window is still shown to the user; however, the content that is loaded comes from the user-specified location.

An attacker could provide content from a malicious site which the user would believe originated from the trusted site - particularly with the Sitecore titlebar window still present. This URL is accessible by unauthenticated users - therefore ideal for a phishing attack.

---

As an unauthenticated user, the "url" parameter can be manipulated in the GET request to an arbitrary value:

http://victim.com/sitecore/shell/default.aspx?xmlcontrol=Application&url=http://www.attacker.com&ch=WindowChrome&ic=Applications%2f32x32%2fabout.png&he=About+Sitecore&ma=0&mi=0&re=0

---

Affected Versions: All versions of Sitecore up to and including CMS 6.4 (Sitecore.NET 6.4.1 (rev. 110324)).

III. VENDOR RESPONSE

30 June, 2011 - Contacted vendor.
30 June, 2011 - Vendor acknowledged and confirmed vulnerability (348199)
27 July, 2011 - Vendor releases update (CMS 6.4.1 update-3)
28 July, 2011 - Vulnerability publicly disclosed.

IV. CREDIT

Discovered by Tom Neaves (Verizon Business)

--91D1980998.1311951557/sf01smtp2.securityfocus.com--
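An added illustration, not part of the advisory above and not Sitecore's own code (Sitecore is an ASP.NET application; this Python only models the server-side handling of the "url" query parameter the advisory describes). The first function reproduces the reported behaviour: whatever "url" the request carries is passed straight through as the location loaded inside the shell chrome. The second accepts only site-relative paths or absolute http(s) URLs on the site's own host and falls back to a fixed local page otherwise, which is the usual allow-list defence against open redirects and frame injection. The host name victim.com, the fallback path and every function name are assumptions; the query string is the proof-of-concept request quoted in the advisory.

```python
"""
Model of an open-redirect / frame-injection check for a "url" parameter.

Added example: not Sitecore's code.  The trusted host "victim.com",
the fallback path and the function names are assumptions.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# The proof-of-concept query string from the advisory (host as given there).
POC_QUERY = (
    "xmlcontrol=Application&url=http://www.attacker.com&ch=WindowChrome"
    "&ic=Applications%2f32x32%2fabout.png&he=About+Sitecore&ma=0&mi=0&re=0"
)

TRUSTED_HOST = "victim.com"  # assumption: the application's own host name


def vulnerable_frame_source(query: str) -> str:
    """Model of the reported behaviour: the 'url' parameter is used as-is,
    so the Sitecore chrome is drawn around content from any origin."""
    params = parse_qs(query)
    return params.get("url", [""])[0]


def is_local_target(candidate: str, trusted_host: str) -> bool:
    """Accept only targets that stay on the trusted host.

    Rejects:
      * absolute URLs to other hosts          http://www.attacker.com
      * protocol-relative URLs                //attacker.com/x
      * userinfo tricks                       http://victim.com@attacker.com/
      * non-http(s) schemes                   javascript:, data:
      * backslashes (some browsers turn /\\host into //host)
    Accepts site-relative paths and absolute http(s) URLs on trusted_host.
    """
    candidate = unquote(candidate).strip()  # defeat %2F%2F and %5C encodings
    if not candidate or "\\" in candidate:
        return False
    parts = urlsplit(candidate)
    if parts.scheme:
        # urlsplit lower-cases the scheme and host; hostname excludes userinfo
        return parts.scheme in ("http", "https") and parts.hostname == trusted_host
    # No scheme: must be a site-relative path, never protocol-relative.
    return candidate.startswith("/") and not candidate.startswith("//")


def hardened_frame_source(query: str, trusted_host: str = TRUSTED_HOST,
                          fallback: str = "/sitecore/shell/") -> str:
    """Same lookup, but an off-site 'url' is replaced by a fixed local page."""
    target = parse_qs(query).get("url", [""])[0]
    return target if is_local_target(target, trusted_host) else fallback


if __name__ == "__main__":
    print("vulnerable ->", vulnerable_frame_source(POC_QUERY))
    print("hardened   ->", hardened_frame_source(POC_QUERY))
```

The check is deliberately an allow-list on the parsed host rather than a deny-list of known-bad prefixes: string checks such as "does not start with http://" are bypassed by protocol-relative URLs, percent-encoded slashes, userinfo in the authority and backslash normalisation, each of which the function above rejects explicitly.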