Security Bulletin SC2016-002-136135

  • We are reporting an Important vulnerability (SC2016-002-136135), for which there is a hotfix available.

    We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the hotfix to all Sitecore systems.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • Versions affected

    Vulnerability SC2016-002-136135 affects all versions of Sitecore 7.2, 7.5, 8.0, 8.1 and 8.2.

    This vulnerability impacts all Sitecore systems running the above-mentioned versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, and all Sitecore server roles (content delivery, content management, reporting, processing, publishing, etc.). It also impacts Sitecore-based intranet sites.

    A hotfix is available for all affected versions.

  • Versions not affected

    Currently supported Sitecore CMS versions 6.3 to 7.1 are not vulnerable. Sitecore xDB Cloud environments are not affected, as the appropriate fix has already been implemented there.

  • Solution

    The vulnerability has been fixed in Sitecore XP 8.2 Update-2.

    1. Download the ZIP archive with the hotfix from here.
    2. Extract the contents of the archive.
    3. On every Sitecore instance perform the following actions:
      • Copy the contents of the extracted archive to the /Website folder.
      • Edit the web.config file and locate this line within the '/configuration/system.web/httpHandlers' node:
        <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" />
        Replace the line above with this one:
        <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.136135" />

        Note: your web.config file may not contain an 'httpHandlers' node. It is used only if the IIS application pool of your Sitecore website runs in Classic mode, so if the node is absent, do not create it.

      • Edit the web.config file and locate this line within the '/configuration/system.webServer/handlers' node:
        <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" name="Sitecore.IconRequestHandler" />
        Replace the line above with this one:
        <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.136135" name="Sitecore.Support.IconRequestHandler" />
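        Because step 3 has to be repeated on every instance, a quick way to confirm the edit took effect is to parse each web.config and check which type the sitecore_icon.ashx registrations point at. The script below is an added example, not Sitecore's code or part of the hotfix; the handler path and type strings are the ones quoted in the steps above, and the sample web.config is constructed and reduced to the two nodes the steps touch.

        ```python
        import xml.etree.ElementTree as ET
        # Handler path and type strings are the ones quoted in the bulletin's steps.
        HANDLER_PATH = "sitecore_icon.ashx"
        VULNERABLE_TYPE = "Sitecore.Resources.IconRequestHandler, Sitecore.Kernel"
        PATCHED_TYPE = "Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.136135"

        # httpHandlers only exists for Classic-mode application pools, so its absence is acceptable.
        NODES = {"system.web/httpHandlers": False, "system.webServer/handlers": True}

        def _descend(elem, path):
            # Match tag names literally: names such as 'system.web' contain dots.
            for tag in path.split("/"):
                elem = next((c for c in elem if c.tag == tag), None)
                if elem is None:
                    return None
            return elem

        def check_web_config(xml_text):
            """Map each node to 'patched', 'vulnerable', 'unexpected',
            'missing-handler', 'absent' (optional node) or 'missing-node'."""
            root = ET.fromstring(xml_text)
            states = {}
            for node_path, required in NODES.items():
                node = _descend(root, node_path)
                if node is None:
                    states[node_path] = "missing-node" if required else "absent"
                    continue
                types = {" ".join(e.get("type", "").split())
                         for e in node.findall("add") if e.get("path") == HANDLER_PATH}
                if not types:
                    states[node_path] = "missing-handler"
                elif types == {PATCHED_TYPE}:
                    states[node_path] = "patched"
                elif VULNERABLE_TYPE in types:
                    states[node_path] = "vulnerable"
                else:
                    states[node_path] = "unexpected"
            return states

        def is_hotfix_applied(xml_text):
            # True only when every registration that is present points at the support handler.
            return all(s in ("patched", "absent") for s in check_web_config(xml_text).values())

        # Constructed sample web.config (not a real file), reduced to the two nodes the hotfix steps edit.
        UNPATCHED = """<configuration>
        <system.web><httpHandlers><add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" /></httpHandlers></system.web>
        <system.webServer><handlers><add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" name="Sitecore.IconRequestHandler" /></handlers></system.webServer>
        </configuration>"""
        PATCHED = UNPATCHED.replace(VULNERABLE_TYPE, PATCHED_TYPE)
        ```

        To audit a real instance, read its web.config with encoding "utf-8-sig" (IIS files often carry a BOM) and pass the text to check_web_config; a half-applied edit, where only one of the two nodes was changed, is still reported as vulnerable.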

  • Revision history

    • 11-Sep-19: a link to the Security Bulletins RSS Feed was added.
    • 20-Sep-19: the hotfix download link was updated. The hotfix itself was not changed.

Applies to:

CMS 7.2 Initial Release - 7.2 Update-6, 7.5 Initial Release - 7.5 Update-2, 8.1 Initial Release - 8.1 Update-3, 8.2 Initial Release - 8.2 Update-1

December 05, 2016
September 20, 2019

Reference number:

136135

Keywords:

  • Security Vulnerabilities