Q2 2014 Security Update

Expand all | Collapse all

  • Description

    Collapse

    Sitecore has identified a security issue that affects various versions of Sitecore CMS, Sitecore Intranet Portal and Sitecore Foundry (see table below).

    Sitecore Corp. would like to give credit to Dan Erdahl for the discovery of the security vulnerbility addressed in this fix and for his cooperation. The fix does not introduce new functionality or change expected system behavior.

    After installing the fix, Sitecore recommends changing any system passwords stored in your configuration files or other files under the web root.

  • Prerequisites

    Collapse

    If you are running a Sitecore release prior to 7.2.0 Update-2 (rev. 140526), you should install the Q1 2014 Security Update in case it is applicable to your CMS version (see the versions list in the corresponding article).

  • Affected Sitecore Products and Versions

    Collapse

    Sitecore CMS

    7.2 rev.140314 (Update-1)
    7.2 rev.140228 (Initial Release)
    7.1 rev.140324 (Update-2)
    7.1 rev.140130 (Update-1)
    7.1 rev.130926 (Initial Release)
    7.0 rev.140408 (Update-5)
    7.0 rev.140120 (Update-4)
    7.0 rev.131127 (Update-3)
    7.0 rev.130918 (Update-2)
    7.0 rev.130810 (Update-1)
    7.0 rev.130424 (Initial Release)
    6.6.0 rev.140410 (Update-8)
    6.6.0 rev.131211 (Update-7)
    6.6.0 rev.130529 (Service Pack-1)
    6.6.0 rev.130404 (Update-5)
    6.6.0 rev.130214 (Update-4)
    6.6.0 rev.130111 (Update-3)
    6.6.0 rev.121203 (Update-2)
    6.6.0 rev.121015 (Update-1)
    6.6.0 rev.120918 (Initial Release)
    6.6.0 rev.120622 (Technical Preview)
    6.5.0 rev.121009 (Service Pack-2)
    6.5.0 rev.120706 (Service Pack-1)
    6.5.0 rev.120427 (Update-4)
    6.5.0 rev.111230 (Update-3)
    6.5.0 rev.111123 (Update-2)
    6.5.0 rev.110818 (Update-1)
    6.5.0 rev.110602 (Initial Release)
    6.4.1 rev.120113 (Update-6)
    6.4.1 rev.111003 (Update-5)
    6.4.1 rev.110928 (Update-4)
    6.4.1 rev.110720 (Update-3)
    6.4.1 rev.110621 (Update-2)
    6.4.1 rev.110324 (Update-1)
    6.4.1 rev.101221 (Initial Release)
    6.4.0 rev.101124 (Update-1)
    6.4.0 rev.101012 (Initial Release)

    Sitecore Intranet Portal

    4.1.0 rev. 131010 (Initial Release)
    4.0.0 rev. 130523 (Initial Release)

    Sitecore Foundry

    4.1.0 rev. 130621 (Initial Release
    4.0.0 rev. 121129 (Initial Release)
    4.0.0 rev. 120711 (Technical Preview)

  • How To Find Your Sitecore Version

    Collapse
    1. Find the Sitecore.Kernel dll in the "[site root]\bin" folder. 
    2. Right click on the dll and select "Properties". 
    3. Open the "Details" tab. 
    4. The value of the "Product version" field is the Sitecore version.

  • Solution

    Collapse

    The fix may be implemented through a Scripted Installation or a Manual Installation.

  • Solution - Scripted Installation

    Collapse

    If you already installed the Q1 2014 Security Update, you do not need to apply any changes. Just verify that the changes described in the "Solution - Manual Installation" section below are applied to your Sitecore solution.

    Note: The Scripted Installation will fail on any Sitecore installation where the /sitecore folder has been removed or is not accessible for the account used to run the script due to file system security restrictions. Please complete the Manual Installation instructions for each installation of Sitecore where the Scripted Installation fails.

    For customers and partners who are familiar with executing PowerShell scripts, Sitecore provides a Scripted Installation option. Executing this script will produce the same end result as implementing the manual instructions.

    If you are not familiar with executing PowerShell scripts or if this not permitted in your server environment, Sitecore recommends following the Manual Installation instructions that follow this section.

    To install, download and unzip the Sitecore.FixIt.409770.zip. Follow the README.FIRST.txt instructions in the extracted archive for required installation steps.

    The script should be run on all servers where Sitecore is installed. Alternatively, the script should be run on lower environments and promoted to production environments through your preferred release process.

    The script provides pre-verification, installation and post-verification steps. Pre-verification checks to see which fixes apply to your version and verifies that affected files are in the expected locations. Installation makes file changes to various files in the Sitecore web root and automatically creates backup copies of the files prior to introducing modifications. Post-verification validates that changes were made as expected.

    Note: When you download the .zip archive, Windows may block the archive to help protect your computer. To unblock the archive, right-click the file, select Properties and click the "Unblock" button on the General tab.

    Note: Due to the underlying .NET Framework APIs used in the Scripted Installation, minor changes in spacing may be made to xml-based configuration files.

  • solution - Manual Installation

    Collapse

    If you already installed the Q1 2014 Security Update, you do not need to apply any changes. Just verify that the changes described below are applied to your Sitecore solution.

    Sitecore provides Manual Installation instructions for customers who are unfamiliar with executing PowerShell scripts or who lack required permissions to execute the Scripted Installation. These instructions may also be required if the Scripted Installation cannot be successfully completed due to specifics of the environment configuration or reports unexpected configuration during the pre-verification step.

    Installation Instructions For Fix #400290:

    1. Copy the Sitecore.Support.400290.dll file into the '/bin' folder of the Sitecore instance.
    2. In the "Web.config" file:

    The Sitecore icon handler node in the "/configuration/system.webServer/handlers section should be configured with the following values:
    <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.400290" name="Sitecore.Support.400290.IconRequestHandler"/>
    The Sitecore icon handler node in the "/configuration/system.web/httpHandlers" section should be configured with the following values:
    <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.400290"/>

Applies to:

CMS 6.4 - 7.1 Update-2, 7.2 - 7.2 Update-1

August 22, 2014
December 16, 2015

Reference number:

400290, 409770

Keywords: 

  • CMS,
  • Security Vulnerabilities