Q4 2014 Security Update

  • Sitecore has determined that a specially crafted URL may allow a website visitor to download files located under the web root of the site when the visitor already knows the name of the file. Files with the .config, .aspx and .cs extensions are not affected, and the issue does not allow directory browsing.

  • This issue is fixed in:

    • Sitecore XP 8.0 Initial Release (rev. 141212)
    • Sitecore CMS 7.5 Update-1 (rev. 150130)
    • Sitecore CMS 7.2 Update-3 (rev. 141226)

  • To determine which Sitecore version is installed:

    1. Find the sitecore.version.xml file in the \Website\sitecore\shell folder.
    2. Open the file in Notepad or Internet Explorer.
    3. The combined value of the <major>, <minor> and <revision> fields is the Sitecore version (for example, 7.2 rev. 141226).
  • Installation Instructions for Fix #424428:

    1. Download the Sitecore.Support.424428 assembly that matches the .NET version your site runs on and copy it to the \bin folder. Copy the assembly before editing web.config; the processor type referenced in the next step cannot be loaded until the assembly is in place.
    2. In the web.config file, replace this line
      <processor type="Sitecore.Pipelines.PreprocessRequest.IIS404Handler, Sitecore.Kernel" />
      with this line
      <processor type="Sitecore.Support.Pipelines.PreprocessRequest.IIS404Handler, Sitecore.Support.424428" />
    3. In the <preprocessRequest help="Processors should derive from Sitecore.Pipelines.PreprocessRequest.PreprocessRequestProcessor"> section, add the dll extension to the list of blocked extensions that do not stream files, changing this line
      <param desc="Blocked extensions that do not stream files (comma separated)"></param>
      to
      <param desc="Blocked extensions that do not stream files (comma separated)">dll</param>
      If the parameter already lists other extensions, append dll to the comma-separated list rather than replacing them.
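The following Python script is an added example, not Sitecore's code and not part of the original advisory. It makes the version check and the two web.config edits above scriptable: it reads the major, minor and revision values from sitecore.version.xml, decides whether the installation falls in the affected range using the fixed revisions listed in this advisory, and applies and verifies the handler swap and the dll addition. Two things are assumptions rather than statements from the advisory: the layout of sitecore.version.xml (an <information> root with a <version> child holding <major>, <minor>, <build> and <revision>) and the position of the "Blocked extensions that do not stream files" parameter under the FilterUrlExtensions processor, as it sits in a stock 7.x web.config. Both sample inputs are constructed and trimmed to the nodes that matter.

```python
"""Added example for the Q4 2014 advisory (not Sitecore's code): decide from
sitecore.version.xml whether an install is in the affected range for #424428,
then apply and verify the two web.config edits the fix requires.

Assumptions (not stated in the advisory): sitecore.version.xml has the layout
<information><version><major/><minor/><build/><revision/></version></information>,
and the "Blocked extensions that do not stream files" param sits under the
FilterUrlExtensions processor, as in a stock 7.x web.config.
"""
import xml.etree.ElementTree as ET

KERNEL_HANDLER = ("Sitecore.Pipelines.PreprocessRequest.IIS404Handler, "
                  "Sitecore.Kernel")
SUPPORT_HANDLER = ("Sitecore.Support.Pipelines.PreprocessRequest.IIS404Handler, "
                   "Sitecore.Support.424428")
NO_STREAM_DESC = "Blocked extensions that do not stream files (comma separated)"

# First fixed revision per release line, taken from the advisory.  Releases
# below these revisions, and every 6.x/7.x line with no entry, are affected.
FIXED_IN = {(8, 0): 141212, (7, 5): 150130, (7, 2): 141226}

# Constructed sample inputs (trimmed to the nodes that matter).
SAMPLE_VERSION_XML = """<information>
  <version>
    <major>7</major>
    <minor>2</minor>
    <build>0</build>
    <revision>140526</revision>
  </version>
</information>"""

SAMPLE_WEB_CONFIG = """<configuration>
  <sitecore>
    <pipelines>
      <preprocessRequest help="Processors should derive from Sitecore.Pipelines.PreprocessRequest.PreprocessRequestProcessor">
        <processor type="Sitecore.Pipelines.PreprocessRequest.CheckIgnoreFlag, Sitecore.Kernel" />
        <processor type="Sitecore.Pipelines.PreprocessRequest.IIS404Handler, Sitecore.Kernel" />
        <processor type="Sitecore.Pipelines.PreprocessRequest.FilterUrlExtensions, Sitecore.Kernel">
          <param desc="Allowed extensions (comma separated)">aspx, ashx, asmx</param>
          <param desc="Blocked extensions that do not stream files (comma separated)"></param>
        </processor>
      </preprocessRequest>
    </pipelines>
  </sitecore>
</configuration>"""


def parse_version(version_xml):
    """Return (major, minor, revision) from the content of sitecore.version.xml."""
    version = ET.fromstring(version_xml).find("version")
    if version is None:
        raise ValueError("no <version> element found")
    return tuple(int(version.findtext(tag)) for tag in ("major", "minor", "revision"))


def is_affected(version):
    """True when (major, minor, revision) falls in the advisory's affected range."""
    major, minor, revision = version
    line = (major, minor)
    if line in FIXED_IN:
        return revision < FIXED_IN[line]
    return (6, 0) <= line < (8, 0)


def _preprocess_request(root):
    pipeline = root.find(".//preprocessRequest")
    if pipeline is None:
        raise ValueError("no <preprocessRequest> pipeline in web.config")
    return pipeline


def apply_fix(web_config):
    """Swap the IIS404Handler for the support one and add dll to the no-stream
    block list, keeping any extensions already listed.  Running it twice is harmless."""
    root = ET.fromstring(web_config)
    for processor in _preprocess_request(root).iter("processor"):
        if processor.get("type") == KERNEL_HANDLER:
            processor.set("type", SUPPORT_HANDLER)
        for param in processor.findall("param"):
            if param.get("desc") == NO_STREAM_DESC:
                exts = [e.strip() for e in (param.text or "").split(",") if e.strip()]
                if "dll" not in (e.lower() for e in exts):
                    exts.append("dll")
                param.text = ", ".join(exts)
    return ET.tostring(root, encoding="unicode")


def check_fix(web_config):
    """Return (handler_replaced, dll_blocked) for the content of a web.config."""
    pipeline = _preprocess_request(ET.fromstring(web_config))
    types = {p.get("type") for p in pipeline.iter("processor")}
    handler_ok = SUPPORT_HANDLER in types and KERNEL_HANDLER not in types
    dll_ok = any(
        "dll" in {e.strip().lower() for e in (p.text or "").split(",")}
        for p in pipeline.iter("param") if p.get("desc") == NO_STREAM_DESC)
    return handler_ok, dll_ok


if __name__ == "__main__":
    version = parse_version(SAMPLE_VERSION_XML)
    print("Sitecore %d.%d rev. %d affected: %s" % (*version, is_affected(version)))
    print("before:", check_fix(SAMPLE_WEB_CONFIG))
    print("after: ", check_fix(apply_fix(SAMPLE_WEB_CONFIG)))
```

To use it against a real site, read the two files from \Website\sitecore\shell\sitecore.version.xml and \Website\web.config instead of the constructed samples, and only write the patched web.config back after Sitecore.Support.424428.dll has been copied to \bin, since the swapped processor type cannot be resolved until then. check_fix is the piece worth keeping in a post-patch verification step: it reports both halves of the fix independently, so a web.config where the handler was replaced but the dll extension was never added shows up as (True, False).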

Applies to:

CMS 6.0 - 7.2 Update-2, 7.5 Initial Release

February 10, 2015
February 22, 2017

Reference number:

424428

Keywords: 

  • CMS
  • Security Vulnerabilities