
Sitefinity 3.x Shell Upload Vulnerability

by User Not Found

We’ve noticed a Sitefinity exploit making the rounds on Twitter. Furthermore, a handful of our customers have discovered this vulnerability on their web sites. I’m not going to post the full details of the exploit here. Basically, the exploit involves using an unauthenticated request to a specific administrative ASPX page.

However, this exploit only succeeds if…

  1. You are using an old (early 2009) version of Sitefinity. We fixed this issue a long time ago.
  2. You have removed or modified the default web.config file in the /Sitefinity/ directory, which will allow anonymous requests.
  3. You have the Application Pool set for FULL control over the entire Application (it should have read and WRITE only on App_Data, which then cannot be accessed with a regular browser).
  4. You are properly authenticated into the site, which will allow you to browse the dialog. (This isn’t really a problem.)


Several months ago, Georgi Chokov recommended these and other security best practices in his Building a secured Sitefinity website blog post. For those who haven’t already followed these instructions, I strongly suggest you do so. I also recommend that you upgrade your web sites to a current version of Sitefinity.

If you have specific questions or need help, contact support.

6 comments

  1. Matt Nov 18, 2010
    We followed the instructions in the email you sent and it throws an error.
    AccessModule.cs' is denied.

    Any ideas?
  2. Georgi Nov 18, 2010
    Hi Matt,

    Please make sure that the worker process has access to the new file. Currently, the error states that the new file cannot be accessed by Asp.Net.
  3. Mark Nov 18, 2010
    Running "Sitefinity 3.1.1458.2:1" and the provided AccessModule.cs does not work with that version. Will you send me one that will work with that version?


  4. Georgi Nov 19, 2010
    Hello Mark,

    Sitefinity 3.1 is safe. You do not need a patch for that version.
  5. Jason Nov 23, 2010
    All you really need to do is put a file called web.config in the /Sitefinity/UserControls/Dialogs folder of your site with this as the contents:

    <?xml version="1.0"?>
    <configuration>
        <location path=".">
            <system.web>
                <authorization>
                    <allow roles="administrators"/>
                    <deny users="*"/>
                </authorization>
            </system.web>
        </location>
    </configuration>

    This will block unauthenticated users AND anyone not in the administrators role from getting to this glaring hole. Roles is a comma-separated list of the roles that you have in your Sitefinity site.

    You could also replace
    <allow roles="administrators"/>
    with
    <!-- "?" means anonymous users and "*" means everyone; rules are matched in order -->
    <deny users="?"/>
    <allow users="*"/>

    to let anyone that is logged in have access. We didn't get any email about this BTW. What else under /Sitefinity is unprotected?
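To check whether a given web.config actually closes the hole described in the post (condition 2 above, a removed or weakened /Sitefinity/ web.config) and in this comment, the following added example, which is not code from the post, from Telerik or from any commenter, parses the authorization section and evaluates ASP.NET's first-match rule semantics for an anonymous request, a logged-in non-admin and an administrator. The sample configs and the user names bob and alice are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.config posted in the comment above.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <location path=".">
    <system.web>
      <authorization>
        <allow roles="administrators"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

# Constructed sample of a common mistake: "?" is the anonymous user in ASP.NET,
# so this config lets anonymous requests through and blocks everyone else.
MISTAKE_WEB_CONFIG = """<configuration><system.web><authorization>
  <allow users="?"/><deny users="*"/>
</authorization></system.web></configuration>"""

def authorization_rules(web_config_xml):
    """Return <allow>/<deny> rules as (verb, attribute, values) in document order."""
    rules = []
    for auth in ET.fromstring(web_config_xml).iter("authorization"):
        for rule in auth:
            if rule.tag in ("allow", "deny"):
                for attr in ("users", "roles"):
                    if attr in rule.attrib:
                        values = [v.strip() for v in rule.attrib[attr].split(",") if v.strip()]
                        rules.append((rule.tag, attr, values))
    return rules

def is_allowed(rules, user=None, roles=()):
    """ASP.NET UrlAuthorization: first matching rule wins; '*' matches everyone,
    '?' matches only anonymous requests (user=None); no match means allowed.
    Role names are compared case-sensitively here (ASP.NET is case-insensitive)."""
    for verb, attr, values in rules:
        if attr == "users":
            hit = any(v == "*" or (v == "?" and user is None) or v == user for v in values)
        else:
            hit = bool(set(roles).intersection(values))
        if hit:
            return verb == "allow"
    return True

def audit(web_config_xml):
    """Summarise who can reach the directory this web.config protects."""
    rules = authorization_rules(web_config_xml)
    return {"rules": len(rules),
            "anonymous_allowed": is_allowed(rules),
            "authenticated_nonadmin_allowed": is_allowed(rules, "bob", ["editors"]),
            "admin_allowed": is_allowed(rules, "alice", ["administrators"])}
```

Run audit() on the real file from the dialog directory; an empty or missing authorization section reports anonymous_allowed as True, which is exactly the misconfiguration the post warns about.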
  6. disgruntled Feb 10, 2011
    wtf!  it's still open in 3.7!  Just uploaded a file right on to our server thru /sitefinity directory w/o authenticating. 
