Sitecore Experience Manager, Platform, and Commerce Zip Slip Vulnerability Leading to Remote Code Execution

Vulnerability

A Zip Slip vulnerability allowing path traversal and arbitrary file writes has been identified in Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) versions 9.0 through 9.3 and 10.0 through 10.4. This vulnerability can be exploited by a remote, authenticated attacker who sends a crafted HTTP request to upload a ZIP archive containing path traversal sequences. The exploitation of this vulnerability could lead to unauthorized code execution on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected server.

Reproduction

To reproduce this vulnerability, authenticate as the 'ServicesAPI' user, which has a hardcoded password of 'b'. After logging in, navigate to the 'Upload2.aspx' page within the 'sitecore/shell/Applications/Dialogs/Upload/' directory. Upload a ZIP file containing a web shell named 'watchTowrPoc.asp', ensuring the ZIP entry includes path traversal sequences to bypass directory restrictions. During the upload process, select the option to unzip the file. Once the upload is complete, the web shell will be accessible via the Sitecore webroot.

Remediation

Users can update to Sitecore versions 10.4.1 or 9.3.3, where this vulnerability has been patched.
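Beyond applying the patch, any service that unpacks user-supplied archives can screen entries for traversal before extraction. The check below is an added example, not Sitecore's code: it flags entries whose resolved path would land outside the intended directory (including backslash-separated and absolute names, which matter on IIS/Windows hosts), refuses the whole archive if any are found, and builds a constructed sample archive to run against.

```python
import io
import os
import zipfile


def is_zip_slip_entry(name: str, dest_dir: str) -> bool:
    """True if extracting `name` under `dest_dir` would write outside it.

    Covers '..' segments, absolute paths and Windows-style backslashes,
    which matter when the archive is unpacked on an IIS/Windows host.
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return True  # absolute or drive-letter path: never legitimate in an upload
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *normalized.split("/")))
    return os.path.commonpath([dest_real, target]) != dest_real


def find_zip_slip_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """List every entry that would escape `dest_dir` on extraction."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_zip_slip_entry(n, dest_dir)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Unpack only if no entry escapes; otherwise reject the whole archive."""
    bad = find_zip_slip_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_sample_zip() -> bytes:
    """Constructed sample: one benign entry plus two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/logo.txt", "benign")
        zf.writestr("../../webroot/placeholder.txt", "escapes via ../")
        zf.writestr("..\\..\\webroot\\placeholder2.txt", "escapes via backslashes")
    return buf.getvalue()


if __name__ == "__main__":
    # /tmp/upload_staging is a hypothetical staging directory, not a Sitecore path.
    print(find_zip_slip_entries(build_sample_zip(), "/tmp/upload_staging"))
```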

Added: Jun 17, 2025, 7:37 PM
Updated: Jun 17, 2025, 10:11 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 6.8
remediation: 7.7
relevance: 0.2
threat: 8.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.