Sitecore PowerShell Extensions Unrestricted File Upload Vulnerability Allowing Remote Code Execution

A vulnerability exists in Sitecore PowerShell Extensions, an add-on for Sitecore Experience Manager (XM) and Experience Platform (XP), in versions through 7.0. This vulnerability allows remote, authenticated attackers to upload arbitrary files to the server via crafted HTTP requests, leading to remote code execution. The issue arises from a lack of restrictions on file uploads, particularly in the PowerShell extension, which is commonly used alongside the Sitecore Experience Accelerator (SXA).

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Sitecore is hosted.

Reproduction

To reproduce this vulnerability, authenticate as a user with access to the Sitecore PowerShell Extensions. Navigate to the 'UploadFile' PowerShell upload endpoint. Upload a file with a '.zip' extension, ensuring the archive contains a web shell named 'watchTowrPoc.asp', placed within a directory structure that includes traversal sequences to bypass directory restrictions. Once the file is uploaded, it can be accessed through the web server, executing the contained code.

Remediation

Users can update to Sitecore versions after 7.0 to address this vulnerability.