Sitecore has identified a security issue that affects various versions of Sitecore CMS, Sitecore Intranet Portal and Sitecore Foundry (see table below).
Sitecore Corp. would like to give credit to Dan Erdahl for the discovery of the security vulnerbility addressed in this fix and for his cooperation. The fix does not introduce new functionality or change expected system behavior.
After installing the fix, Sitecore recommends changing any system passwords stored in your configuration files or other files under the web root.
If you are running a Sitecore release prior to 7.2.0 Update-2 (rev. 140526), you should install the Q1 2014 Security Update in case it is applicable to your CMS version (see the versions list in the corresponding article).
| 7.2 rev.140314 (Update-1) |
| 7.2 rev.140228 (Initial Release) |
| 7.1 rev.140324 (Update-2) |
| 7.1 rev.140130 (Update-1) |
| 7.1 rev.130926 (Initial Release) |
| 7.0 rev.140408 (Update-5) |
| 7.0 rev.140120 (Update-4) |
| 7.0 rev.131127 (Update-3) |
| 7.0 rev.130918 (Update-2) |
| 7.0 rev.130810 (Update-1) |
| 7.0 rev.130424 (Initial Release) |
| 6.6.0 rev.140410 (Update-8) |
| 6.6.0 rev.131211 (Update-7) |
| 6.6.0 rev.130529 (Service Pack-1) |
| 6.6.0 rev.130404 (Update-5) |
| 6.6.0 rev.130214 (Update-4) |
| 6.6.0 rev.130111 (Update-3) |
| 6.6.0 rev.121203 (Update-2) |
| 6.6.0 rev.121015 (Update-1) |
| 6.6.0 rev.120918 (Initial Release) |
| 6.6.0 rev.120622 (Technical Preview) |
| 6.5.0 rev.121009 (Service Pack-2) |
| 6.5.0 rev.120706 (Service Pack-1) |
| 6.5.0 rev.120427 (Update-4) |
| 6.5.0 rev.111230 (Update-3) |
| 6.5.0 rev.111123 (Update-2) |
| 6.5.0 rev.110818 (Update-1) |
| 6.5.0 rev.110602 (Initial Release) |
| 6.4.1 rev.120113 (Update-6) |
| 6.4.1 rev.111003 (Update-5) |
| 6.4.1 rev.110928 (Update-4) |
| 6.4.1 rev.110720 (Update-3) |
| 6.4.1 rev.110621 (Update-2) |
| 6.4.1 rev.110324 (Update-1) |
| 6.4.1 rev.101221 (Initial Release) |
| 6.4.0 rev.101124 (Update-1) |
| 6.4.0 rev.101012 (Initial Release) |
| 4.1.0 rev. 131010 (Initial Release) |
| 4.0.0 rev. 130523 (Initial Release) |
| 4.1.0 rev. 130621 (Initial Release |
| 4.0.0 rev. 121129 (Initial Release) |
| 4.0.0 rev. 120711 (Technical Preview) |
The fix may be implemented through a Scripted Installation or a Manual Installation.
If you already installed the Q1 2014 Security Update, you do not need to apply any changes. Just verify that the changes described in the "Solution - Manual Installation" section below are applied to your Sitecore solution.
Note: The Scripted Installation will fail on any Sitecore installation where the /sitecore folder has been removed or is not accessible for the account used to run the script due to file system security restrictions. Please complete the Manual Installation instructions for each installation of Sitecore where the Scripted Installation fails.
For customers and partners who are familiar with executing PowerShell scripts, Sitecore provides a Scripted Installation option. Executing this script will produce the same end result as implementing the manual instructions.
If you are not familiar with executing PowerShell scripts or if this not permitted in your server environment, Sitecore recommends following the Manual Installation instructions that follow this section.
To install, download and unzip the Sitecore.FixIt.409770.zip. Follow the README.FIRST.txt instructions in the extracted archive for required installation steps.
The script should be run on all servers where Sitecore is installed. Alternatively, the script should be run on lower environments and promoted to production environments through your preferred release process.
The script provides pre-verification, installation and post-verification steps. Pre-verification checks to see which fixes apply to your version and verifies that affected files are in the expected locations. Installation makes file changes to various files in the Sitecore web root and automatically creates backup copies of the files prior to introducing modifications. Post-verification validates that changes were made as expected.
Note: When you download the .zip archive, Windows may block the archive to help protect your computer. To unblock the archive, right-click the file, select Properties and click the "Unblock" button on the General tab.
Note: Due to the underlying .NET Framework APIs used in the Scripted Installation, minor changes in spacing may be made to xml-based configuration files.
If you already installed the Q1 2014 Security Update, you do not need to apply any changes. Just verify that the changes described below are applied to your Sitecore solution.
Sitecore provides Manual Installation instructions for customers who are unfamiliar with executing PowerShell scripts or who lack required permissions to execute the Scripted Installation. These instructions may also be required if the Scripted Installation cannot be successfully completed due to specifics of the environment configuration or reports unexpected configuration during the pre-verification step.
Installation Instructions For Fix #400290:
The Sitecore icon handler node in the "/configuration/system.web/httpHandlers" section should be configured with the following values:<add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.400290" name="Sitecore.Support.400290.IconRequestHandler"/>
<add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.400290"/>