Q1 2014 Security Update


Description

Sitecore has identified two security issues that affect various versions of Sitecore CMS, Sitecore Intranet Portal and Sitecore Foundry (see table below). Sitecore Corp. would like to give credit to NCC for the discovery of the security vulnerabilities addressed in this fix and for their cooperation.
The fix does not introduce new functionality or change expected system behavior.

How to find your Sitecore version:
  1. Find the Sitecore.Kernel.dll file in the "[site root]\bin" folder.
  2. Right-click the dll and select "Properties".
  3. Open the "Details" tab.
  4. The value of the "Product version" field is the Sitecore version.

Affected Sitecore Products, Versions and Required fix(es):

Sitecore CMS

Sitecore CMS Version Fix 400290 Fix 400292
7.2 rev.140314 (Update-1) Yes No
7.2 rev.140228 (Initial Release) Yes No
7.1 rev.140324 (Update-2) Yes No
7.1 rev.140130 (Update-1) Yes No
7.1 rev.130926 (Initial Release) Yes Yes
7.0 rev.140408 (Update-5) No No
7.0 rev.140120 (Update-4) Yes No
7.0 rev.131127 (Update-3) Yes Yes
7.0 rev.130918 (Update-2) Yes Yes
7.0 rev.130810 (Update-1) Yes Yes
7.0 rev.130424 (Initial Release) Yes Yes
6.6.0 rev.140410 (Update-8) No No
6.6.0 rev.131211 (Update-7) Yes No
6.6.0 rev.130529 (Service Pack-1) Yes Yes
6.6.0 rev.130404 (Update-5) Yes Yes
6.6.0 rev.130214 (Update-4) Yes Yes
6.6.0 rev.130111 (Update-3) Yes Yes
6.6.0 rev.121203 (Update-2) Yes Yes
6.6.0 rev.121015 (Update-1) Yes Yes
6.6.0 rev.120918 (Initial Release) Yes Yes
6.6.0 rev.120622 (Technical Preview) Yes Yes
6.5.0 rev.121009 (Service Pack-2) Yes Yes
6.5.0 rev.120706 (Service Pack-1) Yes Yes
6.5.0 rev.120427 (Update-4) Yes Yes
6.5.0 rev.111230 (Update-3) Yes Yes
6.5.0 rev.111123 (Update-2) Yes Yes
6.5.0 rev.110818 (Update-1) Yes Yes
6.5.0 rev.110602 (Initial Release) Yes Yes
6.4.1 rev.120113 (Update-6) Yes Yes
6.4.1 rev.111003 (Update-5) Yes Yes
6.4.1 rev.110928 (Update-4) Yes Yes
6.4.1 rev.110720 (Update-3) Yes Yes
6.4.1 rev.110621 (Update-2) Yes Yes
6.4.1 rev.110324 (Update-1) Yes Yes
6.4.1 rev.101221 (Initial Release) Yes Yes
6.4.0 rev.101124 (Update-1) Yes Yes
6.4.0 rev.101012 (Initial Release) Yes Yes
6.3.1 rev.110112 (Initial Release) No Yes
6.3.0 rev.101029 (Update-3) No Yes
6.3.0 rev.100928 (Update-2) No Yes
6.3.0 rev.100830 (Update-1) No Yes
6.3.0 rev.100716 (Initial Release) No Yes
6.2.0 rev.101105 (Update-5) No Yes
6.2.0 rev.100831 (Update-4) No Yes
6.2.0 rev.100701 (Update-3) No Yes
6.2.0 rev.100507 (Update-2) No Yes
6.2.0 rev.100104 (Update-1) No Yes
6.2.0 rev.091012 (Initial Release) No Yes
6.1.0 rev.091029 (Update-3) No Yes
6.1.0 rev.090821 (Update-2) No Yes
6.1.0 rev.090722 (Update-1) No Yes
6.1.0 rev.090630 (Initial Release) No Yes

Sitecore Intranet Portal

Sitecore Intranet Portal Version Fix 400290 Fix 400292
3.0.0 rev. 090724 (Initial Release) No Yes
3.0.0 rev. 091126 (Update-1) No Yes
3.1.0 rev. 100421 (Initial Release) No Yes
3.1.0 rev. 100726 (Update-1) No Yes
3.1.0 rev. 100921 (Update-2) No Yes
3.2.0 rev. 101202 (Initial Release) No Yes
3.3.0 rev. 111102 (Initial Release) No Yes
3.3.0 rev. 120208 (Update-1) No Yes
4.0.0 rev. 130523 (Initial Release) Yes Yes
4.1.0 rev. 131010 (Initial Release) Yes Yes

Sitecore Foundry

Sitecore Foundry Version Fix 400290 Fix 400292
3.0.0 rev. 090814 (Initial Release) No Yes
3.0.0 rev. 091008 No Yes
4.0.0 rev. 120711 (Technical Preview) Yes Yes
4.0.0 rev. 121129 (Initial Release) Yes Yes
4.1.0 rev. 130621 (Initial Release) Yes Yes

Solution

The fix may be implemented through a Scripted Installation or a Manual Installation.

Scripted Installation

Note: The Scripted Installation will fail on any Sitecore installation where the /sitecore folder has been removed or is not accessible for the account used to run the script due to file system security restrictions. Please complete the Manual Installation instructions for each installation of Sitecore where the Scripted Installation fails.

For customers and partners who are familiar with executing PowerShell scripts, Sitecore provides a Scripted Installation option. Executing this script will produce the same end result as implementing the manual instructions.

If you are not familiar with executing PowerShell scripts, or if this is not permitted in your server environment, Sitecore recommends following the Manual Installation instructions that follow this section.

To install, download and unzip the Sitecore.FixIt.400290.400292.zip. Follow the README.FIRST.txt instructions in the extracted archive for required installation steps.

The script should be run on all servers where Sitecore is installed. Alternatively, the script should be run on lower environments and promoted to production environments through your preferred release process.

The script provides pre-verification, installation and post-verification steps. Pre-verification checks to see which fixes apply to your version and verifies that affected files are in the expected locations. Installation makes file changes to various files in the Sitecore web root and automatically creates backup copies of the files prior to introducing modifications. Post-verification validates that changes were made as expected.

Note: When you download the .zip archive, Windows may block the archive to help protect your computer. To unblock the archive, right-click the file, select Properties and click the "Unblock" button on the General tab.

Note: Due to the underlying .NET Framework APIs used in the Scripted Installation, minor changes in spacing may be made to XML-based configuration files.

Manual Installation

Sitecore provides Manual Installation instructions for customers who are unfamiliar with executing PowerShell scripts or who lack required permissions to execute the Scripted Installation. These instructions may also be required if the Scripted Installation cannot be successfully completed due to specifics of the environment configuration or reports unexpected configuration during the pre-verification step.

Installation Instructions For Fix #400290:

  1. Copy the Sitecore.Support.400290.dll file into the '/bin' folder of the Sitecore instance.
  2. In the "Web.config" file:
    REPLACE:
    The Sitecore icon handler node in the "/configuration/system.webServer/handlers" section

    WITH:

    <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.400290" name="Sitecore.Support.400290.IconRequestHandler"/>

    REPLACE:
    The Sitecore icon handler node in the "/configuration/system.web/httpHandlers" section

    WITH:

    <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.400290"/>

Installation Instructions For Fix #400292:

Note: The installation instructions for Fix #400292 may be skipped for each Sitecore installation where the /sitecore folder has been removed.

  1. Copy the Sitecore.Support.400292.400293.dll file into the '/bin' folder of the Sitecore instance.
  2. In the "\App_Config\Commands.config" file:
    REPLACE:
    <command name="item:upload" type="Sitecore.Shell.Framework.Commands.Upload,Sitecore.Kernel" />
    WITH:
    <command name="item:upload" type="Sitecore.Support.Shell.Framework.Commands.Upload,Sitecore.Support.400292.400293" />
  3. In the "\sitecore\shell\Applications\Dialogs\Upload\Upload2.aspx" file:
    REPLACE:
    Inherits="Sitecore.Shell.Applications.Dialogs.Upload.UploadPage2" %>
    WITH:
    Inherits="Sitecore.Support.Shell.Applications.Dialogs.Upload.UploadPage2" %>
  4. In the "\sitecore\shell\Applications\Dialogs\Upload\Upload.xml" file:
    REPLACE:
    <WizardForm CodeBeside="Sitecore.Shell.Applications.Dialogs.Upload.UploadForm,Sitecore.Client" FormTarget="sitecoreupload" Enctype="multipart/form-data" GridPanel.Height="100%">
    WITH:
    <WizardForm CodeBeside="Sitecore.Support.Shell.Applications.Dialogs.Upload.UploadForm,Sitecore.Support.400292.400293" FormTarget="sitecoreupload" Enctype="multipart/form-data" GridPanel.Height="100%">
  5. In the "\sitecore\shell\Applications\Files\FileExplorer\FileExplorer.xml" file:
    REPLACE:
    <CodeBeside Type="Sitecore.Shell.Applications.Files.FileExplorer.FileExplorerForm,Sitecore.Client"/>
    WITH:
    <CodeBeside Type="Sitecore.Support.Shell.Applications.Files.FileExplorer.FileExplorerForm,Sitecore.Support.400292.400293"/>
  6. In the "\sitecore\shell\Applications\Files\FileBrowser\FileBrowser.xml" file:
    REPLACE:
    <CodeBeside Type="Sitecore.Shell.Applications.Files.FileBrowser.FileBrowserForm,Sitecore.Client" Submittable="false"/>
    WITH:
    <CodeBeside Type="Sitecore.Support.Shell.Applications.Files.FileBrowser.FileBrowserForm,Sitecore.Support.400292.400293" Submittable="false"/>
  7. In the "\sitecore\shell\Applications\Files\FileBrowser\FileBrowser.xml" file:
    REPLACE:
    <Button ID="UploadButton" Header="Upload" def:placeholder="Buttons" Click="filebrowser:upload"/>
    WITH:
    <Button ID="UploadButton" Header="Upload" def:placeholder="Buttons" Click="filebrowser:uploadfixed"/>
    Note: In some versions of Sitecore CMS the definition of the 'Button' element is different. If the above text cannot be found in the 'FileBrowser.xml' file, use the following procedure instead:

    REPLACE:
    <Button Header="Upload" def:placeholder="Buttons" Click="filebrowser:upload"/>
    WITH:
    <Button Header="Upload" def:placeholder="Buttons" Click="filebrowser:uploadfixed"/>
  8. In the "\sitecore\shell\Applications\Install\Dialogs\File Browser\File browser.xml" file:
    REPLACE:
    <CodeBeside Type="Sitecore.Shell.Applications.Install.Dialogs.FileBrowserForm,Sitecore.Client"/>
    WITH:
    <CodeBeside Type="Sitecore.Support.Shell.Applications.Install.Dialogs.FileBrowserForm,Sitecore.Support.400292.400293"/>
  9. In the "\sitecore\shell\Applications\Layouts\IDE\Windows\Media Library\IDE Media Library.xml" file:

    REPLACE:
    <CodeBeside Type="Sitecore.Shell.Applications.Layouts.IDE.Windows.MediaLibrary.MediaLibraryForm,Sitecore.Client"/>
    WITH:
    <CodeBeside Type="Sitecore.Support.Shell.Applications.Layouts.IDE.Windows.MediaLibrary.MediaLibraryForm,Sitecore.Support.400292.400293"/>
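
Added here as an example, not the advisory's own FixIt script: a PowerShell post-verification pass covering both manual procedures above. It reads the product version the way the steps at the top of this page describe, checks the two Web.config handler registrations for Fix #400290, and checks each Fix #400292 file for the inserted fragment (and the absence of the replaced one). The script name and the $SiteRoot parameter are assumptions; the file paths and type names are those listed in the instructions.

```powershell
# Post-verification for the Q1 2014 fixes. Run from an elevated PowerShell prompt on each server:
#   .\Verify-Q1-2014-Fixes.ps1 -SiteRoot 'C:\inetpub\wwwroot\MySite\Website'
param([Parameter(Mandatory = $true)][string]$SiteRoot)   # assumed: path to the Sitecore web root

$results = @()
function Check([string]$Name, [bool]$Ok) { $script:results += New-Object PSObject -Property @{ Check = $Name; Ok = $Ok } }

# Same value as the "Product version" field shown in the dll's Properties dialog.
$kernel = Join-Path $SiteRoot 'bin\Sitecore.Kernel.dll'
Write-Host "Sitecore version: $((Get-Item $kernel).VersionInfo.ProductVersion)"

# --- Fix #400290: both icon handler registrations must point at the support assembly ---
Check 'bin\Sitecore.Support.400290.dll present' (Test-Path (Join-Path $SiteRoot 'bin\Sitecore.Support.400290.dll'))
[xml]$web = Get-Content (Join-Path $SiteRoot 'Web.config') -Raw
$iconType = 'Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.400290'
foreach ($section in 'system.webServer/handlers', 'system.web/httpHandlers') {
    $nodes = $web.SelectNodes("/configuration/$section/add[@path='sitecore_icon.ashx']")
    Check "$section icon handler patched" (($nodes.Count -eq 1) -and ($nodes[0].type -eq $iconType))
}

# --- Fix #400292: upload command, dialogs and file browsers rerouted to the support assembly ---
if (-not (Test-Path (Join-Path $SiteRoot 'sitecore'))) {
    Write-Warning 'No /sitecore folder: the Fix #400292 steps are not required on this instance.'
} else {
    Check 'bin\Sitecore.Support.400292.400293.dll present' (Test-Path (Join-Path $SiteRoot 'bin\Sitecore.Support.400292.400293.dll'))
    # File, fragment the manual step inserts (must be present), fragment it replaces (must be gone).
    $edits = @(
        ('App_Config\Commands.config', 'Sitecore.Support.Shell.Framework.Commands.Upload,Sitecore.Support.400292.400293', 'Sitecore.Shell.Framework.Commands.Upload,Sitecore.Kernel'),
        ('sitecore\shell\Applications\Dialogs\Upload\Upload2.aspx', 'Inherits="Sitecore.Support.Shell.Applications.Dialogs.Upload.UploadPage2"', 'Inherits="Sitecore.Shell.Applications.Dialogs.Upload.UploadPage2"'),
        ('sitecore\shell\Applications\Dialogs\Upload\Upload.xml', 'Sitecore.Support.Shell.Applications.Dialogs.Upload.UploadForm,Sitecore.Support.400292.400293', 'Sitecore.Shell.Applications.Dialogs.Upload.UploadForm,Sitecore.Client'),
        ('sitecore\shell\Applications\Files\FileExplorer\FileExplorer.xml', 'Sitecore.Support.Shell.Applications.Files.FileExplorer.FileExplorerForm,Sitecore.Support.400292.400293', 'Sitecore.Shell.Applications.Files.FileExplorer.FileExplorerForm,Sitecore.Client'),
        ('sitecore\shell\Applications\Files\FileBrowser\FileBrowser.xml', 'Sitecore.Support.Shell.Applications.Files.FileBrowser.FileBrowserForm,Sitecore.Support.400292.400293', 'Sitecore.Shell.Applications.Files.FileBrowser.FileBrowserForm,Sitecore.Client'),
        ('sitecore\shell\Applications\Files\FileBrowser\FileBrowser.xml', 'Click="filebrowser:uploadfixed"', 'Click="filebrowser:upload"'),   # covers both Button variants in step 7
        ('sitecore\shell\Applications\Install\Dialogs\File Browser\File browser.xml', 'Sitecore.Support.Shell.Applications.Install.Dialogs.FileBrowserForm,Sitecore.Support.400292.400293', 'Sitecore.Shell.Applications.Install.Dialogs.FileBrowserForm,Sitecore.Client'),
        ('sitecore\shell\Applications\Layouts\IDE\Windows\Media Library\IDE Media Library.xml', 'Sitecore.Support.Shell.Applications.Layouts.IDE.Windows.MediaLibrary.MediaLibraryForm,Sitecore.Support.400292.400293', 'Sitecore.Shell.Applications.Layouts.IDE.Windows.MediaLibrary.MediaLibraryForm,Sitecore.Client')
    )
    foreach ($e in $edits) {
        $file, $patched, $old = $e
        $path = Join-Path $SiteRoot $file
        if (-not (Test-Path $path)) { Check "$file present" $false; continue }
        $text = Get-Content $path -Raw
        # Both conditions matter: the support type must be wired in AND the original must no longer be referenced.
        Check "$file -> $patched" ($text.Contains($patched) -and -not $text.Contains($old))
    }
}

$results | Format-Table -AutoSize Check, Ok
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }   # non-zero exit for release pipelines
```

A failed row points at exactly one manual step to redo; the non-zero exit code lets the check gate promotion to production in the release process the advisory mentions.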