Q4 2014 Security Update


Description

Sitecore has determined that a specially-crafted URL may allow website visitors to download files under the web root of the site when the name of the file is already known to the visitor. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing.

Availability Of The Fix In Public Releases

This issue is fixed in:

How To Determine Your Sitecore Version

  1. Find the sitecore.version.xml file in the \Website\sitecore\shell folder.
  2. Open the file via Notepad or Internet Explorer.
  3. The combined value of the <major>, <minor>, <revision> fields is the Sitecore version.

Solution

Installation Instructions for Fix #424428:

  1. Download and copy the Sitecore.Support.424428 file to the \bin folder. Depending on the .NET version you are running, select the proper version for download:
  2. In the web.config file replace this line
     <processor type="Sitecore.Pipelines.PreprocessRequest.IIS404Handler, Sitecore.Kernel" />
     with this line
     <processor type="Sitecore.Support.Pipelines.PreprocessRequest.IIS404Handler, Sitecore.Support.424428" />
  3. In the section <preprocessRequest help="Processors should derive from Sitecore.Pipelines.PreprocessRequest.PreprocessRequestProcessor">
     change this line
     <param desc="Blocked extensions that do not stream files (comma separated)"></param>
     and add the "dll" extension:
     <param desc="Blocked extensions that do not stream files (comma separated)">dll</param>
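To confirm that steps 2 and 3 were actually applied to a web.config, the following audit script is an added example (not Sitecore's own code or part of the fix package). It parses the file with the standard library, looks up the preprocessRequest pipeline, and reports whether the support IIS404Handler is referenced and whether "dll" is in the blocked-extensions param; the two web.config fragments embedded below are constructed samples, and the processor that hosts the param is a placeholder name.

```python
"""Audit a Sitecore web.config for the two changes required by Fix #424428."""
import xml.etree.ElementTree as ET

ORIGINAL_HANDLER = "Sitecore.Pipelines.PreprocessRequest.IIS404Handler, Sitecore.Kernel"
PATCHED_HANDLER = ("Sitecore.Support.Pipelines.PreprocessRequest.IIS404Handler, "
                   "Sitecore.Support.424428")
BLOCKED_DESC = "Blocked extensions that do not stream files (comma separated)"


def _norm(type_attr):
    # Compare type references with all whitespace removed ("A, B" == "A,B").
    return "".join(type_attr.split())


def audit_web_config(xml_text):
    """Return findings for the preprocessRequest pipeline; 'fixed' is True only
    when the patched handler replaced the original AND 'dll' is blocked."""
    root = ET.fromstring(xml_text)
    pipeline = root.find(".//preprocessRequest")
    findings = {"pipeline_found": pipeline is not None, "patched_handler": False,
                "original_handler": False, "dll_blocked": False, "fixed": False}
    if pipeline is None:
        return findings
    for proc in pipeline.iter("processor"):
        ptype = _norm(proc.get("type", ""))
        findings["patched_handler"] |= ptype == _norm(PATCHED_HANDLER)
        findings["original_handler"] |= ptype == _norm(ORIGINAL_HANDLER)
    for param in pipeline.iter("param"):
        if param.get("desc") == BLOCKED_DESC:
            exts = [e.strip().lower() for e in (param.text or "").split(",") if e.strip()]
            findings["dll_blocked"] = "dll" in exts
    findings["fixed"] = (findings["patched_handler"] and not findings["original_handler"]
                         and findings["dll_blocked"])
    return findings


# Constructed sample fragments (placeholder processor "Example.Filter, Example").
SAMPLE_UNPATCHED = """<configuration><sitecore><pipelines>
<preprocessRequest help="Processors should derive from Sitecore.Pipelines.PreprocessRequest.PreprocessRequestProcessor">
<processor type="Sitecore.Pipelines.PreprocessRequest.IIS404Handler, Sitecore.Kernel" />
<processor type="Example.Filter, Example">
<param desc="Blocked extensions that do not stream files (comma separated)"></param>
</processor></preprocessRequest></pipelines></sitecore></configuration>"""

SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace(ORIGINAL_HANDLER, PATCHED_HANDLER).replace(
    '(comma separated)"></param>', '(comma separated)">dll</param>')

if __name__ == "__main__":
    for name, cfg in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED)):
        print(name, audit_web_config(cfg))
```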