
Should you trust your own website?

15/02/2021

Let’s start with a question:
Should you trust data downloaded from your own website?

As a rule of thumb: NO! Especially not if what you download contains user-generated input, for example data collected from a Sitecore Form.

There is something interesting about this, because editors have a trust relationship with their own site: most editors, I hope, will see their own site as a trustworthy source for downloads, and why shouldn’t they? But is this really true? In this blog post I will give an example of how Sitecore can be used as a vessel to deliver a malicious payload to an unsuspecting editor, the “victim”.

For this I’ve used the latest version of Sitecore, 10.0.1, in XM mode.

To enable this, let’s assume an editor creates a form like the one below, but it could be any form with fields that allow text input.


Now, after publishing the form, the attacker sees the form (sorry for the missing styling :))


For testing purposes I will use a very simple payload, “=1+1*cmd|’/k echo backdor’!z”, which opens a command prompt and displays the text backdoor. More payloads can be found here; also note that there could be other payloads that are more relevant for other applications and not Excel specifically.

The vulnerability used here is better known as CSV injection or formula injection.

Now, after some time, the editor wants to get the data from his newly created form. He logs into Sitecore, navigates to his form and exports the data (by the way, this is the only way to view the data collected by Forms in Sitecore out of the box).

Next, he opens the CSV file in Excel (please note I’ve enabled what can be seen as an insecure setting in Excel, see below).

Now let’s see what happens when the editor opens the CSV file.

Excel does show an alert, and this is where the trust comes into play, because why wouldn’t the editor accept the warning and continue?

So now let’s see what happens after he accepts the warnings.

A nice little command prompt has opened with the text defined in our payload earlier.

So the question is: is this a vulnerability in Sitecore? No, or ….. You could filter out characters that could allow these attacks, or you could simply add a “‘“ in front of all fields when exported; I will leave it to you to decide, but at least you should tell your customers to regard it as an insecure source when downloading content that contains user-generated input. And please MAKE SURE TO DISABLE “enable dynamic data exchange server launch” in Excel. Note this also works for applications other than Excel, maybe with a different payload.
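The second mitigation mentioned above, prefixing exported fields so a spreadsheet treats them as text, is easy to get right in the exporter. The following is an added example, not Sitecore’s export code: a small Python helper that neutralizes any cell whose first character would make Excel (or another spreadsheet) evaluate it as a formula, applied to a constructed submission that contains the payload from this post. The field names and sample rows are made up for the illustration.

```python
import csv
import io

# Leading characters that make spreadsheet applications treat a cell as a
# formula. '=', '+', '-' and '@' are the classic triggers; tab and carriage
# return are included because some importers strip them before checking.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return `value` in a form a spreadsheet will display as plain text.

    A cell that starts with a formula trigger gets a leading single quote,
    the text-literal marker the post suggests. Non-string values (numbers,
    None) are returned unchanged because the CSV writer renders them itself.
    """
    if not isinstance(value, str):
        return value
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_rows(rows):
    """Serialize rows (lists of cell values) to CSV text, neutralizing every
    cell first. The csv module handles quoting of embedded commas, quotes and
    newlines, so the formula check and the CSV escaping stay independent."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample form submissions (hypothetical data, not from the post):
# the payload shown above, a harmless value that merely starts with '-', and a
# handle starting with '@', which Excel would otherwise also treat as a formula.
SAMPLE_ROWS = [
    ["Name", "Comment", "Email"],
    ["Alice", "=1+1*cmd|'/k echo backdor'!z", "alice@example.com"],
    ["Bob", "-5 degrees outside today", "@bob_handle"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```

Two points worth noting: wrapping the cell in double quotes is not a fix on its own, because Excel still evaluates a quoted cell that begins with `=`, so the single-quote prefix (or stripping the trigger characters, at the cost of altering legitimate input such as negative numbers) is what actually defuses the payload; and the prefix is applied per cell rather than per line, so a value that only looks dangerous after CSV unquoting is still covered.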

Categories: Security, Sitecore