Sitecore Hardening - Limiting Access to .XML, .XSLT, and .MRT Files , Issues & how to fix it

 

There was a vulnerability reported related to robots.txt during a pen test.

In this case, it has been detected that information is being disclosed about the path of the sitemap.xml file which list all the endpoints of the application.

In the same vein, sitemap.xml reveals information about the features of the application's private section.

 

To resolve the solution was to limit access to .xml files, which is suggested by Sitecore

https://doc.sitecore.com/xp/en/developers/93/platform-administration-and-architecture/limit-access-to-xml,-xslt,-and-mrt-files.html

But in spite of updating the web.config with the handlers mentioned below the Sitecore website was ignoring the handlers and still continuing to process the sitemap.xml like a normal request.

<add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>

<add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>

<add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>

<add path="*.mrt" verb="*" type="System.Web.HttpForbiddenHandler" name="mrt (integrated)" preCondition="integratedMode"/>

 

 

This was confirmed by looking at IIS Logs

2022-01-18 07:23:50 127.0.0.1 GET /portal/sitemap.xml - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/97.0.4692.71+Safari/537.36 - 200 0 0 15


2022-01-18 07:23:59 127.0.0.1 GET /portal/sitemap.xml - 80 - 127.0.0.1 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/97.0.4692.71+Safari/537.36 - 200 0 0 9

 

Deep dive analysis revealed that the static file handler was overriding the . xml (integrated)handler

<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />

 

So, there were two possible solutions to overcome this behavior

Option 1 - Remove static file handler

But this solution will impact on other static files served from the app service

<handlers>

<remove name="StaticFile" />

Option 2 – File Extension Filtering (Preferred)

<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="524288000" />
<fileExtensions>
<add fileExtension=".xml" allowed="false" />

<add fileExtension=".xslt " allowed="false" />
<add fileExtension=".mrt " allowed="false" />
</fileExtensions>
</requestFiltering>
</security>

 

 

 

 

 

Comments

Post a Comment

Popular posts from this blog

Sitecore: Performance issue on page load, Analytics?

Image
  Background of Infra: ·           The App service is hosted inside Isolated App Service Environment. ·          Sitecore XP Scaled topology used. ·          Sitecore Version: 9.1.1   Issue & Troubleshooting The website started experiencing slowness in Page load, sometimes it was taking more than a minute. On checking the Profiler trace it was found that the Sitecore analytics process is getting blocked while creating a tracker object.     StackTrace     ROOT    Sitecore.Mvc!Sitecore.Mvc.Routing.RouteHttpHandler.BeginProcessRequest     Sitecore.Mvc!Sitecore.Mvc.Pipelines.PipelineService.RunPipeline     Sitecore.Kernel!Sitecore.Pipelines.DefaultCorePipelineManager.Run     Sitecore.Kernel!Sitecore.Pipelines.DefaultCorePipelineManager.Run     Si...
Read more

Sitecore App Service Backup Problems and solutions

    1.        Backup Size crossing the threshold a.        Problem The Microsoft threshold for backups is 10 GB. Sometimes there are situations encountered where the Web App size has crossed this limit and because of which the backups would fail. b.        Solution All files from /App_Data are either:   ·          Temporary files for caching purposes ·          Diagnostic data for debugging purposes They shouldn't affect any Sitecore functionalities if they are not restored from the backup files. But in case if there are any missing files from /App_Data in the future, some of them would automatically populate itself with data.   Create a Backup Filter 1)        Create a file named _backup.filter in D:\home\site\wwwroot through Kudu console ( h...
Read more

How to go to a Complete Sitecore Cloud Native from Sitecore XP?

Image
  How to go to a Complete Sitecore Cloud Native from Sitecore XP. Introduction   In this blog, I’ll try to explain the need to consider going towards a Sitecore Cloud Native solution while upgrading your Sitecore solution to 10.x version & also a high-level road map to get there. Why Sitecore Cloud Native? ·        Tech landscape will be in line with industry trend Microservices-based, API-first, Cloud-native, and Headless (MACH) compliant ·        Sitecore CDP is better and more advanced integration and analytics (in line with current trend of “cookie less marketing”) ·        Sitecore Cloud Native solution is completely different from the way XP works. Here we can plug and play SaaS Components like Personalize, send etc as and when required. ·        Whereas Sitecore XP license brings in all the components as it is a monolithic architectur...
Read more