sitecore_scan 0.0.3 → 0.0.4

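--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: bd30c3c23e866d2f966d0b69cf5ebc3d23a6008661ad2b127f186fa6944e3917
-data.tar.gz: 4d4f9c8c9acf5be5ec3171e417a104a9a6c1408bf28962882f567f07218c99ce
+metadata.gz: b678037d9c8815435b9e010914c27478105b0edb7b5d3c894cfb1fccb7cb3107
+data.tar.gz: 7da2e224e3427c8e9f8f34b42acc1970e5ccfd3ccfccbd7e27b956e53a1efdf7
 SHA512:
-metadata.gz: bd74227b8846e8168fad58a01f392fb36dc0b1fb0c482a3763518e8f9256e3beadca1634fbb3d1519c0f5d757a8f4689ce07b2029d1a9ce9e5f118f9947450cc
-data.tar.gz: 30462814098889ac8b478435d469f86c34e4a05b4cb824d83ffb8b94331a22193edabce3bd6af5d5c793c07fb3e49a73e9301acec2de6f5e17baa9a498d5bd8a
+metadata.gz: 487fb1c72d1adf02654b5b22d887bc0d1774f5521ff299c04dfbf8f57e2ecf819bcc2cc732bef59bad37cf1c026bbe701716432c0d67c793ec2717768aa3ac85
+data.tar.gz: ae6bb06f1925ab086b744ea4cd46768028a95af647da39c240cc64a8d59b5bd569044fe338f2a9d2e6f7473622054cdec110d0004a23195dca7ed319a58a2582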
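--- a/data/bin/sitecore-scan
+++ b/data/bin/sitecore-scan
@@ -93,8 +93,7 @@ def scan(url, check: true, insecure: false, verbose: false)
 
 # Check if the URL is Sitecore
 if check
-is_sitecore = SitecoreScan::detectSitecore(url)
-unless is_sitecore
+unless SitecoreScan::detectSitecore(url)
 puts '- Sitecore not found'
 exit(1)
 end
@@ -106,20 +105,19 @@ def scan(url, check: true, insecure: false, verbose: false)
 puts "+ Version: #{version}" if version
 
 # Check if Glimpse debugging is enabled
-glimpse = SitecoreScan::glimpseDebugging(url)
-puts "+ Glimpse debugging is enabled" if glimpse
+puts "+ Glimpse debugging is enabled" if SitecoreScan::glimpseDebugging(url)
 
 # Check if SOAP API is accessible
-soap_api = SitecoreScan::soapApi(url)
-puts "+ SOAP API is available" if soap_api
+puts "+ SOAP API is available" if SitecoreScan::soapApi(url)
+
+# Check if MVC Device Simulator allows file disclosure
+puts "+ MVC Device Simulator allows file disclosure" if SitecoreScan::mvcDeviceSimulatorFileDisclosure(url)
 
 # Check if Executive Insight Dashboard reporting is accessible
-reporting = SitecoreScan::dashboardReporting(url)
-puts "+ Executive Insight Dashboard reporting is available" if reporting
+puts "+ Executive Insight Dashboard reporting is available" if SitecoreScan::dashboardReporting(url)
 
 # Check if Telerik Web UI is accessible
-telerik = SitecoreScan::telerikWebUi(url)
-puts "+ Telerik Web Ui is available" if telerik
+puts "+ Telerik Web Ui is available" if SitecoreScan::telerikWebUi(url)
 
 puts "Scan finished at #{Time.now.getutc}"
 puts '-' * 60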
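Review bot: The comment above the new MVC Device Simulator line in the second hunk should say what the probe does on the wire, because the library side of this same commit requests `api/sitecore/.../Preview?previewPath=/App_Data/license.xml`, so a positive output line means the target's license file was returned to the scanner. Suggest `# Check if MVC Device Simulator allows file disclosure (SC2023-001-568150, retrieves /App_Data/license.xml when vulnerable)` so an operator reading the script knows this check is not passive. The surrounding `scan` definition begins before the hunk and may continue past it.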
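--- a/data/lib/sitecore_scan.rb
+++ b/data/lib/sitecore_scan.rb
@@ -11,7 +11,7 @@ require 'openssl'
 require 'stringio'
 
 class SitecoreScan
-VERSION = '0.0.3'.freeze
+VERSION = '0.0.4'.freeze
 
 def self.logger
 @logger
@@ -30,13 +30,27 @@ class SitecoreScan
 end
 
 #
-# Check if URL is running Sitecore using edit mode
+# Check if URL is running Sitecore
 #
 # @param [String] URL
 #
 # @return [Boolean]
 #
 def self.detectSitecore(url)
+return true if detectSitecoreEditMode(url)
+return true if detectSitecoreErrorRedirect(url)
+
+false
+end
+
+#
+# Check if URL is running Sitecore using edit mode
+#
+# @param [String] URL
+#
+# @return [Boolean]
+#
+def self.detectSitecoreEditMode(url)
 url += '/' unless url.to_s.end_with? '/'
 res = sendHttpRequest("#{url}?sc_mode=edit")
 
@@ -49,6 +63,25 @@ class SitecoreScan
 false
 end
 
+#
+# Check if URL is running Sitecore using error redirect
+#
+# @param [String] URL
+#
+# @return [Boolean]
+#
+def self.detectSitecoreErrorRedirect(url)
+url += '/' unless url.to_s.end_with? '/'
+res = sendHttpRequest("#{url}#{('a'..'z').to_a.shuffle[0,8].join}.aspx")
+
+return false unless res
+
+return true if res['sitecore-item']
+return true if res.code.to_i == 302 && res['location'].to_s.downcase.include?('sitecore/service/notfound.aspx')
+
+false
+end
+
 #
 # Retrieve Sitecore version from Login page
 #
@@ -109,6 +142,28 @@ class SitecoreScan
 true
 end
 
+#
+# Check if MVC Device Simulator allows file disclosure (SC2023-001-568150)
+# https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002925
+# https://blog.assetnote.io/2023/05/10/sitecore-round-two/
+#
+# @param [String] URL
+#
+# @return [Boolean]
+#
+def self.mvcDeviceSimulatorFileDisclosure(url)
+url += '/' unless url.to_s.end_with? '/'
+res = sendHttpRequest("#{url}api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview?previewPath=/App_Data/license.xml")
+
+return false unless res
+return false unless res.code.to_i == 200
+return false unless res.body.to_s.include?('<?xml')
+return false unless res.body.to_s.include?('sitecore')
+return false unless res.body.to_s.include?('signedlicense')
+
+true
+end
+
 #
 # Check if Executive Insight Dashboard reporting is accessible (CVE-2021-42237)
 # https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
@@ -123,7 +178,7 @@ class SitecoreScan
 
 return false unless res
 return false unless res.code.to_i == 200
-return false unless res.body.to_s.include? 'Sitecore.Analytics.Reporting'
+return false unless res.body.to_s.include?('Sitecore.Analytics.Reporting')
 
 true
 end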
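Review bot: In the `mvcDeviceSimulatorFileDisclosure` hunk, `res.body.to_s` is re-evaluated on three consecutive lines; bind it once after the status check and test the bound value, `body = res.body.to_s` followed by `return false unless body.include?('<?xml')` and the same substitution on the two lines below it. A positive result means the server has returned the contents of App_Data/license.xml to the scanner, so the body should only be inspected here and never echoed or persisted; whether `sendHttpRequest` logs response bodies at verbose level is outside this diff and worth confirming. The enclosing `class SitecoreScan` opens and closes outside these hunks.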
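--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sitecore_scan
 version: !ruby/object:Gem::Version
-version: 0.0.3
+version: 0.0.4
 platform: ruby
 authors:
 - Brendan Coles
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-02-09 00:00:00.000000000 Z
+date: 2024-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: logger
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.4'
+version: '1.6'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.4'
+version: '1.6'
 description: A simple remote scanner for Sitecore CMS
 email: bcoles@gmail.com
 executables:
@@ -37,7 +37,7 @@ homepage: https://github.com/bcoles/sitecore_scan
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -45,15 +45,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.0.0
+version: 2.5.0
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.3.26
+signing_key:
 specification_version: 4
 summary: Sitecore scanner
 test_files: []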