sitecore_scan 0.0.3 → 0.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. checksums.yaml +4 -4
  2. data/bin/sitecore-scan +8 -10
  3. data/lib/sitecore_scan.rb +58 -3
  4. metadata +9 -9
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bd30c3c23e866d2f966d0b69cf5ebc3d23a6008661ad2b127f186fa6944e3917
4
- data.tar.gz: 4d4f9c8c9acf5be5ec3171e417a104a9a6c1408bf28962882f567f07218c99ce
3
+ metadata.gz: b678037d9c8815435b9e010914c27478105b0edb7b5d3c894cfb1fccb7cb3107
4
+ data.tar.gz: 7da2e224e3427c8e9f8f34b42acc1970e5ccfd3ccfccbd7e27b956e53a1efdf7
5
5
  SHA512:
6
- metadata.gz: bd74227b8846e8168fad58a01f392fb36dc0b1fb0c482a3763518e8f9256e3beadca1634fbb3d1519c0f5d757a8f4689ce07b2029d1a9ce9e5f118f9947450cc
7
- data.tar.gz: 30462814098889ac8b478435d469f86c34e4a05b4cb824d83ffb8b94331a22193edabce3bd6af5d5c793c07fb3e49a73e9301acec2de6f5e17baa9a498d5bd8a
6
+ metadata.gz: 487fb1c72d1adf02654b5b22d887bc0d1774f5521ff299c04dfbf8f57e2ecf819bcc2cc732bef59bad37cf1c026bbe701716432c0d67c793ec2717768aa3ac85
7
+ data.tar.gz: ae6bb06f1925ab086b744ea4cd46768028a95af647da39c240cc64a8d59b5bd569044fe338f2a9d2e6f7473622054cdec110d0004a23195dca7ed319a58a2582
data/bin/sitecore-scan CHANGED
@@ -93,8 +93,7 @@ def scan(url, check: true, insecure: false, verbose: false)
93
93
 
94
94
  # Check if the URL is Sitecore
95
95
  if check
96
- is_sitecore = SitecoreScan::detectSitecore(url)
97
- unless is_sitecore
96
+ unless SitecoreScan::detectSitecore(url)
98
97
  puts '- Sitecore not found'
99
98
  exit(1)
100
99
  end
@@ -106,20 +105,19 @@ def scan(url, check: true, insecure: false, verbose: false)
106
105
  puts "+ Version: #{version}" if version
107
106
 
108
107
  # Check if Glimpse debugging is enabled
109
- glimpse = SitecoreScan::glimpseDebugging(url)
110
- puts "+ Glimpse debugging is enabled" if glimpse
108
+ puts "+ Glimpse debugging is enabled" if SitecoreScan::glimpseDebugging(url)
111
109
 
112
110
  # Check if SOAP API is accessible
113
- soap_api = SitecoreScan::soapApi(url)
114
- puts "+ SOAP API is available" if soap_api
111
+ puts "+ SOAP API is available" if SitecoreScan::soapApi(url)
112
+
113
+ # Check if MVC Device Simulator allows file disclosure
114
+ puts "+ MVC Device Simulator allows file disclosure" if SitecoreScan::mvcDeviceSimulatorFileDisclosure(url)
115
115
 
116
116
  # Check if Executive Insight Dashboard reporting is accessible
117
- reporting = SitecoreScan::dashboardReporting(url)
118
- puts "+ Executive Insight Dashboard reporting is available" if reporting
117
+ puts "+ Executive Insight Dashboard reporting is available" if SitecoreScan::dashboardReporting(url)
119
118
 
120
119
  # Check if Telerik Web UI is accessible
121
- telerik = SitecoreScan::telerikWebUi(url)
122
- puts "+ Telerik Web Ui is available" if telerik
120
+ puts "+ Telerik Web Ui is available" if SitecoreScan::telerikWebUi(url)
123
121
 
124
122
  puts "Scan finished at #{Time.now.getutc}"
125
123
  puts '-' * 60
data/lib/sitecore_scan.rb CHANGED
@@ -11,7 +11,7 @@ require 'openssl'
11
11
  require 'stringio'
12
12
 
13
13
  class SitecoreScan
14
- VERSION = '0.0.3'.freeze
14
+ VERSION = '0.0.4'.freeze
15
15
 
16
16
  def self.logger
17
17
  @logger
@@ -30,13 +30,27 @@ class SitecoreScan
30
30
  end
31
31
 
32
32
  #
33
- # Check if URL is running Sitecore using edit mode
33
+ # Check if URL is running Sitecore
34
34
  #
35
35
  # @param [String] URL
36
36
  #
37
37
  # @return [Boolean]
38
38
  #
39
39
  def self.detectSitecore(url)
40
+ return true if detectSitecoreEditMode(url)
41
+ return true if detectSitecoreErrorRedirect(url)
42
+
43
+ false
44
+ end
45
+
46
+ #
47
+ # Check if URL is running Sitecore using edit mode
48
+ #
49
+ # @param [String] URL
50
+ #
51
+ # @return [Boolean]
52
+ #
53
+ def self.detectSitecoreEditMode(url)
40
54
  url += '/' unless url.to_s.end_with? '/'
41
55
  res = sendHttpRequest("#{url}?sc_mode=edit")
42
56
 
@@ -49,6 +63,25 @@ class SitecoreScan
49
63
  false
50
64
  end
51
65
 
66
+ #
67
+ # Check if URL is running Sitecore using error redirect
68
+ #
69
+ # @param [String] URL
70
+ #
71
+ # @return [Boolean]
72
+ #
73
+ def self.detectSitecoreErrorRedirect(url)
74
+ url += '/' unless url.to_s.end_with? '/'
75
+ res = sendHttpRequest("#{url}#{('a'..'z').to_a.shuffle[0,8].join}.aspx")
76
+
77
+ return false unless res
78
+
79
+ return true if res['sitecore-item']
80
+ return true if res.code.to_i == 302 && res['location'].to_s.downcase.include?('sitecore/service/notfound.aspx')
81
+
82
+ false
83
+ end
84
+
52
85
  #
53
86
  # Retrieve Sitecore version from Login page
54
87
  #
@@ -109,6 +142,28 @@ class SitecoreScan
109
142
  true
110
143
  end
111
144
 
145
+ #
146
+ # Check if MVC Device Simulator allows file disclosure (SC2023-001-568150)
147
+ # https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002925
148
+ # https://blog.assetnote.io/2023/05/10/sitecore-round-two/
149
+ #
150
+ # @param [String] URL
151
+ #
152
+ # @return [Boolean]
153
+ #
154
+ def self.mvcDeviceSimulatorFileDisclosure(url)
155
+ url += '/' unless url.to_s.end_with? '/'
156
+ res = sendHttpRequest("#{url}api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview?previewPath=/App_Data/license.xml")
157
+
158
+ return false unless res
159
+ return false unless res.code.to_i == 200
160
+ return false unless res.body.to_s.include?('<?xml')
161
+ return false unless res.body.to_s.include?('sitecore')
162
+ return false unless res.body.to_s.include?('signedlicense')
163
+
164
+ true
165
+ end
166
+
112
167
  #
113
168
  # Check if Executive Insight Dashboard reporting is accessible (CVE-2021-42237)
114
169
  # https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
@@ -123,7 +178,7 @@ class SitecoreScan
123
178
 
124
179
  return false unless res
125
180
  return false unless res.code.to_i == 200
126
- return false unless res.body.to_s.include? 'Sitecore.Analytics.Reporting'
181
+ return false unless res.body.to_s.include?('Sitecore.Analytics.Reporting')
127
182
 
128
183
  true
129
184
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: sitecore_scan
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.3
4
+ version: 0.0.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Brendan Coles
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-02-09 00:00:00.000000000 Z
11
+ date: 2024-05-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: logger
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - "~>"
18
18
  - !ruby/object:Gem::Version
19
- version: '1.4'
19
+ version: '1.6'
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - "~>"
25
25
  - !ruby/object:Gem::Version
26
- version: '1.4'
26
+ version: '1.6'
27
27
  description: A simple remote scanner for Sitecore CMS
28
28
  email: bcoles@gmail.com
29
29
  executables:
@@ -37,7 +37,7 @@ homepage: https://github.com/bcoles/sitecore_scan
37
37
  licenses:
38
38
  - MIT
39
39
  metadata: {}
40
- post_install_message:
40
+ post_install_message:
41
41
  rdoc_options: []
42
42
  require_paths:
43
43
  - lib
@@ -45,15 +45,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
45
45
  requirements:
46
46
  - - ">="
47
47
  - !ruby/object:Gem::Version
48
- version: 2.0.0
48
+ version: 2.5.0
49
49
  required_rubygems_version: !ruby/object:Gem::Requirement
50
50
  requirements:
51
51
  - - ">="
52
52
  - !ruby/object:Gem::Version
53
53
  version: '0'
54
54
  requirements: []
55
- rubygems_version: 3.3.7
56
- signing_key:
55
+ rubygems_version: 3.3.26
56
+ signing_key:
57
57
  specification_version: 4
58
58
  summary: Sitecore scanner
59
59
  test_files: []