This post has been migrated from www.experimentsincode.com, we apologise if some of the images or content is missing

This post was originally published on 26 Nov 2008 and applies to Sitecore 5.3.

Before I continue I want to make it clear that I contacted Sitecore support about this security risk on 8 October 2008. They have since updated their installation docs, but I am unsure whether they have sent a notice to Sitecore partners. Anyway, the problem...

I happened to stumble on Sean Kearney's blog about the Sitecore REST API. "REST" should be taken in the loosest sense of the word: this is not a proper REST API, but it does allow you to pull the data contained in items in the Master database. This got me thinking: what are the security implications?

First, a few details about the REST API. The file in question lives at /sitecore/rest.aspx. The problem is that most developers do not even know this file exists. So I looked through SDN5 to see what Sitecore has to say about it; the post-installation steps in the Sitecore install guide do not mention this file at all, and a quick search of SDN5 also reveals nothing.

So why is this file such a problem? Because it ignores Sitecore's built-in security model and retrieves all the data about an item. The best way to explain this is with an example. I am using the default site that ships with the Xpress edition Sitecore has released (I am only using this site for the demo; the problem affects other versions of Sitecore as well).

First, let's visit a page in the Help section, say the Administrators page:

Missing Image

I can quite happily navigate to this page, as you would expect. Now, using the REST API supplied by Sitecore, I can also access the data in this page:

Missing Image

The full URL for this request was:
http://localhost/sitecore/rest.aspx?itemPath=/sitecore/content/Help/Administrators&_method=GetItemData
Already, without doing anything special, there is a problem. The REST API has output every field in the item; I had no control over which fields were rendered. This means that any sensitive data stored in fields I never expected to be rendered is shown to the user. That includes fields you might deny read access to: the REST API ignores the security settings.

However, let's continue and see what else I can do. Say that for some reason I want users to log in to the site to see different parts of it. Users log in as Sitecore Extranet users, and I want to use the Sitecore security tools to restrict different sections of the site to certain extranet users. I decided to restrict the Administrators page, so the first step is to stop everyone from gaining access to it. I do this in the Sitecore Security Editor by denying read access to the Everyone role:

Missing Image

Now let's try to navigate to this page in a normal web browser. I get the response I expect:

Missing Image

So most developers who may not know about the REST API would be happy at this point (I know I was). But look at what happens if I enter the REST API URL from before:

Missing Image

What just happened? The REST API has completely ignored the security settings we set on the item and returned all the data. This means my secure content is not secure at all.

Now some of you might be thinking "someone would have to guess the URL to the Administrators page to get the content", but this is not true. In Sean Kearney's blog he details another very useful method value, "GetChildInfo". Using this we can easily find the Administrators page. Let's look at the child information for the parent of the Administrators page using this URL:

Missing Image

In the returned XML we can see the Administrators page.
Using these two methods a hacker can quickly spider the site through the REST API and compare the hierarchy with the public site to see which areas are protected and should not be publicly visible; the data in those protected areas is then compromised.

Luckily the solution is simple: remove the rest.aspx file from the "sitecore" directory. Without it the REST API does not work. You may find that some of your Sitecore sites do not contain this file, or that on others any attempt to access it throws an error, but for a large proportion of sites this problem still exists.
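Two checks a site owner would want after reading this, as an added example that is not part of the original post or of Sitecore's own code: a scan of IIS access-log lines for calls to /sitecore/rest.aspx (flagging clients that walk the tree with GetChildInfo and GetItemData), and a check that the file has actually been removed from the webroot. The log lines, the reduced W3C field set and the webroot path are constructed for the example.

```python
from collections import Counter
from pathlib import Path
from urllib.parse import parse_qs

# Constructed sample of IIS W3C access-log lines (a reduced field set is assumed):
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-11-26 10:01:02 GET /Help/Administrators.aspx - 10.0.0.5 401
2008-11-26 10:01:10 GET /sitecore/rest.aspx itemPath=/sitecore/content/Help&_method=GetChildInfo 10.0.0.5 200
2008-11-26 10:01:11 GET /sitecore/rest.aspx itemPath=/sitecore/content/Help/Administrators&_method=GetItemData 10.0.0.5 200
2008-11-26 10:01:12 GET /sitecore/rest.aspx itemPath=/sitecore/content/Help/Editors&_method=GetItemData 10.0.0.5 200
2008-11-26 10:02:00 GET /Help/Editors.aspx - 10.0.0.9 200
"""

REST_PATH = "/sitecore/rest.aspx"  # the endpoint the post describes


def find_rest_requests(log_text):
    """Return one record per request that reached rest.aspx; '#' comment lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, _verb, stem, query, ip, status = line.split()
        if stem.lower() != REST_PATH:
            continue
        params = parse_qs("" if query == "-" else query)
        hits.append({
            "ip": ip,
            "method": params.get("_method", ["?"])[0],
            "item_path": params.get("itemPath", ["?"])[0],
            "status": int(status),
        })
    return hits


def enumeration_sources(log_text, threshold=2):
    """Client IPs with more than `threshold` successful rest.aspx calls: likely tree walking."""
    counts = Counter(h["ip"] for h in find_rest_requests(log_text) if h["status"] == 200)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def rest_endpoint_present(webroot):
    """Mitigation check: True while rest.aspx still exists under the site's webroot."""
    return (Path(webroot) / "sitecore" / "rest.aspx").is_file()
```

Run find_rest_requests over a real log export to see which item paths were pulled, and rest_endpoint_present against each site's webroot to confirm the file is gone.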