Episerver Login Panel

By kannthu

Informative
Vidoc Module
#panel #optimizely #episerver
Description

What is the Episerver Login Panel?

The Episerver Login Panel is a module designed to detect the presence of the Episerver login panel. It targets websites that use the Episerver content management system (CMS). This module is classified as informative, meaning it provides information about the presence of the login panel but does not indicate any vulnerability or misconfiguration.

Author: William Söderberg @ WithSecure

Impact

The Episerver Login Panel module does not have any direct impact on the website or its security. It simply detects the presence of the login panel, providing information to the user or administrator.

How does the module work?

The Episerver Login Panel module works by sending a GET request to the "/episerver/cms" path of the target website. It then applies two matching conditions to determine if the login panel is present:

    - The first matching condition uses a regular expression to check if the response URL contains the string "Util.*%2fepiserver%2fcms". This pattern is used to identify the login panel URL.
    - The second matching condition checks if the response status code is 302, indicating a redirect. This is another indicator of the presence of the login panel.

If both matching conditions are met, the module reports the detection of the Episerver login panel.
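
The two matching conditions above, as an added example (not Vidoc's or the module author's code) that evaluates them over a response's status code and redirect target. It assumes the regex is applied to the redirect's Location header; the function names and the sample responses are constructed for illustration.

```python
import http.client
import re

# Values taken from the module preview on this page.
PROBE_PATH = "/episerver/cms"
PANEL_REGEX = re.compile(r"Util.*%2fepiserver%2fcms")
EXPECTED_STATUS = 302


def evaluate(status, location):
    """Apply both matching conditions; the panel is reported only if both hold."""
    regex_ok = bool(location) and PANEL_REGEX.search(location) is not None
    status_ok = status == EXPECTED_STATUS
    return {"regex": regex_ok, "status": status_ok, "panel": regex_ok and status_ok}


def probe(host, port=443, timeout=10):
    """Fetch PROBE_PATH once from a host you administer. http.client does not
    follow redirects, so the 302 and its Location header stay visible."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH)
        resp = conn.getresponse()
        return evaluate(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


# Constructed sample responses (status, Location header); not captured traffic.
SAMPLES = {
    "login redirect": (302, "/Util/login.aspx?ReturnUrl=%2fepiserver%2fcms"),
    "same URL, no redirect": (200, "/Util/login.aspx?ReturnUrl=%2fepiserver%2fcms"),
    "unrelated redirect": (302, "/login?next=/episerver/cms"),
    "uppercase percent-encoding": (302, "/Util/login.aspx?ReturnUrl=%2Fepiserver%2Fcms"),
    "no Location header": (302, None),
}

if __name__ == "__main__":
    for name, (status, location) in SAMPLES.items():
        print(f"{name:28} -> {evaluate(status, location)}")
```

The uppercase-encoded sample shows that the pattern is case-sensitive as written, so a redirect target encoded with `%2F` would not be reported.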

Reference: https://docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/changing-edit-and-admin-vi

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /episerver/cms
Matching conditions
regex: Util.*%2fepiserver%2fcms
and
status: 302
Passive global matcher
No matching conditions.
On match action
Report vulnerability