| Release Date. | 05-Sep-2012 |
| Last Update. | – |
| Vendor Notification Date. | 07-May-2012 |
| Product. | Ektron CMS |
| Platform. | ASP.NET |
| Affected versions. | Ektron CMS version 8.5.0 and possibly others |
| Severity Rating. | High |
| Impact. | Exposure of sensitive information |
| Exposure of system information | |
| System Access | |
| Attack Vector. | Remote with authentication |
| Solution Status. | Fixed in version 8.6 (not verified by SOS) |
| CVE reference. | CVE- Not yet assigned |
Details.
The web application is vulnerable to multiple security vulnerabilities, such as Unauthenticated File Upload and XML eXternal Entities (XXE) injection.
1.Unauthenticated File Upload:
The form /WorkArea/Upload.aspx does not require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image and specifying the ASPX extension it is
possible to upload ASPX code to /uploadedimages/. The ASPX code is placed in the comment section of the JPEG so that it survives image resizing.
2.XXE Injection:
The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity attacks which can be used to Scan behind perimeter firewalls or possibly include files from the local file
system e.g.
<!DOCTYPE scan [<!ENTITY test SYSTEM "http://localhost:22">]>
<scan>&test;</scan>
Solution.
Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.
Discovered by.
Phil Taylor and Nadeem Salim from Sense of Security Labs.