Advisory: Upload Malicious File in Kentico CMS (CVE-2018-19453)

Hive Intelligence, published in Hivint Blog, Jan 9, 2019

Upload Malicious File in Kentico CMS
====================
Affected Vendor: Kentico — https://www.kentico.com
Affected Software: Kentico CMS
Affected Version: Tested on 11.0
Issue type: Unrestricted Upload of File with Dangerous Type
Release Date: 08/01/2019
Discovered by: Harold Zang, Hivint
CVE Identifier: CVE-2018-19453
Issue status: Fixed (Hotfix 11.0.45)

Summary
======
Kentico CMS is a popular ASP.NET Content Management System (CMS) commonly used for building web-based sites and online stores, with multisite and E-commerce functionality.

Description
=======
Kentico CMS is vulnerable to an unrestricted file upload attack. The forum attachment feature accepts a file with an allowed extension (for example “.jpg”) whose content is HTML and JavaScript, and stores and later serves it with the Content-Type supplied by the client rather than one derived from the file itself. A malicious attacker can use this to upload dangerous file types and perform attacks such as stored Cross-Site Scripting (XSS) and Cross-Origin Resource Sharing (CORS) attacks.

Impact
=====
An attacker is able to attach a file containing malicious JavaScript to a Kentico Forum thread and have this file, together with the attacker-chosen Content-Type, stored in the application’s database. When application users open the attached file, it is served as text/html from the Kentico site’s own origin, and the malicious JavaScript executes within their browsers in the context of that site.

Proof of concept
=========
1. Create a sample malicious file with the file extension “.jpg” containing the following JavaScript:
<html>
<script>alert(/xss/);</script>
</html>
2. Navigate to the Kentico Forum.
3. Click “New thread”.
4. In the New thread form, fill in the required fields, select “Attach file(s)” and post the form.
5. Upload the sample file above as an attachment.
6. Intercept the upload request and change the “Content-Type:” header sent with the file from “Content-Type: image/jpeg” to “Content-Type: text/html”.
7. Click on the attached file in the thread and observe the JavaScript being executed.

Solution
=====
As an immediate workaround, Kentico recommends setting the “Attach files” permission to “Nobody” in the Forum’s security settings, which disables attachments entirely. The vendor has also released Hotfix 11.0.45, which addresses the issue.
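The root cause in the proof of concept above is that the server trusts the Content-Type the client sent with the upload and echoes it back when the attachment is served. The following is an added example, not Kentico’s code and not the vendor’s hotfix: it models the vulnerable store-and-serve behaviour beside a hardened version that derives the MIME type from an extension allow-list and the file’s magic bytes, and serves attachments as downloads with sniffing disabled. The allow-list, the function names and the sample inputs (the advisory’s PoC file and a synthetic JPEG header) are assumptions constructed for the example.

```python
import os

# Constructed sample input: the PoC file from the advisory, a ".jpg" whose bytes are HTML.
POC_FILENAME = "poc.jpg"
POC_BODY = b"<html>\n<script>alert(/xss/);</script>\n</html>\n"
# Constructed: a JPEG prefix (SOI marker + APP0/JFIF segment), standing in for a benign upload.
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

# Assumed allow-list of attachment types: extension -> (canonical MIME type, magic-byte prefixes).
# A forum needs only a small, fixed set; extend it deliberately, never from uploader-controlled input.
ALLOWED = {
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}


def vulnerable_store(filename, declared_type, data):
    """Models the behaviour the advisory describes: whatever Content-Type the
    client sent with the file is stored and later served back verbatim."""
    return {"name": filename, "content_type": declared_type, "data": data}


def hardened_store(filename, declared_type, data):
    """Reject anything not on the allow-list or whose bytes do not match the
    extension. The stored MIME type comes from the allow-list, never from the
    request; `declared_type` is kept only so a mismatch can be logged."""
    base = os.path.basename(filename)
    ext = os.path.splitext(base.lower())[1]
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext!r} not allowed")
    canonical, magics = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        raise ValueError(f"content of {base!r} does not look like {canonical}")
    return {
        "name": base,
        "content_type": canonical,
        "declared_type": declared_type,  # audit only, never used when serving
        "data": data,
    }


def serve_vulnerable(record):
    """Response headers when the stored type is echoed and nothing else is set."""
    return {"Content-Type": record["content_type"]}


def serve_hardened(record):
    """Always serve attachments as downloads with MIME sniffing disabled, so even a
    mislabelled file is never rendered as a page in the forum's origin."""
    safe_name = record["name"].replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": record["content_type"],
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def browser_would_run_script(headers):
    """Simplified model of browser behaviour: an inline text/html response is
    parsed and its <script> runs; an attachment is downloaded, not rendered."""
    mime = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "").strip().lower()
    return mime == "text/html" and not disposition.startswith("attachment")


if __name__ == "__main__":
    bad = vulnerable_store(POC_FILENAME, "text/html", POC_BODY)
    print("vulnerable path executes script:", browser_would_run_script(serve_vulnerable(bad)))
    try:
        hardened_store(POC_FILENAME, "text/html", POC_BODY)
    except ValueError as e:
        print("hardened path rejected upload:", e)
    good = hardened_store("photo.jpg", "text/html", JPEG_BODY)  # declared type is ignored
    print("hardened path serves as:", serve_hardened(good)["Content-Type"])
```

The two checks are independent on purpose: the allow-list plus magic-byte test stops the PoC at upload time, and the attachment disposition with nosniff protects files that were already stored before the fix, which is the case for a forum that ran the vulnerable version for a while.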

Response timeline
==========
18/11/2018 — Found the issue.
18/11/2018 — Vendor notified.
27/11/2018 — Patch available for 11.0 (Hotfix 11.0.45)
