In this Section

Sense of Security – Security Advisory – SOS-12-009 – Ektron CMS Multiple Vulnerabilities

pdf_symbol

 

Release Date. 05-Sep-2012
Last Update.
Vendor Notification Date. 07-May-2012
Product. Ektron CMS
Platform. ASP.NET
Affected versions. Ektron CMS version 8.5.0 and possibly others
Severity Rating. High
Impact. Exposure of sensitive information
  Exposure of system information
  System Access
Attack Vector. Remote with authentication
Solution Status. Fixed in version 8.6 (not verified by SOS)
CVE reference. CVE- Not yet assigned

 

Details.

The web application is vulnerable to multiple security vulnerabilities, such as Unauthenticated File Upload and XML eXternal Entities (XXE) injection.

 

1.Unauthenticated File Upload:

The form /WorkArea/Upload.aspx does not require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image and specifying the ASPX extension it is

possible to upload ASPX code to /uploadedimages/. The ASPX code is placed in the comment section of the JPEG so that it survives image resizing.

 

2.XXE Injection:

The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity attacks which can be used to Scan behind perimeter firewalls or possibly include files from the local file

system e.g.

<!DOCTYPE scan [<!ENTITY test SYSTEM &quot;http://localhost:22&quot;>]>

<scan>&amp;test;</scan>

 

Solution.

Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.

 

Discovered by.

Phil Taylor and Nadeem Salim from Sense of Security Labs.