Upload Malicious File in Kentico CMS
Affected Vendor: Kentico – https://www.kentico.com
Affected Software: Kentico CMS
Affected Version: Tested on 11.0
Issue type: Unrestricted Upload of File with Dangerous Type
Release Date: 08/01/2019
Discovered by: Harold, Hivint
CVE Identifier: CVE-2018-19453
Issue status: Fixed (Hotfix 11.0.45)
Kentico CMS is a popular ASP.NET Content Management System (CMS) commonly used for building web-based sites and online stores, with multisite and E-commerce functionality.
Kentico CMS is vulnerable to an unrestricted file upload attack. It is possible for a malicious attacker to upload dangerous file types to perform attacks such as Cross-Site Scripting (XSS) and Cross-Origin Resource Sharing (CORS) attacks.
Proof of concept
<html> <script>alert(/xss/);</script> </html>
2. Navigate to the Kentico Forum.
3. Then, click “New thread”.
4. In the New thread, fill in the form, select “Attach file(s)” and post the form.
5. Upload the sample file above as an attachment.
6. Intercept the traffic and change the “Content-Type:” HTTP header from “Content-Type: image/jpeg” to “Content-Type: text/html”.
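The proof of concept works because the stored attachment inherits the client-supplied Content-Type header. The following added example (my own code, not Kentico's) shows the server-side check a defender would place in front of attachment storage: the type is derived from an extension allowlist, confirmed against the file's leading bytes, the declared header is only logged, and the file is served with download-only headers. The function names, the allowlist and the sample inputs are assumptions.

```python
# Added example: validate a forum attachment so that the client's
# "Content-Type" header (the value the PoC tampers with) never decides
# how the file is stored or served. Not Kentico's code.
import os

# Assumed allowlist: extension -> (canonical MIME type, accepted magic-byte prefixes)
ALLOWED = {
    ".jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    ".jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    ".png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    ".pdf":  ("application/pdf", [b"%PDF-"]),
}

def validate_attachment(filename: str, declared_type: str, data: bytes):
    """Return (accepted, server_chosen_type, reason).

    declared_type is what the client sent; it is recorded for detection
    purposes but is never used to decide acceptance or the stored type.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, None, f"extension {ext!r} not in allowlist"
    mime, magics = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        return False, None, "content does not match extension"
    # A header/content mismatch on an otherwise valid file is worth logging.
    reason = "ok" if declared_type == mime else f"declared {declared_type!r}, stored as {mime!r}"
    return True, mime, reason

def download_headers(mime: str, filename: str) -> dict:
    """Response headers that stop a stored attachment rendering in the forum origin."""
    safe_name = os.path.basename(filename).replace('"', "")
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

if __name__ == "__main__":
    # Constructed inputs: the advisory's PoC file sent with the tampered
    # header, then a minimal JPEG header.
    poc = b"<html> <script>alert(/xss/);</script> </html>"
    print(validate_attachment("evil.jpg", "text/html", poc))
    print(validate_attachment("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```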
As an immediate workaround, Kentico has recommended setting the “Attach files” permission to “Nobody” in the Forum’s security settings. The vendor has also released a hotfix (11.0.45).
18/11/2018 – Found the issue.
18/11/2018 – Vendor notified.
27/11/2018 – Patch available for 11.0 (Hotfix 11.0.45)