CVE-2018-19453: Malicious File Upload Vulnerability in Kentico CMS

An advisory for CVE-2018-19453, describing an unrestricted file upload vulnerability in the Kentico CMS Forum module that lets an attacker store an HTML document as an "image" attachment and have it rendered as HTML by other users' browsers.

  • Affected Vendor: Kentico
  • Affected Software: Kentico CMS
  • Affected Version: Tested on Version 11.0
  • Issue Type: Unrestricted Upload of File with Dangerous Type
  • CVE Identifier: CVE-2018-19453
  • Release Date: 8/Jan/2019
  • Discovered by: Harold, Hivint
  • Issue Status: Resolved (Hotfix 11.0.45)

Kentico CMS, widely used for web content management, was found vulnerable to an unrestricted file upload attack. Forum attachments were stored and served with the Content-Type supplied by the uploading client rather than one derived from the file's actual contents, so an attacker could upload a file of a dangerous type (an HTML document named as a .jpg) and have it served as text/html from the application's own origin. The advisory describes the impact as Cross-Site Scripting (XSS) and Cross-Origin Resource Sharing (CORS) attacks; in practice this is stored XSS, with the script executing in the context of the Kentico site.

An attacker is able to attach a file containing malicious JavaScript to a Kentico Forum thread and have that file stored in the application's database together with the client-supplied Content-Type. When other application users request the attachment, the browser treats the response as HTML and the malicious JavaScript executes in their browsers, within the application's origin.

The exploitation process involves several steps:

  1. Create a malicious file:

    • Prepare a file named with a .jpg extension whose contents are not an image at all but an HTML document carrying JavaScript:

      <html>
        <script>alert(/xss/);</script>
      </html>

  2. Upload it:

    • Navigate to the Kentico Forum and start a new thread.
    • Fill in the thread details and attach the malicious .jpg file.
    • Intercept the HTTP request during the upload (for example with an intercepting proxy) and change the Content-Type header of the multipart file part from image/jpeg, which the browser sets based on the extension, to text/html.

  3. Trigger execution:

    • Once the upload is accepted, clicking the attached file within the forum returns it with the stored text/html Content-Type, so the browser renders it and runs the JavaScript, demonstrating the vulnerability.

In response to this vulnerability, Kentico recommended an immediate security measure and then released a fix:

  • Temporary Workaround: Adjust the Forum module's settings to disallow file attachments by setting the "Attach files" permission to "Nobody."
  • Permanent Fix: Kentico released Hotfix 11.0.45 to address this vulnerability by enforcing stricter validation of file uploads.

Disclosure timeline:

  • 18/Nov/2018: Discovery and initial notification to Kentico.
  • 27/Nov/2018: Release of Hotfix 11.0.45 to mitigate the vulnerability.
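The following is an added example, not code from the advisory or from Kentico, that makes the upload steps and the fix concrete. It builds the multipart/form-data body a browser would send for the forum attachment, with the file part's Content-Type set to whatever the attacker chooses (the header an intercepting proxy would rewrite from image/jpeg to text/html), parses that body back out the way a server would, and then runs a server-side validator that never consults the client-declared type. The validator and the response headers are our illustration of "stricter validation"; the advisory does not say what Hotfix 11.0.45 actually checks. The form field name "attachment", the boundary string and the sample bytes are all constructed for the example.

```python
import os
import re

BOUNDARY = "----ExampleBoundary7d9a1f"

# Constructed inputs. MALICIOUS_JPG is the advisory's payload: an HTML document
# that has merely been renamed to .jpg. REAL_JPG is a minimal, constructed JPEG
# (SOI marker, JFIF APP0 segment, padding, EOI marker).
MALICIOUS_JPG = b"<html>\n  <script>alert(/xss/);</script>\n</html>\n"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 24 + b"\xff\xd9"


def build_multipart(fields, filename, content, part_content_type):
    """Build a multipart/form-data body as a browser would, except that the
    file part's Content-Type is whatever the caller supplies. A browser sends
    image/jpeg for a .jpg; the advisory's step is to rewrite that header to
    text/html in a proxy before the request reaches the forum."""
    lines = []
    for name, value in fields.items():
        lines += [
            f"--{BOUNDARY}".encode(),
            f'Content-Disposition: form-data; name="{name}"'.encode(),
            b"",
            value.encode(),
        ]
    lines += [
        f"--{BOUNDARY}".encode(),
        f'Content-Disposition: form-data; name="attachment"; filename="{filename}"'.encode(),
        f"Content-Type: {part_content_type}".encode(),
        b"",
        content,
        f"--{BOUNDARY}--".encode(),
        b"",
    ]
    return b"\r\n".join(lines)


def parse_file_part(body):
    """Minimal multipart parser: return (filename, declared type, bytes) of the
    first part that carries a filename, or None if there is no file part."""
    for part in body.split(f"--{BOUNDARY}".encode()):
        head, sep, data = part.partition(b"\r\n\r\n")
        if not sep or b'filename="' not in head:
            continue
        filename = re.search(rb'filename="([^"]*)"', head).group(1).decode()
        ctype = re.search(rb"Content-Type:\s*([^\r\n]+)", head)
        declared = ctype.group(1).decode() if ctype else "application/octet-stream"
        if data.endswith(b"\r\n"):  # CRLF that precedes the next boundary
            data = data[:-2]
        return filename, declared, data
    return None


# Allowlisted extensions and the leading bytes each must begin with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Tags a browser would act on if it ever rendered the bytes as a document.
MARKUP = re.compile(rb"<\s*(?:script|html|svg|body|iframe)\b", re.IGNORECASE)


def validate_upload(filename, declared_type, data):
    """Illustrative server-side check (not Kentico's code). The client-declared
    Content-Type is deliberately ignored: the extension must be allowlisted,
    the bytes must match that extension's signature, and the file must not
    contain markup that a browser could execute if it were mis-served."""
    del declared_type  # never a trust input
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if MARKUP.search(data):
        return False, "embedded markup"
    return True, "ok"


def download_headers(filename):
    """Headers for serving a stored attachment so that even a file that slips
    past validation is downloaded, not rendered, in the application's origin."""
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{os.path.basename(filename)}"',
    }


def demo():
    """Replay the advisory's upload and return the validator's verdict."""
    body = build_multipart({"subject": "hello"}, "evil.jpg", MALICIOUS_JPG, "text/html")
    return validate_upload(*parse_file_part(body))


if __name__ == "__main__":
    print(demo())
```

Two points the example is meant to surface. First, the spoofed request is byte-for-byte a legitimate browser upload apart from one header inside the multipart body, so the declared type must be treated as attacker-controlled and never stored or echoed back as the response Content-Type. Second, signature checks alone are bypassable with polyglots (a valid JPEG with HTML appended passes the magic-byte test), which is why the markup scan and, more importantly, the nosniff and attachment headers on the download path are the controls that actually stop the script from running in the site's origin.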