CVE-2018-19453: Malicious File Upload Vulnerability in Kentico CMS
An advisory for CVE-2018-19453, describing a vulnerability in Kentico CMS that allows malicious file uploads.
Vulnerability Details
- Affected Vendor: Kentico
- Affected Software: Kentico CMS
- Affected Version: Tested on Version 11.0
- Issue Type: Unrestricted Upload of File with Dangerous Type
- CVE Identifier: CVE-2018-19453
- Release Date: 8/Jan/2019
- Discovered by: Harold, Hivint
- Issue Status: Resolved (Hotfix 11.0.45)
Summary
Kentico CMS, widely used for web content management, was found vulnerable to an unrestricted file upload attack. This vulnerability could enable attackers to upload dangerous file types, potentially leading to Cross-Site Scripting (XSS) and Cross-Origin Resource Sharing (CORS) attacks.
Impact
An attacker is able to attach a file containing malicious JavaScript to the Kentico Forum and have this file stored in the application’s database. When application users request the attached file, the malicious JavaScript code will be executed within their browsers.
Proof of Concept
The exploitation process involves several steps:
- Create a malicious file:
  - Prepare a .jpg file embedded with JavaScript: <html> <script>alert(/xss/);</script> </html>
- Upload process:
  - Navigate to the Kentico Forum and start a new thread.
  - Fill in the thread details and attach the malicious .jpg file.
  - Intercept the HTTP traffic during the upload and modify the Content-Type header from image/jpeg to text/html.
- Execution:
  - Once uploaded, clicking on the attached file within the forum will trigger the JavaScript, demonstrating the vulnerability.
Solution and Mitigation
In response to this vulnerability, Kentico recommended an immediate workaround and then shipped a permanent fix:
- Temporary Workaround: Adjust the Forum module's settings to disallow file attachments by setting the "Attach files" permission to "Nobody."
- Permanent Fix: Kentico released Hotfix 11.0.45 to address this vulnerability by enforcing stricter validation of file uploads.
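What stricter upload validation looks like on the server side, as an added example that is not Kentico's hotfix code: the client-supplied Content-Type header is never trusted, the type is derived from the file's magic bytes and checked against the extension, and stored attachments are served with a server-chosen type, nosniff and a forced download. The allowed-type policy, function names and sample inputs are assumptions.

```python
import os
import re

# Magic-byte signatures of the image types the hypothetical forum allows (assumed policy).
ALLOWED_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTENSIONS = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                      ".png": "image/png", ".gif": "image/gif"}


def sniff_content_type(data: bytes):
    """Derive the type from the bytes themselves; None if no allowed signature matches."""
    for ctype, sigs in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return ctype
    return None


def validate_upload(filename, declared_content_type, data):
    """Return the content type to record for the attachment, or raise ValueError.
    The client's Content-Type header is attacker-controlled, so it is only echoed in
    the error message; the decision rests on the extension plus the magic bytes."""
    ext = os.path.splitext(filename)[1].lower()
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        raise ValueError(f"extension {ext!r} is not an allowed attachment type")
    detected = sniff_content_type(data)
    if detected != expected:
        raise ValueError(f"content is not {expected} (client declared {declared_content_type!r})")
    return detected


def download_headers(stored_content_type, filename):
    """Headers for serving a stored attachment: server-chosen type, no MIME sniffing,
    forced download, and a CSP that blocks script even if a browser rendered it."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": stored_content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs: a JPEG header and an HTML document renamed to .jpg.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
HTML_DISGUISED_AS_JPG = b"<html><body>not an image</body></html>"
```

With this check in place, the header rewrite described in the proof of concept has no effect: the HTML body fails the magic-byte test regardless of what Content-Type the client declares.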
Response Timeline
- 18/Nov/2018: Discovery and initial notification to Kentico.
- 27/Nov/2018: Release of Hotfix 11.0.45 to mitigate the vulnerability.