Ektron CMS multiple vulnerabilities

Description

The web application is vulnerable to multiple security vulnerabilities, such as unauthenticated file upload and XML eXternal Entities (XXE) injection.

1. Unauthenticated File Upload:
The form /WorkArea/Upload.aspx does not require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image and specifying the ASPX extension it is possible to upload ASPX code to /uploadedimages/. The ASPX code is placed in the comment section of the JPEG so that it survives image resizing.

2. XXE Injection:
The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity attacks which can be used to scan behind perimeter firewalls or possibly include files from the local file system e.g.

Remediation

Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.

References