Ektron CMS multiple vulnerabilities

Description
  • The web application has multiple security vulnerabilities, including unauthenticated file upload and XML External Entity (XXE) injection.

    1. Unauthenticated File Upload:
    The form /WorkArea/Upload.aspx does not require authentication to upload a file. By issuing a POST request with a webshell embedded in a JPEG image and specifying the ASPX extension, it is possible to upload ASPX code to /uploadedimages/. The ASPX code is placed in the comment section of the JPEG so that it survives image resizing.

    2. XXE Injection:
    The XML parser at /WorkArea/Blogs/xmlrpc.aspx is vulnerable to XML external entity attacks, which can be used to scan behind perimeter firewalls or possibly include files from the local file system e.g.
Remediation
  • Upgrade to version 8.6 and remove the /WorkArea/Blogs/xmlrpc.aspx file.
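
An audit check for the upload issue in item 1, added here as an example and not taken from Ektron or the original advisory: it walks the JPEG segment headers of a file found under /uploadedimages/ and reports comment (COM) segments that carry ASP.NET markup, along with non-image extensions. The function names, the marker list and the sample bytes are assumptions made for this example.

```python
import struct
# Assumed marker list for server-side ASP.NET code; extend for your stack.
ASPX_MARKERS = (b"<%", b"<script", b"runat=")
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field

def jpeg_comments(data: bytes):
    """Yield the payload of every COM (0xFFFE) segment ahead of the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"bad segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
        elif marker in STANDALONE:
            pos += 2
        elif marker in (0xD9, 0xDA):    # EOI or start of scan: headers are over
            return
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            if length < 2 or pos + 2 + length > len(data):
                raise ValueError("segment length out of bounds")
            if marker == 0xFE:
                yield data[pos + 4:pos + 2 + length]
            pos += 2 + length

def inspect_upload(filename: str, data: bytes) -> list:
    """Return reasons to reject an upload; an empty list means no finding."""
    findings = []
    if filename.lower().rsplit(".", 1)[-1] not in ("jpg", "jpeg"):
        findings.append("extension is not a JPEG type")
    try:
        for comment in jpeg_comments(data):
            if any(m in comment.lower() for m in ASPX_MARKERS):
                findings.append("ASP.NET markup in JPEG comment segment")
                break
    except ValueError as exc:
        findings.append(f"malformed JPEG: {exc}")
    return findings

def seg(marker: int, payload: bytes) -> bytes:
    # Build one length-prefixed JPEG segment for the constructed samples below.
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: header-only JPEG skeletons, one with a benign page directive.
HEAD = b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + b"\x00" * 9)
CLEAN = HEAD + seg(0xFE, b"created by camera") + b"\xff\xd9"
FLAGGED = HEAD + seg(0xFE, b'<%@ Page Language="C#" %>') + b"\xff\xd9"
```

A finding here is a reason to review the file, not proof of compromise; the check supplements the upgrade and does not replace it.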
References