Security Advisory: Persistent XSS via Avatar Upload in Kentico CMS (CVE-2021-43991)
Security Alerts / Posted September 17, 2021
The Kentico Xperience CMS version 13.0 – 13.0.43 is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS).
Persistent XSS vulnerabilities occur when the application stores and retrieves client-supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application, which is then retrieved and executed by other application users.
The attacker could exploit this to conduct a range of attacks against users of the affected application, such as session hijacking, account takeover and accessing sensitive data.
You can read more about XSS here:
For this example, the Dancing Goat sample application that ships with the Kentico Xperience platform trial is used. However, the vulnerability affects many real-world Kentico deployments, as observed by the AppCheck research team. A proof-of-concept example was provided to Kentico using one of their public-facing applications.
The vulnerability occurs due to the way avatar image files are stored and retrieved.
Registered users across a range of Kentico powered applications can upload image files to customise the avatar associated with their profile. The uploaded file extension is validated against a list of known good image file types before being accepted. The uploaded image file is then retrieved using a separate endpoint in order to be displayed within the application.
The following application behavior creates an exploitable condition:
a) It is possible to upload a file and set the file Content-Type (MIME type) to any value as long as it begins with “image/”. The supplied Content-Type value is stored and returned within the Content-Type header when the file is downloaded. Although the “svg” extension is not permitted, any permitted extension can be used along with a file Content-Type value of image/svg+xml in order to exploit this flaw.
b) When accessing the uploaded file directly using its rendering URL, the “Content-Type” and file content used in the upload are returned unchanged. Therefore, it is possible to present any image file type to the browser including SVG.
c) A “Content-Disposition” header is returned when rendering the image, however it is set to “inline” indicating it can be displayed inside the Web page, or as the Web page.
Recreating the vulnerability
Note: To recreate this issue, you will need an intercepting proxy such as Fiddler that is able to replay and modify the image upload (or an alternative method of manipulating the Content-Type value within the multipart boundary, as shown).
Step 1: Upload the XSS image payload
First create a file with a .jpg extension with the following content:
Authenticate to the target application and upload the file as your avatar image. Identify the upload request and resend it, this time changing the “Content-Type” within the body (not the HTTP headers) to “image/svg+xml”. The following request was used in our environment:
Step 2: Render the image to execute the payload
Once the image file is uploaded, identify the <img> src attribute URL being used to load and display the image to the user. In our lab environment the URL can be found in the following HTML element:
<div class="dropdown-desktop"> <img src="/Kentico13_1_DancingGoatMvc/getavatar/f5cf51ae-7206-4514-a191-e48bcec6fec1/avatar.jpg" class="dropdown-desktop-avatar" alt="avatar" />
Note that the file segment of the URL can be changed from avatar.jpg to any value. Accessing the URL will demonstrate the issue.
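The behaviours listed under a) to c) and the two recreation steps above, modelled as an added Python example (not Kentico's code): a store/serve pair that trusts the multipart Content-Type, beside a hardened pair that ignores it and derives the served type from the file extension and the body's magic bytes. All function names, sample uploads and signatures are constructed for illustration.

```python
# Constructed uploads shaped like the multipart part in the advisory:
# (filename, client-supplied Content-Type, raw bytes).
JPEG_UPLOAD = ("avatar.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
SVG_AS_JPG = ("avatar.jpg", "image/svg+xml",
              b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>')

# Extension -> the only Content-Type we will ever serve for it (constructed allow-list).
EXT_TYPE = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}

# Leading bytes of each raster format we accept; checked against the body, not the name.
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif")]

def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def vulnerable_store(filename, client_type, data):
    """Advisory behaviour (a): extension allow-list only; the client's Content-Type
    is kept as long as it begins with "image/" and is echoed back on download."""
    if extension_of(filename) not in EXT_TYPE or not client_type.startswith("image/"):
        return None
    return {"type": client_type, "data": data}

def vulnerable_serve(stored):
    """Advisory behaviour (b) and (c): stored type echoed, rendered inline."""
    return {"Content-Type": stored["type"], "Content-Disposition": "inline"}

def hardened_store(filename, client_type, data):
    """client_type is deliberately ignored: the served type comes from the
    extension map, and the body's magic bytes must agree with it."""
    expected = EXT_TYPE.get(extension_of(filename))
    detected = next((t for sig, t in MAGIC if data.startswith(sig)), None)
    if expected is None or detected != expected:
        return None
    return {"type": expected, "data": data}

def hardened_serve(stored):
    """Fixed type, MIME sniffing disabled, attachment disposition: direct navigation
    to the URL downloads instead of rendering, while <img> references still display."""
    return {"Content-Type": stored["type"],
            "Content-Disposition": 'attachment; filename="avatar"',
            "X-Content-Type-Options": "nosniff"}

def outcome(store, serve, upload):
    """Content-Type the browser would receive, or None if the upload was refused."""
    stored = store(*upload)
    return None if stored is None else serve(stored)["Content-Type"]
```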
Screenshot: Executing alert(document.cookie)
Screenshot: Proof-of-concept provided to Kentico.
AppCheck would like to thank Kentico Software for their speedy response and ease of working with them during this process.
Check out their latest hotfixes here: https://devnet.kentico.com/download/hotfixes
09/09/2021 – Email report sent to Kentico
13/09/2021 – Report acknowledged
17/09/2021 – Hotfix Released
21/09/2021 – AppCheck advisory published.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure.
As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please get in contact with us: firstname.lastname@example.org