Ektron CMS multiple vulnerabilities - Vulnerability Database

Ektron CMS multiple vulnerabilities

Description

Ektron CMS contains two critical vulnerabilities that can be exploited without authentication. The first vulnerability allows attackers to upload arbitrary files through the /WorkArea/Upload.aspx endpoint, which lacks proper authentication controls. Attackers can embed malicious ASPX code within JPEG image comments to bypass file type restrictions and upload executable web shells to the /uploadedimages/ directory. The second vulnerability is an XML External Entity (XXE) injection flaw in the /WorkArea/Blogs/xmlrpc.aspx XML parser, which can be exploited to perform server-side request forgery (SSRF) attacks, scan internal network resources behind firewalls, or read sensitive files from the local file system.

Remediation

Take the following steps to remediate these vulnerabilities:

1. Upgrade Ektron CMS: Immediately upgrade to version 8.6 or later, which addresses both vulnerabilities.

2. Remove Vulnerable Endpoint: Delete the /WorkArea/Blogs/xmlrpc.aspx file from the server if it is not required for business operations.

3. Implement Authentication Controls: If upgrading is not immediately possible, restrict access to /WorkArea/Upload.aspx and /WorkArea/Blogs/xmlrpc.aspx by implementing authentication and authorization checks. Configure web server rules (IIS URL Rewrite or web.config) to block unauthenticated access to these endpoints.

4. Scan for Compromise: Review the /uploadedimages/ directory and the server logs for suspicious files uploaded before remediation. Look for ASPX files with unusual names or recent modification dates.

5. Apply Defense-in-Depth: Implement file upload restrictions including file type validation, content inspection, and storing uploaded files outside the web root with restricted execution permissions.
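As an added defender-side example (not part of this database entry or of Ektron's code), the following Python script implements the check in step 4: it walks an uploads directory such as /uploadedimages/, flags files with ASP.NET-executable extensions, and parses the COM (comment) segments of every JPEG to detect embedded ASPX code of the kind described above. The scanned path, the extension list and the minimal JPEG builder used for sample input are assumptions.

```python
import os
import re
import struct

# Openers of ASP.NET code blocks (<% ... %>) or server-side script tags; neither belongs in an image comment.
ASPX_MARKER = re.compile(rb"<%|<script[^>]*runat", re.I)
# Extensions IIS/ASP.NET will execute if a handler is mapped (assumed list; extend to local config).
EXEC_EXTS = {".aspx", ".ashx", ".asmx"}

def jpeg_comments(data: bytes):
    """Yield the payload of each COM (0xFFFE) segment that precedes the scan data of a JPEG."""
    if data[:2] != b"\xff\xd8":          # not a JPEG: nothing to parse
        return
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:             # lost marker sync; stop rather than guess
            return
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or SOS: header segments are over
            return
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        if marker == 0xFE:
            yield data[pos + 4:pos + 2 + length]
        pos += 2 + length

def suspicious(data: bytes) -> bool:
    """True if any JPEG comment segment contains an ASPX code block or server-side script tag."""
    return any(ASPX_MARKER.search(c) for c in jpeg_comments(data))

def scan_upload_dir(root: str):
    """Return (path, reason) findings for an uploads directory (assumed: /uploadedimages/)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in EXEC_EXTS:
                findings.append((path, "server-side script extension in upload directory"))
            elif ext in (".jpg", ".jpeg"):
                with open(path, "rb") as fh:
                    if suspicious(fh.read()):
                        findings.append((path, "ASPX code in JPEG comment segment"))
    return findings

def build_jpeg(comment: bytes) -> bytes:
    """Constructed sample: a minimal JPEG skeleton (SOI, one COM segment, EOI) around a comment."""
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment + b"\xff\xd9"
```

Run `scan_upload_dir` against a copy of the upload directory rather than the live web root, and treat every finding as a lead for the log review in step 4.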