Kentico Staging API publicly accessible
Description
Kentico CMS is an ASP.NET web content management system that includes a Staging API for synchronizing content and data between development, staging, and production environments.
This vulnerability occurs when the Staging API endpoint is publicly accessible without proper network-level restrictions. While the API requires authentication credentials, exposing it to the internet increases the attack surface and allows unauthorized parties to attempt credential-based attacks against a sensitive administrative interface.
Remediation
Restrict access to the Kentico Staging API to trusted networks only. Implement the following security controls:
1. Configure IP whitelisting - In your web server configuration (IIS), restrict access to the staging service endpoint (typically ~/CMSPages/Staging/SyncServer.asmx) to only known IP addresses of authorized staging servers.
2. Use network-level controls - Place the Staging API behind a firewall or VPN that only allows connections from authorized development and staging environments.
3. Implement strong authentication - Ensure staging credentials use strong, randomly generated passwords that are rotated regularly, and that each staging server uses its own credentials so a compromised one can be revoked without affecting the others.
4. Enable monitoring - Log all access attempts to the Staging API and configure alerts for failed authentication attempts.
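The monitoring control in step 4 can be implemented by auditing the IIS W3C access log for the staging endpoint. The following script is an added example, not part of the original advisory or of Kentico; it assumes the default endpoint path from step 1 and the two allowed addresses used in the web.config example, and it runs over a constructed log excerpt embedded inline:

```python
import ipaddress
from collections import Counter

# Default Kentico staging endpoint (compared case-insensitively, as IIS paths are)
STAGING_PATH = "/cmspages/staging/syncserver.asmx"
# Same allowlist as the web.config example; assumption for this script
ALLOWED = [ipaddress.ip_network(n) for n in ("192.168.1.100/32", "10.0.0.50/32")]

# Constructed IIS W3C log excerpt (the #Fields line drives the parser)
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2024-05-01 10:00:01 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 10.0.0.50 Mozilla/4.0 200 0
2024-05-01 10:00:07 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 203.0.113.9 python-requests/2.31 401 0
2024-05-01 10:00:08 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx - 443 - 203.0.113.9 python-requests/2.31 401 0
2024-05-01 10:00:09 10.0.0.5 GET /CMSPages/Staging/SyncServer.asmx - 443 - 203.0.113.9 python-requests/2.31 403 0
2024-05-01 10:00:12 10.0.0.5 GET /default.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 0
"""

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED)

def audit_staging_access(text):
    """Return (unexpected, failed): requests to the staging endpoint from
    non-allowlisted IPs, and 401 (auth failed) / 403 (rejected) responses per IP."""
    unexpected, failed = Counter(), Counter()
    for rec in parse_iis_log(text):
        if rec["cs-uri-stem"].lower() != STAGING_PATH:
            continue
        ip = rec["c-ip"]
        if not is_allowed(ip):
            unexpected[ip] += 1
        if rec["sc-status"] in ("401", "403"):
            failed[ip] += 1
    return unexpected, failed

def alerts(text, threshold=2):
    """Human-readable alert lines; threshold = failed attempts per IP that trigger one."""
    unexpected, failed = audit_staging_access(text)
    out = [f"staging endpoint reached from non-allowlisted IP {ip} ({n} requests)"
           for ip, n in unexpected.items()]
    out += [f"{n} failed attempts against staging endpoint from {ip}"
            for ip, n in failed.items() if n >= threshold]
    return out
```

Once the IIS restriction from step 1 is in place, every request from an address outside the allowlist should appear only as a 403, so the first kind of alert doubles as a check that the restriction is actually applied.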
Example IIS web.config restriction. The ipSecurity element requires the IIS "IP and Domain Restrictions" feature to be installed, and the section is locked at the server level by default, so it must first be unlocked (for example with appcmd unlock config /section:system.webServer/security/ipSecurity) before a site-level web.config can set it:

    <!-- Applies only to the staging service directory -->
    <location path="CMSPages/Staging">
      <system.webServer>
        <security>
          <!-- allowUnlisted="false": every address not listed below is denied -->
          <ipSecurity allowUnlisted="false">
            <add ipAddress="192.168.1.100" allowed="true" />
            <add ipAddress="10.0.0.50" allowed="true" />
          </ipSecurity>
        </security>
      </system.webServer>
    </location>