Anastasios Stasinopoulos of the Obrela LABS team discovered a critical-risk vulnerability affecting Kentico CMS, a popular ASP.NET web content management system used to build websites, online stores and Web 2.0 community sites.
More specifically, Kentico CMS 5.5 R2 build 5.5.3996 was found vulnerable to SQL injection attacks on a specific parameter, allowing a potential attacker – without requiring authentication – to interact with the backend Microsoft SQL server database.
Successful exploitation of this vulnerability allows unauthorized access to, and modification or deletion of, the data stored in the backend database and, if specific conditions are met, can also be leveraged to completely compromise the underlying operating system that hosts Kentico.
Obrela LABS informed the software vendor prior to public disclosure of the vulnerability, which was afterwards registered with a CVE record: CVE-2021-27581.
According to the software vendor's response, it is advised to update Kentico CMS to the latest version, which is not vulnerable to this security flaw.
The vulnerability was exploited using the sqlmap tool:
* Sample URL: https://target.com/blog?tagname=test&groupid=1
* Vulnerable parameter: tagname
* Type: time-based blind SQL injection
* Sample payload: tagname=test'+(SELECT CHAR(118)+CHAR(103)+CHAR(85)+CHAR(89) WHERE 1718=1718 AND 6176=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7))+'&groupid=1
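A defender's view of the request shape listed above, as an added example that is not part of the original advisory: it scans web server log lines for the markers visible in the sample payload when they appear in the tagname parameter. The log field order, signature names, sample lines and the 5000 ms threshold are assumptions made for this sketch.

```python
import re
from urllib.parse import unquote

# '+' is a space in a raw query string and the T-SQL concat operator once
# %2B is decoded, so both are accepted as separators between tokens.
SEP = r"[\s+]*"
SIGNATURES = {  # hypothetical names, derived from the sample payload's shape
    "quote_breakout_subquery": re.compile(r"'" + SEP + r"\(" + SEP + r"select\b", re.I),
    "char_concat_chain": re.compile(r"(?:char\(\d+\)" + SEP + r"){3,}", re.I),
    "sysusers_cross_join": re.compile(r"(?:\bsysusers\b.*?){3,}", re.I | re.S),
}

# Constructed sample lines. Assumed field order (IIS W3C style):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken(ms)
SAMPLE_LOG = """\
2021-02-22 10:01:02 203.0.113.7 GET /blog tagname=test&groupid=1 200 84
2021-02-22 10:01:09 203.0.113.7 GET /blog tagname=rock%27n%27roll&groupid=1 200 91
2021-02-22 10:02:40 198.51.100.9 GET /blog tagname=test%27%2B%28SELECT+CHAR%28118%29%2BCHAR%28103%29%2BCHAR%2885%29+WHERE+1718%3D1718+AND+6176%3D%28SELECT+COUNT%28*%29+FROM+sysusers+AS+sys1%2Csysusers+AS+sys2%2Csysusers+AS+sys3%29%29%2B%27&groupid=1 200 9120
"""

def scan_line(line, param="tagname", slow_ms=5000):
    """Return a finding dict if `param` carries injection markers, else None."""
    fields = line.split()
    if len(fields) != 8:
        return None  # not a log record in the assumed format
    _, _, ip, _, stem, query, _, taken = fields
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() != param:
            continue
        value = unquote(raw)  # decodes %27, %2B, ... but keeps literal '+'
        hits = sorted(n for n, rx in SIGNATURES.items() if rx.search(value))
        if hits:
            # A long time-taken next to the markers fits time-based blind probing.
            slow = taken.isdigit() and int(taken) >= slow_ms
            return {"ip": ip, "uri": stem, "hits": hits, "slow": slow}
    return None

def scan_log(text):
    """Scan every line and keep only the findings."""
    return [f for f in map(scan_line, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The second sample line holds a value with apostrophes but no subquery, which the signatures leave alone.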
Discovery and public disclosure timeline
- 2021-02-22 – Discovery
- 2021-02-23 – Vendor Contact
- 2021-02-23 – Vendor Triaged Vulnerability
- 2021-02-23 – MITRE Assigned CVE