No practical solution has been provided yet

Feb 6, 2015 15:00 GMT

Two vulnerabilities found in Ektron Content Management System permit a potential attacker to read any files stored on the server without going through the authentication process and to run code of their choice.

Ektron is a CMS platform used by more than 3,800 companies worldwide for the creation of custom enterprise-scale websites, as well as deploying and managing them. It is also suitable for creating site wireframes for global brand consistency.

Recently, Accel-KKR private equity firm acquired EPIServer and Ektron, announcing the merger of the two systems “to create the most complete digital experience platform in the cloud,” which would turn it into a worthy competitor for similar cloud-based solutions provided by Adobe and Sitecore.

XML parsing issue

One of the security flaws, tracked as CVE-2015-0931, is a resource injection issue resulting from improper handling of resource identifiers when a poorly configured XML parser is used.

By default, Ektron relies on the Microsoft XML parser for XSLT documents, and that configuration is not vulnerable, says an advisory from the CERT (Community Emergency Response Team) at Carnegie Mellon University.

However, if an attacker specifies a different parser, such as Saxon XSLT, a malicious document could be submitted to execute arbitrary code with the privileges assigned to the application.

The second glitch (CVE-2015-0923) is present in the “/Workarea/ServerControlWS.asmx” web service. When the “ContentBlockEx” method is called with the “xslt” parameter, an unauthenticated individual may be able to read arbitrary information.

By exploiting this flaw, a threat actor could run a reconnaissance operation on a target in order to find ways to penetrate the company network at deeper levels.
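Because the advisory identifies a concrete endpoint, method and parameter, defenders can look for it in web server logs while no vendor fix is available. The following is an added example, not code from the article, CERT or Ektron: it reads IIS W3C extended log lines (the default field set includes cs-uri-stem, cs-uri-query and cs-username) and reports any request to /Workarea/ServerControlWS.asmx that arrived without an authenticated user, raising the severity when the request names the ContentBlockEx method or an xslt parameter. The log lines, IP addresses and user names are constructed for the example; the path and names of the method and parameter come from the article.

```python
"""Flag unauthenticated requests to the Ektron web service named in the advisory.

Added example. Parses IIS W3C extended log lines and reports requests to
/Workarea/ServerControlWS.asmx that carry no authenticated user name.
Requests that mention the ContentBlockEx method or an xslt parameter in
the path or query string are reported at high severity.
"""
from dataclasses import dataclass

# Constructed sample log; every IP, user name, timestamp and agent is made up.
# IIS logs "-" in cs-username for anonymous requests and for an empty query.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-02-06 14:58:01 10.0.0.5 GET /Workarea/login.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2015-02-06 14:58:05 10.0.0.5 GET /Workarea/ServerControlWS.asmx WSDL 443 - 203.0.113.10 curl/7.40 200
2015-02-06 14:58:07 10.0.0.5 POST /Workarea/ServerControlWS.asmx op=ContentBlockEx 443 - 203.0.113.10 python-requests/2.5 200
2015-02-06 14:58:09 10.0.0.5 GET /workarea/servercontrolws.asmx/ContentBlockEx xslt=sample.xslt 443 - 203.0.113.10 curl/7.40 200
2015-02-06 14:59:30 10.0.0.5 POST /Workarea/ServerControlWS.asmx op=ContentBlockEx 443 CORP\\editor 10.0.1.20 Mozilla/5.0 200
2015-02-06 15:00:02 10.0.0.5 GET /index.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""

SERVICE_PATH = "/workarea/servercontrolws.asmx"   # from the advisory, compared case-insensitively
HIGH_RISK_TOKENS = ("contentblockex", "xslt")      # method and parameter named in the advisory


@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    severity: str


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or rows before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than guess at column alignment
        yield dict(zip(fields, values))


def classify(row):
    """Return a Finding for an unauthenticated hit on the service, else None."""
    stem = row["cs-uri-stem"].lower()
    if not stem.startswith(SERVICE_PATH):
        return None
    if row["cs-username"] != "-":
        return None  # authenticated editors are expected to use the service
    query = row["cs-uri-query"]
    haystack = stem + "?" + query.lower()   # ASMX GET calls put the method in the path
    severity = "high" if any(t in haystack for t in HIGH_RISK_TOKENS) else "medium"
    uri = row["cs-uri-stem"] + ("?" + query if query != "-" else "")
    return Finding(row["time"], row["c-ip"], row["cs-method"], uri, severity)


def scan(text):
    """All findings in a log, in file order."""
    return [f for f in (classify(row) for row in parse_w3c(text)) if f is not None]


def by_client(findings):
    """Count findings per client address, to spot a single source probing the service."""
    counts = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.time} {f.client_ip:>15} {f.severity:<6} {f.method} {f.uri}")
    print("hits per client:", by_client(results))
```

The rule deliberately ignores authenticated requests, since content editors legitimately call this service; the signal the advisory describes is anonymous access. Tune `cs-username` handling to your environment if anonymous access to the Workarea is blocked at the network edge, in which case any hit at all is worth a look.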

Risk mitigation steps have not been provided

Both security issues affect versions 8.5, 8.7, and 9.1 of the CMS and could be exploited remotely; CERT says that at the moment it is not aware of a practical solution that could mitigate the risks.

Both were discovered by Matthias Kaiser, the head of the vulnerability research department at Code White GmbH in Germany.

In January, Kaiser found a remotely exploitable security problem in iPass Open Mobile Windows Client.

iPass offers Internet connection services (including in-flight connectivity) across the globe through a network of WiFi hotspots.