SQL injection bug could allow an unauthenticated attacker to tamper with databases
UPDATED The developers of the Kentico CMS have patched a critical vulnerability that could be exploited to compromise backend databases.
The vulnerability was disclosed by Obrela Labs penetration tester Anastasios Stasinopoulos on March 8.
Kentico CMS is an ASP.NET content management system (CMS) for enterprise websites, e-commerce, and both intranet and extranet domains.
The CMS comes with features (PDF) including built-in modules, text editing, blogs, and polls, and is used on over 4,000 websites in 83 countries.
The vulnerability, tracked as CVE-2021-27581, was found in the 5.5 R2 5.5.3996 build of the CMS.
SQL injection flaw
The issue resides in the blog functionality module of Kentico CMS, which permits SQL injection attacks to occur via the tagname parameter, such as target.com/blog?tagname=injectable.
According to Obrela Labs, the CMS security flaw “allowed a potential attacker – without requiring authentication – to interact with the backend Microsoft SQL server database”.
Speaking to The Daily Swig, Stasinopoulos said that “it seems that the root cause is improper sanitization within portal engine components, which is typical for this type of security flaw”.
The researchers say that if successfully exploited, attackers could not only access data stored in a backend database, but could also tamper with or delete information outright.
In addition, as long as “specific parameters” are met, the vulnerability could lead to the “complete compromise of the underlying operating system that hosts Kentico”.
Stasinopoulos said that these conditions could include elevated privileges in a user account able to connect to the backend database, stacked queries being permissible on the vulnerable parameter, or the xp_cmdshell stored procedure being enabled, either by default or by an attacker.
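The root cause described above, user input spliced into the SQL text of a tag lookup, is easiest to see side by side with its fix. The following is an added illustration written for this article, not Kentico's code: Kentico runs on ASP.NET against Microsoft SQL Server, so Python's sqlite3 module and the `blog_posts` table, column names and sample rows are stand-ins constructed here. The vulnerable function builds the query by string formatting, so a tag value containing a quote changes the query's structure; the hardened function binds the value as a parameter, so the same input is treated as data and matches nothing.

```python
import sqlite3

# Constructed sample rows standing in for a blog's posts (not Kentico's schema).
SAMPLE_POSTS = [
    (1, "security", "Hardening web apps"),
    (2, "kentico", "Release notes"),
    (3, "security", "Patch Tuesday roundup"),
]


def _connect():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blog_posts (id INTEGER PRIMARY KEY, tag TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO blog_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def posts_by_tag_vulnerable(conn, tagname):
    """Vulnerable pattern: the tagname value is concatenated into the SQL text,
    so quote characters in the input are parsed as part of the query."""
    query = f"SELECT id, title FROM blog_posts WHERE tag = '{tagname}'"
    return conn.execute(query).fetchall()


def posts_by_tag_safe(conn, tagname):
    """Hardened pattern: the value is passed as a bound parameter. The driver
    never parses it as SQL, so it can only ever be compared against the column."""
    return conn.execute(
        "SELECT id, title FROM blog_posts WHERE tag = ?", (tagname,)
    ).fetchall()


def demo():
    """Run both lookups with a benign tag and with a constructed tautology input
    (the textbook boolean bypass) and return the four result sets."""
    conn = _connect()
    benign = "kentico"
    tautology = "' OR '1'='1"  # constructed test input, not from the advisory
    return {
        "vulnerable_benign": posts_by_tag_vulnerable(conn, benign),
        "vulnerable_tautology": posts_by_tag_vulnerable(conn, tautology),
        "safe_benign": posts_by_tag_safe(conn, benign),
        "safe_tautology": posts_by_tag_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the benign value both functions return only the one matching post. With the tautology input the vulnerable function returns every row, because the WHERE clause has become `tag = '' OR '1'='1'`, while the hardened function returns nothing, because the whole string is compared literally against the tag column. Parameter binding, rather than input "sanitization", is the fix that removes the class of bug the researchers describe.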
Obrela Labs disclosed the existence of the vulnerability privately to the CMS developer on February 23 – a day after discovery and prior to public disclosure.
A sample payload has been made available on GitHub.
It is advised that Kentico CMS users update their builds as quickly as possible to the latest 6.0 version which includes a security fix.
A spokesperson for Kentico told The Daily Swig that this vulnerability was already patched in 2011 in version 5.5R2.13. We have reached out to Stasinopoulos and will update the article when we hear back.