Ektron CMS XslCompiledTransform Class Request Parsing Remote Code Execution

critical Nessus Plugin ID 63245

Synopsis

The remote web server hosts a web application that is affected by a remote code execution vulnerability.

Description

The version of Ektron CMS hosted on the remote web server is affected by a remote code execution vulnerability. The vulnerability arises because the 'ekajaxtransform.aspx' script utilizes the .NET 'XslCompiledTransform' class with 'enablescript' set to true.

Nessus was able to execute this vulnerability via a specially crafted POST request to run arbitrary C# code on the remote host.

Note that the version of Ektron installed on the remote host likely has other vulnerabilities that Nessus has not tested for.

Solution

Upgrade to Ektron CMS version 8.02 Service Pack 5 or higher.

See Also

http://www.nessus.org/u?0cbc8f4d

http://www.nessus.org/u?14d036a5

http://www.nessus.org/u?97c6891b

Plugin Details

Severity: Critical

ID: 63245

File Name: ektron_cms400_transformxslt_code_exec.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 12/12/2012

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2012-5357

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ektron:cms4000.net

Required KB Items: www/ASP, www/cms400

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 10/26/2012

Vulnerability Publication Date: 10/25/2012

Exploitable With

Metasploit (Ektron 8.02 XSLT Transform Remote Code Execution)

Reference Information

CVE: CVE-2012-5357

BID: 56816

MSVR: MSVR12-016