Kentico 7 security issues

Digital Team asked on May 31, 2016 13:41


We have a website with Kentico 7 (latest patch) and this weekend the site suffered a form flood because the form had no captcha to stop malicious robots from spamming us. The data written in the form was just random data, so I thought it was just an attempt at a DDoS. I added captcha verification to stop the attack and cleared the junk data from the forms by running a SQL query.

But there is something that concerns me: I realized that every X rows, a field contained variations of the following text: '..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/windows\/win.ini', like trying different relative paths to the /windows/win.ini file.

The New Relic supervisor also gave me an error report, making me think that there may be a security hole in the Kentico forms that could harm our system. The error is the following:

System.IO.FileLoadException: Could not load file or assembly '..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/windows\/win.ini' or one of its dependencies. The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)

Stack trace:
at System.Reflection.AssemblyName.nInit(RuntimeAssembly& assembly, Boolean forIntrospection, Boolean raiseResolveEvent)
at System.Reflection.RuntimeAssembly.CreateAssemblyName(String assemblyString, Boolean forIntrospection, RuntimeAssembly& assemblyFromResolveEvent)
at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean forIntrospection)
at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
at System.Reflection.Assembly.Load(String assemblyString)
at AjaxControlToolkit.ToolkitScriptManager.ScriptEntry.LoadAssembly()
at AjaxControlToolkit.ToolkitScriptManager.DeserializeScriptEntries(String serializedScriptEntries, Boolean loaded)
at AjaxControlToolkit.ToolkitScriptManager.OutputCombinedScriptFile(HttpContext context)
at CMS.ExtendedControls.ControlsHelper.ToolkitCombinedScriptHandler(HttpContext context)
at CMS.UIControls.PortalPage..ctor()
at __ASP.FastObjectFactory_app_web_portaltemplate_aspx_67ab7734_qqxj3jh5.Create_ASP_cmspages_portaltemplate_aspx()
at System.Web.Compilation.BuildManager.CreateInstanceFromVirtualPath(VirtualPath virtualPath, Type requiredBaseType, HttpContext context, Boolean allowCrossApp)
at System.Web.UI.PageHandlerFactory.GetHandlerHelper(HttpContext context, String requestType, VirtualPath virtualPath, String physicalPath)
at System.Web.HttpApplication.MaterializeHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Is there any known security hole we have to be aware of? Is our system secure or do we need to take any further actions?

Thanks in advance.
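The strings in the question are a path-traversal probe, and the stack trace shows the same kind of string reaching Assembly.Load through the ToolkitScriptManager combined-script handler rather than only sitting in form rows. As an added example (not code from the question or from Kentico), the scanner below, run over constructed sample rows that mimic the submissions described, flags the traversal variants so such rows can be found and reported before junk data is purged; the row layout, field name and target list are assumptions.

```python
from urllib.parse import unquote

# Constructed sample rows modelled on the submissions described in the
# question; these are not real records from the affected site.
SAMPLE_ROWS = [
    {"id": 1, "message": "Hello, I would like a quote for 20 units."},
    {"id": 2, "message": r"..\/..\/..\/..\/windows\/win.ini"},
    {"id": 3, "message": "..%2F..%2F..%2Fwindows%2Fwin.ini"},
    {"id": 4, "message": "qwlkjrqwe 92834 asdkljqw"},
    {"id": 5, "message": "..%252F..%252Fwindows%252Fwin.ini"},
    {"id": 6, "message": "see c:\\windows\\win.ini for my settings"},
]

# The question only shows win.ini as the probed file, so that is the single
# default target (an assumption; extend it for your own environment).
DEFAULT_TARGETS = ("/win.ini",)


def normalize(value: str) -> str:
    """Reduce the encodings seen in the captured strings to one form:
    JSON-style '\\/' escapes, URL encoding (decoded twice so that
    double-encoded input is also caught) and backslash separators."""
    v = value.replace("\\/", "/")
    for _ in range(2):
        v = unquote(v)
    return v.replace("\\", "/").lower()


def classify(value: str, targets=DEFAULT_TARGETS):
    """Return a short reason if the value looks like a traversal probe,
    otherwise None. '../' anywhere is the strongest signal; a bare
    reference to a target file is weaker but still worth a look."""
    v = normalize(value)
    if "../" in v:
        return "path-traversal"
    if any(t in v for t in targets):
        return "sensitive-target"
    return None


def scan_rows(rows, field="message"):
    """Return [(row id, reason)] for every row whose field is suspicious."""
    findings = []
    for row in rows:
        reason = classify(row.get(field, ""))
        if reason:
            findings.append((row["id"], reason))
    return findings


if __name__ == "__main__":
    for row_id, reason in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id}: {reason}")
```

Rows that only mention the file get the weaker "sensitive-target" reason, so they can be reviewed separately from the clear traversal payloads.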

Recent Answers

Joshua Adams answered on May 31, 2016 16:14

I'm not sure if they are still providing support for 7, but it may be worth upgrading to at least 8, and also including a captcha on the forms. Seems like it can be avoided fairly easily, and since they are up to version 9 now, it may make sense to just upgrade. I agree that this seems like an issue, but the quickest and easiest way to avoid it in the future is upgrading, unless others can chime in with the same issue and their fixes.


Brenden Kehren answered on June 1, 2016 01:02

I'd agree with Josh. An upgrade is the best solution if you're that concerned with security. If you can't upgrade for whatever your excuse is, you might contact Kentico to see what they suggest.
