Dynamic injection or execution of code might vulnerable

Dong Bui asked on June 21, 2022 10:19

Hello Guys,

Our client using Kentico 13 and found some vulnerabilities here by SonarQube scan: • CVE-2017-9807 • CVE-2017-9802

On files: * • CMS/CMSAdminControls/ImageEditor/BaseImageEditor.js * • CMS/CMSAdminControls/SpellChecker/spell.js * • CMS/CMSScripts/CMSModules/AdminControls/MultiFileUploader.js * • CMS/CMSScripts/CMSModules/CMS.Builder/PageBuilder/Messaging.js * • CMS/CMSScripts/CMSModules/CMS/UITabs.js * • CMS/CMSScripts/DragAndDrop/dragiframe.js * • CMS/CMSScripts/mootools.js * • CMS/CMSScripts/tooltip/wz_tooltip.js

https://prnt.sc/diN-8pkX7bGz (screenshot)

Image Text

May be increase the risk of Injected Code. Such attacks can either run on the server or in the client (example: XSS attack) and have a huge impact on an application’s security.

Can I have some advice here for this issue ?

Thanks,

Correct Answer

Juraj Komlosi answered on June 21, 2022 23:08

Hi Dong,

let me explain you the SonarQube finding. SonarQube is a tool used for static code analysis. It looks for potential vulnerable patterns or any other patterns you create. If the code matches the pattern (regex), SonarQube creates an alert. All alerts must be reviewed manually because there is a huge likelihood of false positives.

Your finding - eval(originalScript); is a false positive because the argument of eval function does not contain user input. The script is built on our side without any user inputs.

Few other comments:

  1. The mentioned javascript file is used to cross-origin communication - postMessage API.
  2. Message receiver contains security check if message sender comes from trusted origin.
  3. Message event data contains only predefined constant - no user input.
  4. As it was mentioned the script used as a parameter of the eval() function does not contain user input.
  5. Since it is rendered on the client side, even if there was an untrusted input processed, it would be a client side injection, not a server side injection as Karolann wrote.

To sum it up - there is no vulnerability we are aware of. If you have more details, working PoC, please send us the email to security[at]kentico.com

Thank you.

1 votesVote for this answer Unmark Correct answer

Recent Answers

Dong Bui answered on June 22, 2022 10:41

Thank you Juraj, it make sense to me

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.