Hello,
We have a website with Kentico 7 (latest patch) and the site suffered a form flooding this weekend because the form had no captcha to avoid malicious robots spamming us. The data written in the form was just random data so I thought that it was just an attempt of DDoS. I added captcha verification to stop the attack and cleared the junk data from the forms running a SQL query.
But there is something that concerns me; I realized that every X rows, a field contained variations of following text: '..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/windows\/win.ini'
Like trying different relative paths to /windows/win.ini file.
New Relic supervisor also gave me an error report making me think that there may be a security hole in the Kentico forms that could harm our system, the error is the following:
System.IO.FileLoadException: Could not load file or assembly '..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/windows\/win.ini' or one of its dependencies. The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047)
Stack trace
at System.Reflection.AssemblyName.nInit(RuntimeAssembly& assembly, Boolean forIntrospection, Boolean raiseResolveEvent)
at System.Reflection.RuntimeAssembly.CreateAssemblyName(String assemblyString, Boolean forIntrospection, RuntimeAssembly& assemblyFromResolveEvent)
at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, IntPtr pPrivHostBinder, Boolean forIntrospection)
at System.Reflection.RuntimeAssembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection)
at System.Reflection.Assembly.Load(String assemblyString)
at AjaxControlToolkit.ToolkitScriptManager.ScriptEntry.LoadAssembly()
at AjaxControlToolkit.ToolkitScriptManager.DeserializeScriptEntries(String serializedScriptEntries, Boolean loaded)
at AjaxControlToolkit.ToolkitScriptManager.OutputCombinedScriptFile(HttpContext context)
at CMS.ExtendedControls.ControlsHelper.ToolkitCombinedScriptHandler(HttpContext context)
at CMS.UIControls.PortalPage..ctor()
at __ASP.FastObjectFactory_app_web_portaltemplate_aspx_67ab7734_qqxj3jh5.Create_ASP_cmspages_portaltemplate_aspx()
at System.Web.Compilation.BuildManager.CreateInstanceFromVirtualPath(VirtualPath virtualPath, Type requiredBaseType, HttpContext context, Boolean allowCrossApp)
at System.Web.UI.PageHandlerFactory.GetHandlerHelper(HttpContext context, String requestType, VirtualPath virtualPath, String physicalPath)
at System.Web.HttpApplication.MaterializeHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Is there any known security hole we have to be aware of? Is our system secure or do we need to take any further actions?
Thanks in advance.
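As an added example (not from the original post, nor Kentico or AjaxControlToolkit code), a small Python check a defender could run over exported form rows or request logs to find the traversal-style values described above. It normalizes the `..\/` escaped form quoted in the post, plain Windows backslashes and URL-encoding before matching; the sample rows are constructed.

```python
import re
import urllib.parse

# Constructed sample form submissions. Row 2 mirrors the value quoted in the
# post ('..\/' repeated, ending in windows\/win.ini); rows 3 and 4 are the
# same target written with URL-encoding and with Windows backslashes.
SAMPLE_ROWS = [
    {"id": 1, "name": "qwpoeiru", "message": "asdf asdf"},
    {"id": 2, "name": "test", "message": "..\\/..\\/..\\/..\\/..\\/windows\\/win.ini"},
    {"id": 3, "name": "x", "message": "%2e%2e%2f%2e%2e%2fwindows%2fwin.ini"},
    {"id": 4, "name": "y", "message": "..\\..\\..\\windows\\win.ini"},
    {"id": 5, "name": "z", "message": "Please call me back tomorrow."},
]

# Two or more consecutive '../' segments after normalization.
TRAVERSAL = re.compile(r"(?:\.\./){2,}")


def normalize(value: str) -> str:
    """Undo the encodings commonly seen in submitted values so one regex matches."""
    s = value
    for _ in range(2):            # also catches double URL-encoding
        s = urllib.parse.unquote(s)
    s = s.replace("\\/", "/")     # JSON-style escaped slash, as in the post; must run first
    s = s.replace("\\", "/")      # remaining Windows separators
    return s


def traversal_depth(value: str) -> int:
    """Longest run of '../' segments in the normalized value, 0 if none."""
    best = 0
    for m in TRAVERSAL.finditer(normalize(value)):
        best = max(best, m.group(0).count("../"))
    return best


def flag_rows(rows):
    """Return (row id, field, depth, target path) for every suspicious string field."""
    hits = []
    for row in rows:
        for field, value in row.items():
            if not isinstance(value, str):
                continue
            depth = traversal_depth(value)
            if depth:
                target = normalize(value).rsplit("../", 1)[-1]
                hits.append((row["id"], field, depth, target))
    return hits


if __name__ == "__main__":
    for hit in flag_rows(SAMPLE_ROWS):
        print("row %d field %s: %d levels up -> %s" % hit)
```

Matching rows are candidates for deletion and for correlating with the web server logs by timestamp and source address.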