Kentico CMS User Disclosure Vulnerability

A good friend of mine, @charliecampbell, discovered a Kentico CMS user disclosure vulnerability during a recent web application assessment. It turns out that the CMS's default configuration does not properly restrict access to sensitive directories. The vendor has been contacted and a patch has been promised. The vulnerability results in the disclosure of all user accounts on the CMS. All Kentico CMS users are encouraged to apply the patch once it is available and, in the meantime, to ensure that all sensitive directories are properly restricted.


The vulnerability is triggered by browsing directly to the following page: /CMSModules/Messaging/CMSPages/PublicMessageUserSelector.aspx
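One way to restrict the affected directory until the vendor patch lands is ASP.NET URL authorization in the site's web.config. The snippet below is an added hardening example, not Kentico's shipped configuration and not the promised patch; it assumes the site runs ASP.NET on IIS (integrated pipeline, Forms or Windows authentication enabled) so that `<authorization>` rules scoped by `<location>` are enforced for requests under that path.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added hardening example: not Kentico's default web.config and not the vendor patch.
     Assumption: ASP.NET on IIS with Forms or Windows authentication, so URL authorization
     applies to requests for pages under CMSModules/Messaging/CMSPages. -->
<configuration>
  <!-- Scope the rule to the directory that contains PublicMessageUserSelector.aspx
       instead of the single page, so sibling pages in the same folder are covered too. -->
  <location path="CMSModules/Messaging/CMSPages">
    <system.web>
      <authorization>
        <!-- "?" is the ASP.NET token for anonymous (unauthenticated) users.
             Rules are evaluated top to bottom and the first match wins, so the deny
             must come before the allow. Anonymous requests are refused (redirected to
             the login page under Forms authentication) instead of returning the page. -->
        <deny users="?" />
        <!-- "*" matches every authenticated user. To tighten further, replace this
             with a role-scoped rule such as <allow roles="PLACEHOLDER_ADMIN_ROLE" />
             (hypothetical role name; substitute the role that should reach this page). -->
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, verify the change from an unauthenticated browser session: a request to /CMSModules/Messaging/CMSPages/PublicMessageUserSelector.aspx should now produce a redirect to the login page (or a 401 under Windows authentication) rather than a 200 with user data. Note that this only removes anonymous access; if any authenticated account should not be able to enumerate users either, use the role-scoped `allow` rule rather than `users="*"`.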


@penetrat0r