Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Kentico Xperience Authentication Bypass Vulnerability in Staging Sync Server

Vulnerability

An authentication bypass vulnerability has been identified in Kentico Xperience versions through 13.0.172. The issue arises from the way the Staging Sync Server handles an empty SHA1 username in its digest (hashed password) authentication, which can be exploited to gain unauthorized access to administrative objects. Exploitation requires the Staging Service to be enabled and configured to use username/password authentication.

Impact

Exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication on the Staging Sync Server API and obtain administrative access, potentially leading to unauthorized control over administrative objects.

Reproduction

The vulnerability can be reproduced by sending a SOAP request to the Staging Sync Server endpoint whose authentication header carries a username that does not exist on the target. Rather than rejecting the request, the server resolves the password for that unknown username to an empty string. The request is then sent using the 'PasswordDigest' option with a digest computed over the empty password (a SHA1 hash of an empty string), which matches the server-side value and bypasses authentication.

Remediation

Upgrade to Kentico Xperience version 13.0.178 or later, where this vulnerability has been patched. Until the upgrade is applied, disabling the Staging Service, or restricting network access to the Staging Sync Server endpoint, removes the exposed authentication path.

Added: Jun 9, 2025, 7:46 PM
Updated: Oct 20, 2025, 2:38 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          5.0
exploitability  8.5
remediation     8.3
relevance       0.0
threat          9.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.