| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Oct 2013 17:15:33 GMT
From: advisories@...omio.com
To: bugtraq@...urityfocus.com
Subject: [SOJOBO-ADV-13-02] - MODx 2.2.10 Reflected Cross Site Scripting
[SOJOBO-ADV-13-02] - MODx 2.2.10 Reflected Cross Site Scripting
I. * Information *
==================
Name : MODx 2.2.10 Reflected Cross Site Scripting
Software : MODx 2.2.10 and possibly below.
Vendor Homepage : http://modx.com/
Vulnerability Type : Reflected Cross-Site Scripting
Severity : Low (2/5)
Advisory Reference : SOJOBO-ADV-13-02 (http://www.enkomio.com/Advisories)
Credits: Sojobo dev team
Description: A Reflected Cross Site Scripting vulnerability was discovered during the testing of Sojobo, Static Analysis Tool.
II. * Details *
===============
A) Reflected Cross Site Scripting in findcore.php [Impact: 2/5]
In order to exploit this vulnerability the setup folder mustn't be deleted by the administrator during the installation process.
This precondition limit the impact of the vulnerability.
Follow a trace to reach the vulnerable code.
File: \setup\templates\findcore.php
80: <form id="corefinder" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">
The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be manipulated in order to insert valid HTML code.
A test request is: /setup/templates/findcore.php/"><script>alert('XSS');</script>
B) Reflected Cross Site Scripting in xpdo.class.php [Impact: 1/5]
The log functionality of the xpdo class contains a Reflected Cross site scripting via the $_SERVER['PHP_SELF'] entrypoint.
In order to exploit this vulnerability an error must occur during the classManager loading. This precondition limit the impact
of the vulnerability.
Follow a trace to reach the vulnerable code.
File: \core\model\schema\build.modx.php
23: $manager= $xpdo->getManager();
File: \core\xpdo\xpdo.class.php
1848: $this->log(xPDO::LOG_LEVEL_ERROR, "Could not load xPDOManager class.");
..
1995: $this->_log($level, $msg, $target, $def, $file, $line);
..
2020: $file= (isset ($_SERVER['PHP_SELF']) || $target == 'ECHO') ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME'];
..
2032: $file= " @ {$file}";
..
2039: echo '<h5>[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' . $this->_getLogLevel($level) . $def . $file . $line . ')</h5><pre>' . $msg . '</pre>' . "\n";
..
2042: echo '[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' . $this->_getLogLevel($level) . $def . $file . $line . ') ' . $msg . "\n";
The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be manipulated in order to insert valid HTML code.
III. * Report Timeline *
========================
12 October 2013 - First contact (no timeline given)
14 October 2013 - Second contact (no timeline given)
21 October 2013 - Third contact (no response)
22 October 2013 - Advisory released
IV. * About Sojobo *
====================
Sojobo allows you to find security vulnerabilities in your PHP web application source code before others do.
By using the state of the art tecniques Sojobo is able to identify the most critical vulnerabilities in your code
and limit the number of false positives.
Powered by blists - more mailing lists