Message-ID: <55D2F885.10500@curesec.com>
Date: Tue, 18 Aug 2015 11:19:01 +0200
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] ModX Revolution 2.3.5 - Reflected XSS
ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: ModX Revolution 2.3.5-pl
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: hello@...x.com
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
Reported to vendor: 07/14/2015
Disclosed to public: 08/17/2015
Release mode: Full disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH
2. Vulnerability Description
ModX Revolution 2.3.5-pl is vulnerable to reflected cross-site scripting,
which allows an attacker to inject and execute arbitrary JavaScript in the
victim's browser. This can for example be used to inject a JavaScript
keylogger, bypass CSRF protection, or perform phishing attacks.
Exploitation requires the victim to click a link or visit an
attacker-controlled website.
3. Proof of Concept
The injection takes place in the file GET parameter of the manager's file
edit page, which is echoed unescaped inside a script tag.
http://localhost/modx-2.3.5-pl/manager/?a=system/file/edit&file=xsstest",record: {"name":"","basename":"","path":"","size":false,"last_accessed":"Jan 01, 1970 01:00:00 AM","last_modified":"Jan 01, 1970 01:00:00 AM","content":false,"image":false,"is_writable":false,"is_readable":false,"source":1},canSave: 0});});alert(1); </script>&wctx=mgr&source=1
4. Code
manager/controllers/default/system/file/edit.class.php:28

    public function loadCustomCssJs() {
        $this->addJavascript($this->modx->getOption('manager_url').'assets/modext/sections/system/file/edit.js');
        $this->addHtml('<script type="text/javascript">Ext.onReady(function() {
            MODx.load({
                xtype: "modx-page-file-edit"
                // $this->filename comes from the file GET parameter and is
                // concatenated into the string literal without encoding
                ,file: "'.$this->filename.'"
                ,record: '.$this->modx->toJSON($this->fileRecord).'
                ,canSave: '.($this->canSave ? 1 : 0).'
            });
        });</script>');
    }
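The following PHP is an added example written for this page; it is not MODX code and not part of the original advisory. It reduces the inline-script construction above to one function, shows it in the vulnerable form the advisory describes, and beside it a hardened form that emits every dynamic value through json_encode with the JSON_HEX_* flags, so a quote or an angle bracket in the file name can no longer close the string literal or the script element. The function names, the sample record and the probe string are assumptions made for the demo.

```php
<?php
// Added example, not MODX code. Function names and sample data are assumptions.
declare(strict_types=1);

// Vulnerable variant: mirrors the pattern in edit.class.php. $filename is
// concatenated into a JavaScript string literal without encoding, so a
// double quote in the GET parameter ends the literal and the remainder of
// the value is parsed as script.
function renderEditScriptVulnerable(string $filename, array $record, bool $canSave): string
{
    return '<script type="text/javascript">Ext.onReady(function() {'
        . 'MODx.load({ xtype: "modx-page-file-edit"'
        . ',file: "' . $filename . '"'
        . ',record: ' . json_encode($record)
        . ',canSave: ' . ($canSave ? 1 : 0)
        . ' }); });</script>';
}

// Hardened variant: every dynamic value goes through json_encode with the
// HEX flags, which turn < > " ' & into \uXXXX escapes. The value then can
// neither terminate the string literal nor inject a closing </script> tag.
const JS_EMBED_FLAGS = JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS;

function jsValue($value): string
{
    $encoded = json_encode($value, JS_EMBED_FLAGS);
    if ($encoded === false) {
        // Invalid UTF-8 or unencodable data: fail closed rather than emit raw text.
        throw new RuntimeException('value cannot be embedded: ' . json_last_error_msg());
    }
    return $encoded;
}

function renderEditScriptHardened(string $filename, array $record, bool $canSave): string
{
    return '<script type="text/javascript">Ext.onReady(function() {'
        . 'MODx.load({ xtype: "modx-page-file-edit"'
        . ',file: ' . jsValue($filename)
        . ',record: ' . jsValue($record)
        . ',canSave: ' . ($canSave ? 1 : 0)
        . ' }); });</script>';
}

// Simple check usable in a unit test: the rendered HTML must contain exactly
// one closing script tag. A second one means user data reached the page as
// raw markup.
function scriptClosingTags(string $html): int
{
    return substr_count(strtolower($html), '</script>');
}

// Constructed sample data with the same shape as the advisory's PoC.
$record = ['name' => '', 'basename' => '', 'path' => '', 'size' => false, 'is_writable' => false];
$probe  = 'xsstest",record:{}});});alert(1); </script>&wctx=mgr';

$vuln = renderEditScriptVulnerable($probe, $record, false);
$safe = renderEditScriptHardened($probe, $record, false);

printf("vulnerable output: %d closing script tag(s)\n", scriptClosingTags($vuln)); // 2
printf("hardened output:   %d closing script tag(s)\n", scriptClosingTags($safe)); // 1
echo $safe, PHP_EOL;
```

The HEX flags matter even though json_encode already escapes the double quote with a backslash: the HTML parser finds the end of a script element before the JavaScript parser runs, so a literal `</script>` inside a JSON string would still terminate the element. Encoding `<` and `>` as `\u003C` and `\u003E` closes that gap, and the same jsValue helper can wrap canSave and any other value that is later added to the block.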
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
07/14/2015 Informed Vendor about Issue (no reply)
08/13/2015 Contacted Vendor again (no reply)
08/17/2015 Disclosed to public
7. Blog Reference:
http://blog.curesec.com/article/blog/ModX-Revolution-235-pl-Reflected-Cross-Site-Scripting-Vulnerability-43.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/