
MODx Revolution CMS 2.0.4-pl2 Remote XSS POST Injection Vulnerability

Medium
Advisory ID: ZSL-2010-4982
Release Date: 06 December 2010
Vendor:
Affected Version: 2.0.4-pl2 (public launch 2)
CVE: N/A
Tested On: Fedora 10 (Cambridge), Apache 2.2.14, PHP 5.2.10, MySQL 5.0.88
Summary

MODx Revolution is a powerful PHP Content Management Framework that plays nicely with custom code and helps you build sites faster and maintain them with ease. With Revolution you'll leverage the best things to come around since MVC and Active Record.

Description

MODx Revolution CMS is vulnerable to cross-site scripting (XSS): the "username" and "email" parameters submitted via POST to the login.php script of the manager login interface are not sanitized before being reflected back to the browser. An attacker can exploit this weakness to execute arbitrary HTML and script code in the browser session of a user who submits the crafted request, in the origin of the manager interface.

/var/html/www/manager/controllers/default/security/login.php:

25: /* handle login */
26: if (!empty($_POST['login'])) {
27:     $validated = true;
28:
29:     $user = $modx->getObject('modUser',array(
30:         'username' => $_POST['username'],
31:     ));
...
71: } else if (!empty($_POST['forgotlogin'])) {
72:     $c = $modx->newQuery('modUser');
73:     $c->select(array('modUser.*','Profile.email','Profile.fullname'));
74:     $c->innerJoin('modUserProfile','Profile');
75:     $c->where(array(
76:         'Profile.email' => $_POST['email'],
77:     ));
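The excerpt above shows where the "username" and "email" POST values enter login.php, but not the point at which they are echoed back into the page. The following is an added illustrative example, not MODx Revolution's own code: a minimal login form handler that re-displays those two fields, first as written (the bug class the advisory describes) and then hardened with output encoding. The form markup, the function names and the sample payload are constructed for this example; only the parameter names come from the advisory.

```php
<?php
// Added example, not code from MODx Revolution. It reproduces the bug class
// described in the advisory: a login form that re-displays the submitted
// "username" and "email" POST fields without HTML-encoding them.
// The form markup and function names below are hypothetical.

/** Vulnerable: raw POST values are interpolated straight into HTML attributes. */
function render_login_vulnerable(array $post)
{
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $email    = isset($post['email'])    ? (string) $post['email']    : '';
    return '<form method="post" action="login.php">'
         . '<input name="username" value="' . $username . '">'
         . '<input name="email" value="' . $email . '">'
         . '<input type="submit" name="login" value="Login">'
         . '</form>';
}

/** Encode an untrusted string for an HTML attribute or text context. */
function h($s)
{
    // ENT_QUOTES encodes both ' and " so the value cannot close the attribute;
    // the explicit charset avoids multibyte tricks that bypass encoding.
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

/** Hardened: every reflected value passes through h() before reaching HTML. */
function render_login_hardened(array $post)
{
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $email    = isset($post['email'])    ? (string) $post['email']    : '';
    return '<form method="post" action="login.php">'
         . '<input name="username" value="' . h($username) . '">'
         . '<input name="email" value="' . h($email) . '">'
         . '<input type="submit" name="login" value="Login">'
         . '</form>';
}

/** Check helper: true when the raw payload no longer appears verbatim in the output. */
function payload_neutralized($html, $payload)
{
    return strpos($html, $payload) === false;
}

// Constructed sample request: the username closes the value="" attribute and
// injects a script element; the email injects an event-handler attribute.
$xss_username = '"><script>alert(1)</script>';
$xss_email    = 'a@b.tld" onfocus="alert(2)" autofocus="';
$request = array('username' => $xss_username, 'email' => $xss_email, 'login' => '1');

$vulnerable = render_login_vulnerable($request);
$hardened   = render_login_hardened($request);

echo "vulnerable output:\n", $vulnerable, "\n\n";
echo "hardened output:\n", $hardened, "\n\n";

// Expected: the vulnerable page still contains the raw payloads, the hardened one does not.
echo 'username neutralized (vulnerable): ', var_export(payload_neutralized($vulnerable, $xss_username), true), "\n";
echo 'username neutralized (hardened):   ', var_export(payload_neutralized($hardened, $xss_username), true), "\n";
echo 'email neutralized (vulnerable):    ', var_export(payload_neutralized($vulnerable, $xss_email), true), "\n";
echo 'email neutralized (hardened):      ', var_export(payload_neutralized($hardened, $xss_email), true), "\n";
```

Run it from the command line with `php example.php`; the hardened output renders the payloads as `&quot;&gt;&lt;script&gt;...` inside the attribute instead of closing it. Because the injection point is a POST parameter, a crafted link alone is not enough to trigger it; the victim has to submit a request carrying the payload, for example from an attacker-controlled page that auto-submits a form to the manager login URL, which is why the payload runs in the manager's origin.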
Proof of Concept
Disclosure Timeline
05.12.2010  Vulnerability discovered.
05.12.2010  Initial contact with the vendor.
06.12.2010  Vendor responds asking for more details.
06.12.2010  Sent PoC files to the vendor.
06.12.2010  Vendor releases patch.
06.12.2010  Coordinated public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
06.12.2010  Initial release
07.12.2010  Added references [5], [6] and [7]
08.12.2010  Added reference [8]