MODx index.php id Variable Traversal Arbitrary File Access

2006-04-14T03:02:40
ID OSVDB:24698
Type osvdb
Reporter OSVDB
Modified 2006-04-14T03:02:40

Description

Vulnerability Description

MODx contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the index.php script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'id' variable. Additionally, this can be used to disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Short Description

MODx contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the index.php script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the 'id' variable. Additionally, this can be used to disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Manual Testing Notes

http://[target]/modx/index.php?id=1/../../../../../../../etc/passwd%00

References:

Vendor URL: http://modxcms.com/ Vendor Specific News/Changelog Entry: http://modxcms.com/forums/index.php/topic,3982.0.html Secunia Advisory ID:19645 Related OSVDB ID: 24697 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0276.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-04/0325.html FrSIRT Advisory: ADV-2006-1383 CVE-2006-1821 Bugtraq ID: 17533