MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting

EDB-ID:

35159

CVE:

2014-8775 2014-8774 2014-8773

EDB Verified:

Author:

Narendra Bhati

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2014-11-05

Vulnerable App: 
Advisory ID: 92152
Product: MODX Revolution
Vendor: MODX
Vulnerable Version(s):  2.0.0–2.2.14
Tested Version: 2.2.14
Advisory Publication:  16 July, 2014  [without technical details]
Vendor Notification: 16 July, 2014 
Vendor Patch: 15 July, 2014 
Public Disclosure: 2 November , 2014 
Vulnerability Type: CSRF Tokens Bypass + Reflected Cross Site Scripting + Stored XSS
CVE Reference: Requested
Risk Level: Critical
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
Patch - Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions

Reported By  - Narendra Bhati ( R00t Sh3ll)
Security Analyst  @ Suma Soft Pvt. Ltd. , Pune ( India )IT Risk & Security Management Services , Pune ( India)
Facebook - https://facebook.com/narendradewsoft
twitter - https://www.twitter.com/NarendraBhatiNB
Blog - http://hacktivity.websecgeeks.com
Email - bhati.contact@gmail.com

-----------------------------------------------------------------------------------------------

Advisory Details:

Narendra Bhati discovered vulnerability in MODX Revolution, which can be exploited to perform Cross-Site Scripting (XSS) attacks & Along With Bypassing CSRF Tokens Protection ,Its allow an attacker to perform A CSRF Attack alosing With XSS to take over victim account by changin promary email address , Sending forged request Etc , Tricking an admin to attack on their own users by sending specially crafter malicous payload as CSRF Attack


1) Cross Site Request Forgery Protection (CSRF) Tokens Bypassing in Modx Revolution

The vulnerability exists due to insufficient validation of csrftokens ["HTTP_MODHAUTH] at server side which allow an attacker to Perform CSRF Attack by bypassing CSRF Protection Mechanism To take over victim account , Trick him to send malicious request Etc. 


------------------------------------------------------------------------------------
2) Reflected Cross-Site Scripting (XSS) in MODX Revolution

The vulnerability exists due to insufficient sanitization of input data passed via the "context_key" HTTP GET parameter to "http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key=" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
This vulnerability can be used against website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.

The exploitation example below uses the ""></script><img src=x onerror=prompt(/XSS/)>" JavaScript function to display "/XSS/" word:

Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key="></script><img src=x onerror=prompt(/XSS/)>

Vulnerable Parameter - "context_key"

XSS Payload - "></script><img src=x onerror=prompt(/XSS/)>

"></script><img src=x onerror=prompt(document.cookie)>

-----------------------------------------------------------------------------------------------

3) Stored Cross-Site Scripting (XSS) in MODX Revolution

The vulnerability exists due to insufficient sanitization of input data passed via the "context" HTTP POST parameter to " http://127.0.0.1/day/modx/manager/index.php?id=1" URL. A local attacker [Authenticated User] can  execute arbitrary HTML and script code in browser in context of the vulnerable website.
This vulnerability can be used against website visitors to perform phishing attacks, steal potentially sensitive data and gain complete control over web application.

The exploitation example below uses the "<script>alert(1)</script>" JavaScript function to display "1" word:

Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?id=1

Vulnerable Parameter - "context"

XSS Payload - <script>alert(1)</script>

Note - This Stored XSS Was more critical because there was a CSRF protection vulnerability also , which allow an attacker to trick an administrator To Send Unwated Request for Stored XSS , which will directly attack to the Visitors ,


-----------------------------------------------------------------------------------------------
Solution:

Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions
More Information:
Public Advisory By Vendor :- http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior
Public Disclosure With Tecnical Details - http://hacktivity.websecgeeks.com/modx-csrf-and-xss/
-----------------------------------------------------------------------------------------------
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services