Home page logo
/

bugtraq logo Bugtraq mailing list archives

[SOJOBO-ADV-13-02] - MODx 2.2.10 Reflected Cross Site Scripting
From: advisories () enkomio com
Date: Tue, 22 Oct 2013 17:15:33 GMT

[SOJOBO-ADV-13-02] - MODx 2.2.10 Reflected Cross Site Scripting

I. * Information *
==================
Name : MODx 2.2.10 Reflected Cross Site Scripting
Software : MODx 2.2.10 and possibly below.
Vendor Homepage : http://modx.com/
Vulnerability Type : Reflected Cross-Site Scripting
Severity : Low (2/5)
Advisory Reference : SOJOBO-ADV-13-02 (http://www.enkomio.com/Advisories)
Credits: Sojobo dev team
Description: A Reflected Cross Site Scripting vulnerability was discovered during the testing of Sojobo, Static 
Analysis Tool.

II. * Details *
===============
A) Reflected Cross Site Scripting in findcore.php [Impact: 2/5]

In order to exploit this vulnerability the setup folder mustn't be deleted by the administrator during the installation 
process.
This precondition limit the impact of the vulnerability.

Follow a trace to reach the vulnerable code.

File: \setup\templates\findcore.php
80: <form id="corefinder" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">

The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be manipulated in order to insert valid HTML 
code.

A test request is: /setup/templates/findcore.php/"><script>alert('XSS');</script>

B) Reflected Cross Site Scripting in xpdo.class.php [Impact: 1/5]

The log functionality of the xpdo class contains a Reflected Cross site scripting via the $_SERVER['PHP_SELF'] 
entrypoint. 
In order to exploit this vulnerability an error must occur during the classManager loading. This precondition limit the 
impact 
of the vulnerability.

Follow a trace to reach the vulnerable code.

File: \core\model\schema\build.modx.php
23: $manager= $xpdo->getManager();

File: \core\xpdo\xpdo.class.php
1848: $this->log(xPDO::LOG_LEVEL_ERROR, "Could not load xPDOManager class.");
..
1995: $this->_log($level, $msg, $target, $def, $file, $line);
..
2020: $file= (isset ($_SERVER['PHP_SELF']) || $target == 'ECHO') ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME'];
..
2032: $file= " @ {$file}";
..
2039: echo '<h5>[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' . $this->_getLogLevel($level) . $def . $file . $line . 
')</h5><pre>' . $msg . '</pre>' . "\n";
..
2042: echo '[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' . $this->_getLogLevel($level) . $def . $file . $line . ') ' . 
$msg . "\n";

The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be manipulated in order to insert valid HTML 
code.

III. * Report Timeline *
========================

12 October 2013 - First contact (no timeline given)
14 October 2013 - Second contact (no timeline given)
21 October 2013 - Third contact (no response)
22 October 2013 - Advisory released

IV. * About Sojobo *
====================
Sojobo allows you to find security vulnerabilities in your PHP web application source code before others do.
By using the state of the art tecniques Sojobo is able to identify the most critical vulnerabilities in your code 
and limit the number of false positives.


  By Date           By Thread  

Current thread:
  • [SOJOBO-ADV-13-02] - MODx 2.2.10 Reflected Cross Site Scripting advisories (Oct 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]