[SOJOBO-ADV-13-02] - MODx 2.2.10 Reflected Cross Site Scripting
I. * Information *
==================
Name : MODx 2.2.10 Reflected Cross Site Scripting
Software : MODx 2.2.10 and possibly below.
Vendor Homepage : http://modx.com/
Vulnerability Type : Reflected Cross-Site Scripting
Severity : Low (2/5)
Advisory Reference : SOJOBO-ADV-13-02 (http://www.enkomio.com/Advisories)
Credits: Sojobo dev team
Description: A Reflected Cross Site Scripting vulnerability was discovered
during the testing of Sojobo, Static Analysis Tool.
II. * Details *
===============
A) Reflected Cross Site Scripting in findcore.php [Impact: 2/5]
In order to exploit this vulnerability the setup folder mustn't be deleted by
the administrator during the installation process.
This precondition limit the impact of the vulnerability.
Follow a trace to reach the vulnerable code.
File: \setup\templates\findcore.php
80: <form id="corefinder" action="<?php echo $_SERVER['PHP_SELF'] ?>"
method="post">
The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be
manipulated in order to insert valid HTML code.
A test request is:
/setup/templates/findcore.php/"><script>alert('XSS');</script>
B) Reflected Cross Site Scripting in xpdo.class.php [Impact: 1/5]
The log functionality of the xpdo class contains a Reflected Cross site
scripting via the $_SERVER['PHP_SELF'] entrypoint.
In order to exploit this vulnerability an error must occur during the
classManager loading. This precondition limit the impact
of the vulnerability.
Follow a trace to reach the vulnerable code.
File: \core\model\schema\build.modx.php
23: $manager= $xpdo->getManager();
File: \core\xpdo\xpdo.class.php
1848: $this->log(xPDO::LOG_LEVEL_ERROR, "Could not load xPDOManager class.");
..
1995: $this->_log($level, $msg, $target, $def, $file, $line);
..
2020: $file= (isset ($_SERVER['PHP_SELF']) || $target == 'ECHO') ?
$_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME'];
..
2032: $file= " @ {$file}";
..
2039: echo '<h5>[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' .
$this->_getLogLevel($level) . $def . $file . $line . ')</h5><pre>' . $msg .
'</pre>' . "\n";
..
2042: echo '[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' .
$this->_getLogLevel($level) . $def . $file . $line . ') ' . $msg . "\n";
The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be
manipulated in order to insert valid HTML code.
III. * Report Timeline *
========================
12 October 2013 - First contact (no timeline given)
14 October 2013 - Second contact (no timeline given)
21 October 2013 - Third contact (no response)
22 October 2013 - Advisory released
IV. * About Sojobo *
====================
Sojobo allows you to find security vulnerabilities in your PHP web application
source code before others do.
By using the state of the art tecniques Sojobo is able to identify the most
critical vulnerabilities in your code
and limit the number of false positives.
