Hello all bros :) ;), leets and learners, hope you all are well and enjoying your bounties as well ;)
Today we will see how I found the MODX XSS and CSRF bypass (MODX CSRF + XSS = A Perfect Disaster) ;)
The attack scenario is inspired by the Symantec CSRF.
So, what is MODX?
MODX is the web content management system (CMS) that gives you complete control over your site and content, with the flexibility and scalability
Popularity of MODX
MODX ranks among the top 10 CMSs according to user reviews (check it out here).
Looks Cool :) ;)
========================================================================
Now let's come to the findings.
There were 3 vulnerabilities: 1. Reflected XSS, 2. Stored XSS, 3. CSRF :) ;) Oops, sorry, that is a CSRF bypass ;)
First I found a reflected XSS which was exploitable remotely, and admin session hijacking is also possible because the cookies are not set with the HttpOnly flag.
POC
POC Video
;)
That is ok :( but I was looking for something more interesting ;)
I played for some time here and there looking for something kickass ;), and I got a stored XSS ;) in its add post page, as you can see below.
But that is only self-exploitable :(, only an admin can perform this attack. Now what to do? I was feeling like, hey, bring me one more drink ;)
Technical Details For Reflected & Stored XSS
=====================================
1) Reflected Cross-Site Scripting (XSS) in MODX Revolution
The vulnerability exists due to insufficient sanitization of input data passed via the "context_key" HTTP GET parameter to the "http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key=" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
This vulnerability can be used against the website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over the web application.
The exploitation example below uses the payload "></script><img src=x onerror=prompt(/XSS/)> to call the JavaScript prompt() function and display the word "/XSS/":
Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key="></script><img src=x onerror=prompt(/XSS/)>
Vulnerable Parameter - "context_key"
XSS Payload - "></script><img src=x onerror=prompt(/XSS/)>
Alternative payload (reads the session cookie, possible because the cookies lack the HttpOnly flag) - "></script><img src=x onerror=prompt(document.cookie)>
-----------------------------------------------------------------------------------------------
2) Stored Cross-Site Scripting (XSS) in MODX Revolution
The vulnerability exists due to insufficient sanitization of input data passed via the "context" HTTP POST parameter to the "http://127.0.0.1/day/modx/manager/index.php?id=1" URL. A local attacker [authenticated user] can execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
This vulnerability can be used against website visitors to perform phishing attacks, steal potentially sensitive data and gain complete control over the web application.
The exploitation example below uses the payload <script>alert(1)</script> to call the JavaScript alert() function and display "1":
Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?id=1
Vulnerable Parameter - "context"
XSS Payload - <script>alert(1)</script>
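As an added illustration (not code from this write-up or from MODX), the Python below models the two injection contexts described in sections 1 and 2: a value reflected inside an inline script string, which the </script> break-out in the reflected payload abuses, and a stored value printed into the HTML body. The two render functions are hypothetical stand-ins for the manager pages; the assumption that context_key lands inside an inline script string is inferred from the payload shape, and the fixes are the standard per-context encodings.

```python
import html
import json

# Constructed sample inputs: the two payloads reported in the write-up.
REFLECTED_PAYLOAD = '"></script><img src=x onerror=prompt(/XSS/)>'
STORED_PAYLOAD = '<script>alert(1)</script>'


def js_string_literal(value: str) -> str:
    """Encode an untrusted value as a JavaScript string literal that is safe
    inside an inline <script> block. json.dumps escapes quotes and backslashes;
    escaping '/' additionally keeps a literal '</script>' out of the output,
    which is exactly the sequence the reflected payload relies on."""
    return json.dumps(value).replace("/", "\\/")


def render_inline_script(context_key: str, safe: bool) -> str:
    """Hypothetical manager page that hands context_key to client-side code."""
    if safe:
        literal = js_string_literal(context_key)
    else:
        literal = '"' + context_key + '"'  # raw interpolation (vulnerable)
    return "<script>var ctx = " + literal + ";</script>"


def render_html_body(context: str, safe: bool) -> str:
    """Hypothetical page that prints the stored "context" field as HTML text."""
    body = html.escape(context, quote=True) if safe else context
    return '<div class="context">' + body + "</div>"


def script_breakout(rendered: str) -> bool:
    """True if the page contains more </script> tags than the template wrote,
    i.e. the untrusted value closed the script block early."""
    return rendered.lower().count("</script>") > 1


def raw_script_tag(rendered: str) -> bool:
    """True if the stored payload survived as a live <script> element."""
    return "<script>alert(1)</script>" in rendered


if __name__ == "__main__":
    for safe in (False, True):
        print("inline script, safe=%s -> breakout=%s" % (
            safe, script_breakout(render_inline_script(REFLECTED_PAYLOAD, safe))))
        print("html body,     safe=%s -> live script=%s" % (
            safe, raw_script_tag(render_html_body(STORED_PAYLOAD, safe))))
```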
Note - This stored XSS was more critical because there was also a CSRF protection vulnerability, which allows an attacker to trick an administrator into sending an unwanted request that plants the stored XSS, which then directly attacks the visitors.
I was thinking there is only one way to exploit it!!! Yes, you are right, I am talking about, as expected ;), CSRF.
But CSRF protection was there :(. No problem, I found a way to bypass it, because where there is effort there is always hope :)
The CSRF token looks like "HTTP MODE AUTH=somethingvalueblaahblaaahhhhhhhuuhuhuhu". If we remove the CSRF token from the original request, the request still works fine. I verified that the check was in place by sending the CSRF token parameter with an invalid value: in the response I got a "csrf token check failed" error.
There I noticed another issue with the CSRF token: if you send the CSRF token parameter with any random value of 50 characters length, the request still works fine :). So there were 2 flaws affecting the CSRF token.
POC
After this my reaction was the same as the previous one ;)
Now I can say CSRF + XSS = Perfect Disaster.
By chaining these 2 vulnerabilities, an attacker can perform critical attacks like:
- An attacker can trick an admin into giving up his account (account takeover).
- An attacker can trick an admin into performing the stored XSS request, which then directly attacks visitors and can be used for an XSS shell, session hijacking of all users, DDoS, etc.
- An attacker can trick an admin into sending a forged request, making the admin look guilty.
There are many more attack scenarios which can occur due to these two issues.
Thats why we always say ;) CSRF + XSS = Perfect Disaster
Technical Details For CSRF Bypass Vulnerability
The vulnerability exists due to insufficient server-side validation of the CSRF token ["HTTP_MODHAUTH"], which allows an attacker to bypass the CSRF protection mechanism and perform a CSRF attack: taking over the victim's account, tricking him into sending malicious requests, etc.
The attacker only needs to remove the "HTTP_MODHAUTH" parameter value for the attack to succeed.
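Here is an added Python model (not MODX's code) of the two token-handling flaws reported above, an absent HTTP_MODHAUTH value being accepted and a random value of the right length being accepted, next to a correct check. The 50-character token length and the length-only comparison are assumptions chosen to reproduce the behaviour the write-up observed, not a description of the real MODX implementation.

```python
import hmac
import secrets

# Assumption: a 25-byte token rendered as 50 hex characters, matching the
# "50 character random value" observation in the write-up.
TOKEN_BYTES = 25


def issue_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session and return it."""
    session["csrf_token"] = secrets.token_hex(TOKEN_BYTES)
    return session["csrf_token"]


def check_csrf_as_reported(session: dict, request: dict) -> bool:
    """Model of the reported behaviour: a request without the token passes,
    a visibly wrong token fails, and any value of the expected length passes."""
    token = request.get("HTTP_MODHAUTH")
    if token is None:
        return True  # flaw 1: absent token silently skips the check
    expected = session.get("csrf_token", "")
    return len(token) == len(expected)  # flaw 2: only the length is compared


def check_csrf_fixed(session: dict, request: dict) -> bool:
    """Require the token and compare it in constant time to the session copy."""
    token = request.get("HTTP_MODHAUTH")
    expected = session.get("csrf_token")
    if not token or not expected:
        return False  # missing token or no token issued: reject
    return hmac.compare_digest(token, expected)


if __name__ == "__main__":
    session = {}
    real = issue_token(session)
    # Constructed requests: no token, a junk token, a random 50-char token, the real token.
    probes = {"absent": {}, "junk": {"HTTP_MODHAUTH": "bad"},
              "random50": {"HTTP_MODHAUTH": secrets.token_hex(TOKEN_BYTES)},
              "real": {"HTTP_MODHAUTH": real}}
    for name, req in probes.items():
        print("%-8s reported=%s fixed=%s" % (
            name, check_csrf_as_reported(session, req), check_csrf_fixed(session, req)))
```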
=====================================
Reporting Timeline
Affected Versions - MODX Revolution 2.0.0–2.2.14
Reporting Date - 10 July, 2014
Severity - Critical
Acknowledge Date - 11 July, 2014
Emergency Fix Release Date - 15 July, 2014
Modx Security Advisory Published - http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior
Affected Releases
All MODX Revolution releases prior to and including 2.2.14.
CVE ID - CVE-2014-8773 , CVE-2014-8774 , CVE-2014-8775
Solution
Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.
===============================================================
Comments and suggestions are always welcome :) Thanks
Great bro, loved it

Once again thanks Justin :) ;)

Good one...
By the way, can you help me?
I found a CSRF token in cookies (in Microsoft's site)...
I don't know how to exploit it.... any tutorial for this?
Thanks,

Will take a look at that, and get back to you :)

Remember: the CSRF token is generated in a cookie.

I got it, Paresh Parmar!

Will ping you on Facebook if I get something to share with you, ok :)

:) ty...
Thanks for this. It's nice to see how flaws are found and executed. I came here looking for how to prevent this type of attack with an upload form I'm making in MODX. Maybe someday you can write a tutorial on how to PREVENT this stuff :) but then again that may make my job too easy.

Hurrah! Finally I got a weblog from where I know how to genuinely take useful information regarding my study and knowledge.

Hi everyone, here every person is sharing this knowledge, so it's pleasant to read this blog, and I used to visit this weblog every day.

I am truly thankful to the owner of this web page who has shared this wonderful piece of writing at this place.

Thanks for such comments, glad to know that it helps you :)

Thanks

Will also post about fixing :)