
MODx 2.2.10 Cross Site Scripting

Posted Oct 23, 2013
Authored by Sojobo Dev Team

MODx version 2.2.10 suffers from multiple reflective cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 7c57fe4cd97450b18471d0a901f38ba5ae88a8ad2b1ace28ba3b004660316352

[SOJOBO-ADV-13-02] - MODx 2.2.10 Reflected Cross Site Scripting

I. * Information *
==================
Name : MODx 2.2.10 Reflected Cross Site Scripting
Software : MODx 2.2.10 and possibly below.
Vendor Homepage : http://modx.com/
Vulnerability Type : Reflected Cross-Site Scripting
Severity : Low (2/5)
Advisory Reference : SOJOBO-ADV-13-02 (http://www.enkomio.com/Advisories)
Credits: Sojobo dev team
Description: A Reflected Cross Site Scripting vulnerability was discovered during the testing of Sojobo, a static analysis tool.

II. * Details *
===============
A) Reflected Cross Site Scripting in findcore.php [Impact: 2/5]

This vulnerability is exploitable only if the administrator did not delete the setup folder during the installation process.
This precondition limits the impact of the vulnerability.

The following trace leads to the vulnerable code.

File: \setup\templates\findcore.php
80: <form id="corefinder" action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post">

The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be manipulated in order to insert valid HTML code.

A test request is: /setup/templates/findcore.php/"><script>alert('XSS');</script>

B) Reflected Cross Site Scripting in xpdo.class.php [Impact: 1/5]

The log functionality of the xpdo class contains a reflected cross-site scripting vulnerability via the $_SERVER['PHP_SELF'] entry point.
To exploit this vulnerability, an error must occur during the classManager loading. This precondition limits the impact
of the vulnerability.

The following trace leads to the vulnerable code.

File: \core\model\schema\build.modx.php
23: $manager= $xpdo->getManager();

File: \core\xpdo\xpdo.class.php
1848: $this->log(xPDO::LOG_LEVEL_ERROR, "Could not load xPDOManager class.");
..
1995: $this->_log($level, $msg, $target, $def, $file, $line);
..
2020: $file= (isset ($_SERVER['PHP_SELF']) || $target == 'ECHO') ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME'];
..
2032: $file= " @ {$file}";
..
2039: echo '<h5>[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' . $this->_getLogLevel($level) . $def . $file . $line . ')</h5><pre>' . $msg . '</pre>' . "\n";
..
2042: echo '[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' . $this->_getLogLevel($level) . $def . $file . $line . ') ' . $msg . "\n";

The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be manipulated in order to insert valid HTML code.
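
The two output patterns from A and B with the reflected value HTML-encoded before it is written, as an added example that is not MODx code or part of the original advisory. The helper names `h`, `render_form_open` and `render_log_line` are hypothetical, and the `$server` array is constructed sample input that reuses the advisory's test request.

```php
<?php
// Added example, not MODx code: helper names are hypothetical.

// Encode a value for use in HTML text or inside a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pattern A (findcore.php): form action that was built from PHP_SELF.
// SCRIPT_NAME normally omits the trailing PATH_INFO that PHP_SELF carries,
// so it is the safer source; it is still encoded because it lands in an
// attribute value.
function render_form_open(array $server): string
{
    $action = $server['SCRIPT_NAME'] ?? '';
    return '<form id="corefinder" action="' . h($action) . '" method="post">';
}

// Pattern B (xpdo.class.php): log line echoed into an HTML page.
// Every dynamic part is encoded at the point of output.
function render_log_line(array $server, string $levelName, string $msg): string
{
    $file = $server['PHP_SELF'] ?? ($server['SCRIPT_FILENAME'] ?? '');
    return '<h5>(' . h($levelName) . ' @ ' . h($file) . ')</h5>'
         . '<pre>' . h($msg) . '</pre>' . "\n";
}

// Constructed sample input: the test request from section A as the server
// would expose it.
$server = [
    'PHP_SELF'    => '/setup/templates/findcore.php/"><script>alert(\'XSS\');</script>',
    'SCRIPT_NAME' => '/setup/templates/findcore.php',
];

// The form action contains only the script path.
echo render_form_open($server), "\n";

// The log line shows the request path as inert text: quotes and angle
// brackets are emitted as &quot;, &#039;, &lt; and &gt;.
echo render_log_line($server, 'ERROR', 'Could not load xPDOManager class.');
```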

III. * Report Timeline *
========================

12 October 2013 - First contact (no timeline given)
14 October 2013 - Second contact (no timeline given)
21 October 2013 - Third contact (no response)
22 October 2013 - Advisory released

IV. * About Sojobo *
====================
Sojobo allows you to find security vulnerabilities in your PHP web application source code before others do.
By using state-of-the-art techniques, Sojobo is able to identify the most critical vulnerabilities in your code
and limit the number of false positives.