Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28822
HistoryDec 10, 2012 - 12:00 a.m.

CSRF, AoF, DoS and IAA vulnerabilities in MODx

2012-12-1000:00:00
vulners.com
19
JSON

Hello 3APA3A!

I want to warn you about new security vulnerabilities in MODx. This is the second part of the vulnerabilities in this CMS (6 vulnerabilities to previous 19 vulnerabilities).

These are Cross-Site Request Forgery, Abuse of Functionality, Denial of Service and Insufficient Anti-automation vulnerabilities in MODx. It's about 0.x and 1.x (Evolution) versions of MODx CMS. In 2.x (Revolution) versions of MODx there are part of these holes and part of new holes - I've wrote separate advisory concerning it.

Affected products:

Vulnerable are MODx 1.0.6 and previous versions.

Details:

Cross-Site Request Forgery (WASC-09):

Lack of captcha in login form (http://site/manager/) can be used for different attacks - for CSRF-attack to login into account (remote login - to conduct attacks on vulnerabilities inside of account), for automated entering into account, for phishing and other automated attacks. Which you can read about in the article "Attacks on unprotected login forms" (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html). Bellow mentioned DoS attack is conducting via this CSRF vulnerability.

Abuse of Functionality (Login Enumeration) (WASC-42):

In login form (http://site/manager/) Login Enumeration is possible. If blocking isn't triggering after three requests (as can be set at the site), then there is no such login in the system, i.e. the blocking works only for working logins. The attack is possible, when blocking is turned on.

So by sending three (by default) POST requests per verifiable login, it'll possible to pick up working logins. To use for attacks on earlier mentioned Brute Force vulnerability.

Exploit:

<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/manager/processors/login.processor.php&quot; method="post">
<input type="hidden" name="ajax" value="1">
<input type="hidden" name="username" value="test">
<input type="hidden" name="password" value="test">
</form>
</body>

Abuse of Functionality (WASC-42):

After finding of login with above-mentioned vulnerability it's possible to abuse blocking of accounts. After three unsuccessful attempts (as can be set at the site) the account is blocking (including account of the administrator). By persistent sending of requests to this functionality (by three incorrect requests), it's possible to persistently put the account in blocked state (including account of the administrator).

Exploit:

<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/manager/processors/login.processor.php&quot; method="post">
<input type="hidden" name="ajax" value="1">
<input type="hidden" name="username" value="admin">
</form>
</body>

Denial of Service (WASC-10):

At sending of POST request to script http://site/manager/processors/login.processor.php, he returns to previous page, which again sends to this script. By this way it creates Looped DoS, which can overload the server.

About Looped DoS vulnerabilities I've wrote in 2008's articles Looped DoS and Classification of DoS vulnerabilities in web applications (http://websecurity.com.ua/2663/&#41; and in 2009's article Redirectors: the phantom menace (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2009-September/005722.html&#41;. According to my articles, for conducting of such DoS attack it's needed to give users a link to such looped redirect, which will be infinitely sending requests and overloading a server (in case of MODx it's possible to create unidirectional and bidirectional Looped DoS). In case of POST request it can be html form placed on popular site, e.g. in hidden iframe to conduct attack invisibly and as long as the page with iframe will be opened by users.

Exploit:

<body onLoad="document.hack.submit()">
<form name="hack" action="http://site/manager/processors/login.processor.php&quot; method="post">
</form>
</body>

Insufficient Anti-automation (WASC-21):

In login form (http://site/manager/&#41; there is no protection against automated request, which allows to picking up logins (via Abuse of Functionality vulnerability) in automated way. As to pick up passwords (via Brute Force vulnerability) for picked up logins in automated way. And also to conduct automated blocking of revealed accounts.

In password recovery form (http://site/manager/index.php?action=show_form&#41; there is no protection against automated request, which allows to picking up e-mails of users in automated way.

Timeline:

2012.06.28 - announced at my site.
2012.06.28 - informed developers about the first part of vulnerabilities.
2012.06.30 - informed developers about the second part of vulnerabilities.
2012.07.28 - informed developers about vulnerabilities in MODx Revolution and reminded about previous two letters.
2012.07.28-2012.10.31 - during conversation with developers about MODx Revolution, I was constantly reminding them, that I've sent them info about holes in Evolution and I can resent them, because it was clear that they missed it (they only were answering concerning Revolution).
2012.11.02 - after developers said they want to see this information (missed by them in June), I've resent the first two letters to the developers.
2012.11.24 - disclosed at my site (http://websecurity.com.ua/5929/&#41;.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

JSON