CVE-2014-8773 : Détail

CVE-2014-8773

Cross-Site Request Forgery - CSRF
A01-Broken Access Control
0.36%V4
Network
2014-12-03
17h00 +00:00
2014-12-03
16h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 35159

Date de publication : 2014-11-04 23h00 +00:00
Auteur : Narendra Bhati
EDB Vérifié : No

Advisory ID: 92152 Product: MODX Revolution Vendor: MODX Vulnerable Version(s): 2.0.0–2.2.14 Tested Version: 2.2.14 Advisory Publication: 16 July, 2014 [without technical details] Vendor Notification: 16 July, 2014 Vendor Patch: 15 July, 2014 Public Disclosure: 2 November , 2014 Vulnerability Type: CSRF Tokens Bypass + Reflected Cross Site Scripting + Stored XSS CVE Reference: Requested Risk Level: Critical Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) Patch - Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions Reported By - Narendra Bhati ( R00t Sh3ll) Security Analyst @ Suma Soft Pvt. Ltd. , Pune ( India )IT Risk & Security Management Services , Pune ( India) Facebook - https://facebook.com/narendradewsoft twitter - https://www.twitter.com/NarendraBhatiNB Blog - http://hacktivity.websecgeeks.com Email - bhati.contact@gmail.com ----------------------------------------------------------------------------------------------- Advisory Details: Narendra Bhati discovered vulnerability in MODX Revolution, which can be exploited to perform Cross-Site Scripting (XSS) attacks & Along With Bypassing CSRF Tokens Protection ,Its allow an attacker to perform A CSRF Attack alosing With XSS to take over victim account by changin promary email address , Sending forged request Etc , Tricking an admin to attack on their own users by sending specially crafter malicous payload as CSRF Attack 1) Cross Site Request Forgery Protection (CSRF) Tokens Bypassing in Modx Revolution The vulnerability exists due to insufficient validation of csrftokens ["HTTP_MODHAUTH] at server side which allow an attacker to Perform CSRF Attack by bypassing CSRF Protection Mechanism To take over victim account , Trick him to send malicious request Etc. ------------------------------------------------------------------------------------ 2) Reflected Cross-Site Scripting (XSS) in MODX Revolution The vulnerability exists due to insufficient sanitization of input data passed via the "context_key" HTTP GET parameter to "http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key=" URL. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. This vulnerability can be used against website administrator to perform phishing attacks, steal potentially sensitive data and gain complete control over web application. The exploitation example below uses the ""></script><img src=x onerror=prompt(/XSS/)>" JavaScript function to display "/XSS/" word: Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?a=55&class_key=modStaticResource&context_key="></script><img src=x onerror=prompt(/XSS/)> Vulnerable Parameter - "context_key" XSS Payload - "></script><img src=x onerror=prompt(/XSS/)> "></script><img src=x onerror=prompt(document.cookie)> ----------------------------------------------------------------------------------------------- 3) Stored Cross-Site Scripting (XSS) in MODX Revolution The vulnerability exists due to insufficient sanitization of input data passed via the "context" HTTP POST parameter to " http://127.0.0.1/day/modx/manager/index.php?id=1" URL. A local attacker [Authenticated User] can execute arbitrary HTML and script code in browser in context of the vulnerable website. This vulnerability can be used against website visitors to perform phishing attacks, steal potentially sensitive data and gain complete control over web application. The exploitation example below uses the "<script>alert(1)</script>" JavaScript function to display "1" word: Vulnerable URL - http://127.0.0.1/day/modx/manager/index.php?id=1 Vulnerable Parameter - "context" XSS Payload - <script>alert(1)</script> Note - This Stored XSS Was more critical because there was a CSRF protection vulnerability also , which allow an attacker to trick an administrator To Send Unwated Request for Stored XSS , which will directly attack to the Visitors , ----------------------------------------------------------------------------------------------- Solution: Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions More Information: Public Advisory By Vendor :- http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior Public Disclosure With Tecnical Details - http://hacktivity.websecgeeks.com/modx-csrf-and-xss/ -----------------------------------------------------------------------------------------------

Products Mentioned

Configuraton 0

Modx>>Modx_revolution >> Version 2.0.0

Modx>>Modx_revolution >> Version 2.0.1

Modx>>Modx_revolution >> Version 2.0.3

Modx>>Modx_revolution >> Version 2.0.4

Modx>>Modx_revolution >> Version 2.0.5

Modx>>Modx_revolution >> Version 2.0.6

Modx>>Modx_revolution >> Version 2.0.7

Modx>>Modx_revolution >> Version 2.0.8

Modx>>Modx_revolution >> Version 2.1.0

Modx>>Modx_revolution >> Version 2.1.1

Modx>>Modx_revolution >> Version 2.1.2

Modx>>Modx_revolution >> Version 2.1.3

Modx>>Modx_revolution >> Version 2.1.4

Modx>>Modx_revolution >> Version 2.1.5

Modx>>Modx_revolution >> Version 2.2.0

Modx>>Modx_revolution >> Version 2.2.1

Modx>>Modx_revolution >> Version 2.2.2

Modx>>Modx_revolution >> Version 2.2.3

Modx>>Modx_revolution >> Version 2.2.4

Modx>>Modx_revolution >> Version 2.2.5

Modx>>Modx_revolution >> Version 2.2.6

Modx>>Modx_revolution >> Version 2.2.7

Modx>>Modx_revolution >> Version 2.2.8

Modx>>Modx_revolution >> Version 2.2.9

Modx>>Modx_revolution >> Version 2.2.10

Modx>>Modx_revolution >> Version 2.2.11

Modx>>Modx_revolution >> Version 2.2.12

Modx>>Modx_revolution >> Version 2.2.13

Modx>>Modx_revolution >> Version 2.2.14

Références