BID:17532

MODxCMS Index.PHP Cross-Site Scripting Vulnerability

Info

MODxCMS Index.PHP Cross-Site Scripting Vulnerability

Bugtraq ID:	17532
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 14 2006 12:00AM
Updated:	Apr 17 2006 10:06PM
Credit:	Rusydi Hasan M is credited with the discovery of this vulnerability.
Vulnerable:	MODxCMS MODxCMS 0.9.1

Not Vulnerable:

Discussion

MODxCMS Index.PHP Cross-Site Scripting Vulnerability

MODxCMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Exploit / POC

MODxCMS Index.PHP Cross-Site Scripting Vulnerability

This issue can be exploited through a web client.

An example URI has been provided:

http://www.example.com/[modx_dir]/index.php?id=[parameter][XSS_here]

Solution / Fix

MODxCMS Index.PHP Cross-Site Scripting Vulnerability

Solution:

To address this issue, the vendor has released a patch available at the following location:

http://modxcms.com/forums/index.php/topic,3982.0.htmlhttp://modxcms.com/forums/index.php/topic,3982.0.html

References

MODxCMS Index.PHP Cross-Site Scripting Vulnerability

References:

Vendor Homepage (MODx)
Re: Vulnerabilities in MOD (Victor Brilon )
Vulnerabilities in MODx ([email protected])