PHP code injection in MODX Evolution

Published: 2016-11-16 08:44:56 | Updated: 2016-11-30 12:56:00
Severity High
Patch available YES
Number of vulnerabilities 1
CVSSv2 8.7 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)
CVSSv3 9.4 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE ID N/A
CWE ID CWE-94
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software MODX Evolution
Vulnerable software versions MODX Evolution 1.1.0
MODX Evolution 1.0.13
MODX Evolution 1.0.15
MODX Evolution 1.0.14
MODX Evolution 1.0.12
Vendor URL MODX
Advisory type Public

Security Advisory

This vulnerability was updated to reflect in the wild exploitation of the vulnerability.

1) PHP code injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands.

The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "ucfg" HTTP POST parameter to "/assets/snippets/ajaxSearch/classes/ajaxSearchConfig.class.inc.php" script. A remote attacker can send a specially crafted HTTP POST request and execute arbitrary SQL commands in database.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary PHP code on the target system, however requires valid user account.

Note: as of November 30, 2016 this vulnerability is being actively exploited in the wild.

Remediation

Apply a security fix:
http://extras.evolution-cms.com/packages/core/security-fix.html

External links

https://forums.modx.com/thread/101240/evo-security-patch-1-0-12-and-above#dis-post-546368

Back to List