MODx Revolution CMS 2.0.4-pl2 Remote XSS POST Injection Vulnerability

Title: MODx Revolution CMS 2.0.4-pl2 Remote XSS POST Injection Vulnerability
Advisory ID: ZSL-2010-4982
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 06.12.2010
Summary
MODx Revolution is a powerful PHP Content Management Framework that plays nicely with custom code and helps you build sites faster and maintain them with ease. With Revolution you'll leverage the best things to come around since MVC and Active Record.
Description
The MODx Revolution CMS suffers from a reflected cross-site scripting (XSS) vulnerability: the "username" and "email" parameters sent via POST to the manager login script (manager/controllers/default/security/login.php) are taken from the request without validation or output encoding. Because the manager login form is reachable without authentication and accepts POST data, an attacker can have a victim submit a crafted form (the PoC for this advisory is an HTML file) and thereby execute arbitrary HTML and script code in the victim's browser session, in the origin of the manager interface.

--------------------------------------------------------------------------------

/var/html/www/manager/controllers/default/security/login.php:
--------------------------------------------------------------------------------

/* handle login (login.php lines 25-31): the raw "username" POST value is used as-is */
if (!empty($_POST['login'])) {
    $validated = true;

    $user = $modx->getObject('modUser', array(
        'username' => $_POST['username'],
    ));

...

/* forgot-login handler (login.php lines 71-77): the raw "email" POST value is used as-is */
} else if (!empty($_POST['forgotlogin'])) {
    $c = $modx->newQuery('modUser');
    $c->select(array('modUser.*', 'Profile.email', 'Profile.fullname'));
    $c->innerJoin('modUserProfile', 'Profile');
    $c->where(array(
        'Profile.email' => $_POST['email'],
    ));

--------------------------------------------------------------------------------
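The snippet above only shows where the raw POST values enter the controller; a reflected XSS additionally needs the value to be written back into the response. The following is an added example, not code from MODx or from this advisory, that assumes the login controller re-renders the submitted "username" into the form after a failed login (the field name is the advisory's, the form markup and function names are hypothetical) and places the vulnerable rendering beside a hardened one:

```php
<?php
// Added example (not MODx code): the reflection pattern behind the advisory,
// vulnerable and hardened. Assumption: the login controller re-renders the
// submitted "username" into the form after a failed login; the markup is hypothetical.

/* Builds the form; whatever is passed in lands inside a double-quoted attribute. */
function login_form_html($usernameAttr)
{
    return '<form method="post" action="login.php">' . "\n"
         . '  <input type="text" name="username" value="' . $usernameAttr . '">' . "\n"
         . '  <input type="submit" name="login" value="Login">' . "\n"
         . '</form>';
}

/* Vulnerable: the raw POST value is concatenated into the HTML attribute,
 * so a value containing "> closes the attribute and the tag. */
function render_login_form_vulnerable(array $post)
{
    $username = isset($post['username']) ? $post['username'] : '';
    return login_form_html($username);
}

/* Hardened: encode for the HTML attribute context before output.
 * ENT_QUOTES also converts single quotes, so the value is safe in either
 * quoting style; the explicit charset avoids multibyte encoding confusion. */
function render_login_form_hardened(array $post)
{
    $username = isset($post['username']) ? $post['username'] : '';
    return login_form_html(htmlspecialchars($username, ENT_QUOTES, 'UTF-8'));
}

/* Self-check used below: does a marker survive into the output unencoded? */
function reflects_unescaped($html, $marker)
{
    return strpos($html, $marker) !== false;
}

// Constructed input of the kind a malicious HTML form would POST to login.php.
$payload = '"><script>alert(document.cookie)</script>';
$post    = array('username' => $payload, 'login' => '1');

echo "--- vulnerable ---\n", render_login_form_vulnerable($post), "\n";
echo "--- hardened ---\n",   render_login_form_hardened($post), "\n";

var_dump(reflects_unescaped(render_login_form_vulnerable($post), '<script>'));
var_dump(reflects_unescaped(render_login_form_hardened($post), '<script>'));
```

Run with `php example.php`: in the vulnerable output the payload closes the value attribute and the input tag and injects a script element; in the hardened output the same input appears as `&quot;&gt;&lt;script&gt;...` and stays inert. htmlspecialchars() with ENT_QUOTES is the right encoder for HTML body and attribute contexts; a value that is instead placed inside JavaScript or a URL needs the encoder for that context.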

Vendor
MODx, LLC. - http://www.modxcms.com
Affected Version
2.0.4-pl2 (public launch 2)
Tested On
Fedora 10 (Cambridge)
Apache 2.2.14
PHP 5.2.10
MySQL 5.0.88
Vendor Status
[05.12.2010] Vulnerability discovered.
[05.12.2010] Initial contact with the vendor.
[06.12.2010] Vendor responds asking more details.
[06.12.2010] Sent PoC files to the vendor.
[06.12.2010] Vendor releases patch.
[06.12.2010] Coordinated public advisory released.
PoC
modx_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://bugs.modx.com/issues/2918
[2] https://github.com/modxcms/revolution/commit/7b10968f1a62984ef16cfba8ff4362333801c889
[3] http://www.exploit-db.com/exploits/15701/
[4] http://packetstormsecurity.org/files/96425
[5] http://securityreason.com/wlb_show/WLB-2010120030
[6] http://secunia.com/advisories/42483/
[7] http://www.securityfocus.com/bid/45215
[8] http://osvdb.org/show/osvdb/69643
Changelog
[06.12.2010] - Initial release
[07.12.2010] - Added reference [5], [6] and [7]
[08.12.2010] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk