Modx Revolution < 2.6.4 – Remote Code Execution

Details of BNVL-2018-0039

What does the BNVL label mean?

BitNinja Server Security’s BNVL identifiers are intended to identify publicly known information security vulnerabilities in publicly released software packages. The project was designed to collect and analyze attack information from the BitNinja network after cluster analysis by the AI-powered Attack Vector Miner. More than 100 vulnerability types have been discovered through this project so far, so we decided to publish this platform to help keep Linux server owners up to date.

Important! All listed BNVL vulnerabilities are covered by BitNinja PRO; please check your configuration to see whether your infrastructure is affected by any of them.

Syntax for BNVL labels:

BNVL prefix + Year + Arbitrary Digits

Name: Modx Revolution < 2.6.4 – Remote Code Execution
Related Links: https://www.exploit-db.com/exploits/45055/
               https://malware.expert/vulnerability/modx-revolution-2-6-4-remote-code-execution/

CVE ID: N/A

Description: 

Last week, two critical vulnerabilities affecting MODX Revolution <= 2.6.4 were published: remote script execution and file/directory removal. Attackers are thereby able to compromise the website or corrupt or delete files and directories.

In MODX Revolution <= 2.6.4, insufficient filtering of user-supplied parameters (an incorrect access control check) lets a request reach the phpthumb class, which then creates a file with a custom file name and content. This attack appears to be usable through a plain web request.

The vulnerability was reported on 11th July and the MODX development team released the fix within 18 hours. Anyone running MODX Revolution 2.6.4 or below should upgrade as soon as possible. (Keep a backup of your website before upgrading so that, if something goes wrong, you can simply restore it.)

Pattern: /assets/components/gallery/connector.php
         phpthumb
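As an added example (not part of this BNVL entry and not BitNinja's own tooling), the pattern above turned into a triage check over web-server access log lines, assuming Apache/nginx combined log format; the sample lines and their parameter names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicator strings taken from the "Pattern" field of this BNVL entry.
CONNECTOR_PATH = "/assets/components/gallery/connector.php"
INDICATOR = "phpthumb"

# Combined log format (Apache/nginx): client, ident, user, [time], "request", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_access_line(line):
    """Return (ip, method, decoded path, decoded query, status), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode percent-encoding so an encoded indicator (e.g. %70hpthumb) still matches.
    return (m.group("ip"), m.group("method"), unquote_plus(parts.path),
            unquote_plus(parts.query), int(m.group("status")))

def matches_bnvl_2018_0039(line):
    """True when a request hits the Gallery connector AND references phpthumb.
    The connector is also used legitimately, so treat a hit as a triage signal."""
    parsed = parse_access_line(line)
    if parsed is None:
        return False
    _ip, _method, path, query, _status = parsed
    return path.lower().endswith(CONNECTOR_PATH) and INDICATOR in (path + "?" + query).lower()

def scan_access_log(lines):
    """Return (ip, status, decoded target) for every matching line, in log order."""
    hits = []
    for line in lines:
        if matches_bnvl_2018_0039(line):
            ip, _method, path, query, status = parse_access_line(line)
            hits.append((ip, status, path + ("?" + query if query else "")))
    return hits

# Constructed sample lines (documentation IPs, made-up parameter names), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2018:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Jul/2018:10:01:05 +0000] "GET /assets/components/gallery/connector.php?ctx=web&action=phpthumb HTTP/1.1" 200 311',
    '198.51.100.7 - - [12/Jul/2018:10:02:11 +0000] "POST /assets/components/gallery/connector.php?ctx=web&action=%70hpthumb HTTP/1.1" 500 0',
    '203.0.113.5 - - [12/Jul/2018:10:03:00 +0000] "GET /assets/components/gallery/connector.php?action=album/get HTTP/1.1" 200 780',
]
```

Run `scan_access_log` over your real access log lines; a 200 response on a matching request deserves a look at recently created files under the web root, since the advisory describes file creation with a custom name and content.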