MODX Revolution version <=2.6.4 contains an Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in creating a file with custom a filename and content. This attack is exploitable via Web request.
- An attacker sends an HTTP POST request to the Gallery components connector.php script with a PHPthumb resize action designed to write PHP to the Gallery’s cache.
- The Gallery cache containing malicious code is written to the cache directory and is accessible with no access control.
The attacker will access a vulnerable plugin version that has MODX installation whereby the webserver has read/write permissions to the specific uploads directory (default).
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.