CVE-2018-1000207
Published 2018-07-13
Priority: P2 78 high
CVSS 3.0: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ITW: VulnCheck KEV, exploited in the wild
EPSS: 64.09% (99.1th percentile)
MODX Revolution version <=2.6.4 contains an Incorrect Access Control vulnerability in the filtering of user parameters before they are passed into the phpthumb class, which can result in creating a file with a custom filename and content. This attack appears to be exploitable via a web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| modx | modx_revolution | <= 2.6.4 | — |
| modx | revolution | >= 0 < 2.7.0 | 2.7.0 |
Detection & IOCs
snort
alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution RCE (CVE-2018-1000207)"; flow:established,to_server; http.uri; content:".php"; http.request_body; content:"useRawIMoutput"; content:"IMresizedData"; content:"config_prefer_imagemagick"; fast_pattern; reference:cve,2018-1000207; reference:url,www.exploit-db.com/exploits/45055; classtype:attempted-admin; sid:2025930; rev:3; metadata:attack_target Web_Server, created_at 2018_08_01, cve CVE_2018_100020, deployment Datacenter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_04;)
- Detect HTTP POST requests to any .php endpoint containing the phpthumb-specific body parameters 'useRawIMoutput', 'IMresizedData', and 'config_prefer_imagemagick'. All three together indicate exploitation of the MODX Revolution phpthumb RCE.
- The vulnerability involves insufficient filtering of user parameters passed into the phpthumb class, allowing creation of a file with a custom filename and content via a web request. Monitor for unexpected file creation (especially .php files) in web-accessible directories on MODX Revolution <=2.6.4 instances.
- The fix is tied to a specific commit; verify the patch is applied. Instances running MODX Revolution <=2.6.4 without commit 06bc94257408f6a575de20ddb955aca505ef6e68 remain vulnerable.
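The matching logic of the rule and the first bullet above, applied to already-parsed request records, as an added example that is not part of the original page or of the Emerging Threats ruleset. The record layout (`id`, `method`, `uri`, `body`), the sample requests and the function names are constructed for illustration; the body is URL-decoded before matching, which goes slightly beyond the rule's literal content matches.

```python
from urllib.parse import unquote, unquote_plus

# Body tokens taken from the ET rule (sid 2025930) quoted on this page.
REQUIRED_BODY_TOKENS = ("useRawIMoutput", "IMresizedData", "config_prefer_imagemagick")


def matches_rule(method, uri, body):
    """True when a request has the shape the rule describes: a POST whose
    URI contains ".php" and whose body carries all three phpthumb tokens."""
    if method.upper() != "POST":
        return False
    if ".php" not in unquote(uri):
        return False
    # Decode form encoding first so percent-encoded parameter names still match.
    decoded_body = unquote_plus(body or "")
    return all(token in decoded_body for token in REQUIRED_BODY_TOKENS)


def scan(records):
    """Return the ids of the records that match, in input order."""
    return [r["id"] for r in records
            if matches_rule(r["method"], r["uri"], r["body"])]


# Constructed sample records (hypothetical paths, placeholder values only).
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST", "uri": "/example/endpoint.php",
     "body": "useRawIMoutput=1&IMresizedData=PLACEHOLDER&config_prefer_imagemagick=0"},
    {"id": 2, "method": "POST", "uri": "/example/endpoint.php",
     "body": "useRawIMoutput=1&IMresizedData=PLACEHOLDER&config%5Fprefer%5Fimagemagick=0"},
    {"id": 3, "method": "POST", "uri": "/example/endpoint.php",
     "body": "useRawIMoutput=1&IMresizedData=PLACEHOLDER"},        # only two tokens
    {"id": 4, "method": "GET", "uri": "/example/endpoint.php", "body": ""},
    {"id": 5, "method": "POST", "uri": "/example/upload",           # no .php in URI
     "body": "useRawIMoutput=1&IMresizedData=PLACEHOLDER&config_prefer_imagemagick=0"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(f"request {hit}: matches CVE-2018-1000207 rule shape")
```
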
CVSS provenance
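| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 7.2 | HIGH | |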
OSV
MODX Revolution Incorrect Access Control vulnerability
osv·2022-05-13
CVE-2018-1000207 [HIGH] MODX Revolution Incorrect Access Control vulnerability
GHSA
MODX Revolution Incorrect Access Control vulnerability
ghsa·2022-05-13
CVE-2018-1000207 [HIGH] CWE-732 MODX Revolution Incorrect Access Control vulnerability
VulnCheck
modx modx_revolution Incorrect Permission Assignment for Critical Resource
vulncheck·2018·CVSS 7.2
CVE-2018-1000207 [HIGH] modx modx_revolution Incorrect Permission Assignment for Critical Resource
Affected: modx modx_revolution
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.imperva.com/blog/archive/the-worlds-most-popular-coding-language-happens-to-be-most-hackers-weapon-of-choice/
Suricata
ET WEB_SPECIFIC_APPS Modx Revolution RCE (CVE-2018-1000207)
suricata·2018-08-01·CVSS 7.2
CVE-2018-1000207 [HIGH] ET WEB_SPECIFIC_APPS Modx Revolution RCE (CVE-2018-1000207)
Rule: alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution RCE (CVE-2018-1000207)"; flow:established,to_server; http.uri; content:".php"; http.request_body; content:"useRawIMoutput"; content:"IMresizedData"; content:"config_prefer_imagemagick"; fast_pattern; reference:cve,2018-1000207; reference:url,www.exploit-db.com/exploits/45055; classtype:attempted-admin; sid:2025930; rev:3; metadata:attack_target Web_Server, created_at 2018_08_01, cve CVE_2018_100020, deployment Datacenter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_04;)
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/a2u/CVE-2018-1000207
- https://github.com/modxcms/revolution/commit/06bc94257408f6a575de20ddb955aca505ef6e68
- https://github.com/modxcms/revolution/pull/13979
- https://rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4
2018-07-13: Published
Exploited in the wild