cbcvebase.
CVE-2018-1000207
published 2018-07-13


Priority: P278 high
CVSS 3.0: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
In the wild: listed in VulnCheck KEV, exploited in the wild
EPSS: 64.09% (99.1th percentile)
MODX Revolution version <=2.6.4 contains an Incorrect Access Control vulnerability in the filtering of user parameters before they are passed into the phpthumb class, which can result in creating a file with a custom filename and content. This attack appears to be exploitable via a web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68.

Affected

2 ranges

Vendor   Product           Version range      Fixed in
modx     modx_revolution   <= 2.6.4           (none listed)
modx     revolution        >= 0, < 2.7.0      2.7.0

Detection & IOCs (extracted from sources)

URL: https://www.exploit-db.com/exploits/45055
Snort rule:
alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution RCE (CVE-2018-1000207)"; flow:established,to_server; http.uri; content:".php"; http.request_body; content:"useRawIMoutput"; content:"IMresizedData"; content:"config_prefer_imagemagick"; fast_pattern; reference:cve,2018-1000207; reference:url,www.exploit-db.com/exploits/45055; classtype:attempted-admin; sid:2025930; rev:3; metadata:attack_target Web_Server, created_at 2018_08_01, cve CVE_2018_100020, deployment Datacenter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_04;)
  • Detect HTTP POST requests to any .php endpoint whose body contains the phpthumb-specific parameters 'useRawIMoutput', 'IMresizedData', and 'config_prefer_imagemagick'; all three together indicate exploitation of the MODX Revolution phpthumb RCE.
  • The vulnerability involves insufficient filtering of user parameters passed into the phpthumb class, allowing creation of a file with a custom filename and content via a web request. Monitor for unexpected file creation (especially .php files) in web-accessible directories on MODX Revolution <=2.6.4 instances.
  • The fix is tied to a specific commit; verify that the patch is applied. Instances running MODX Revolution <=2.6.4 without commit 06bc94257408f6a575de20ddb955aca505ef6e68 remain vulnerable.

CVSS provenance

NVD v3.0: 7.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
VulnCheck: 7.2 HIGH