February 2025

Research: PHP Object Injection in MODX Login Extra

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the MODX Login Extra project.

The MODX team responded immediately to my report and a fix was released within hours - very impressive!

They published details here:

https://community.modx.com/t/modx-login-extra-php-object-injection-vulne...

This was assessed as:

  • Severity: Critical
  • CVSS v4.0 Score: 9.4
  • CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

The exploit requires authentication but no elevated privileges, so sites that allow registration without moderation are likely to be particularly vulnerable.

There was at least one Gadget Chain available in MODX when I did this research; I submitted a PR to fix this which was merged quickly, but at the time of writing the affected library has not made a new release that includes the fix.

MITRE has assigned CVE-2024-55039 but at the time of writing the details are not yet published.

Research: PHP Object Injection in XOOPS Modules

As part of my research into Gadget Chains and PHP Object Injection, I discovered exploitable vulnerabilities in three different XOOPS modules.

The XOOPS team responded quickly to my report, and fixes were released not long after. They were very good to work with.

They published details here:

https://xoops.org/modules/newbb/viewtopic.php?topic_id=79555

The specific fixes were:

MITRE have assigned CVE-2024-56925 for xmarticle, and CVE-2024-56928 for xmsocial.

They suggested that xmnews share one of the above CVEs, but I've requested a separate identifier as it's a distinct module / repo / vulnerability.

It took quite a long time to get the initial reply from MITRE and it may be a while before I hear back.

XOOPS includes the Smarty template engine which brings with it at least one viable Gadget Chain:

https://github.com/ambionics/phpggc/tree/master/gadgetchains/Smarty

The Smarty/FD1 gadget chain can be used as a Proof of Concept for these XOOPS vulnerabilities.
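What makes a finding like this exploitable is the combination of an unserialize() call on user-controlled input with a gadget class the application has already loaded (Smarty here). The following is an added example, not code from XOOPS, Smarty or any other project on this page; it uses a hypothetical stand-in gadget class, LogWriter, and a constructed payload to show why the sink is dangerous and how the allowed_classes option of unserialize() removes the gadget from reach:

```php
<?php
// Added example (not code from any project named above): demonstrates an
// object injection sink and the allowed_classes mitigation for unserialize().

// Hypothetical stand-in for a gadget class: any class already loaded by the
// application whose magic methods act on attacker-chosen property values.
class LogWriter
{
    public static $written = [];
    public $target = 'app.log';
    public $data = '';

    // Runs automatically when the object is destroyed, whether or not the
    // application ever intended to create an instance of this class.
    public function __destruct()
    {
        self::$written[] = [$this->target, $this->data];
    }
}

// Vulnerable pattern: untrusted bytes go straight into unserialize().
function loadPreferencesUnsafe($blob)
{
    return unserialize($blob);
}

// Hardened pattern: allowed_classes => false turns every O: token into a
// __PHP_Incomplete_Class, so no magic method of a real class is reached.
function loadPreferencesSafe($blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed input: the kind of serialized object a user could place in a
// cookie, form field or profile setting that the application later unserializes.
$untrusted = 'O:9:"LogWriter":2:{s:6:"target";s:11:"constructed";s:4:"data";s:4:"test";}';

$obj = loadPreferencesUnsafe($untrusted);
unset($obj);                        // __destruct fires: the gadget was reached
printf("unsafe: %d write(s) recorded\n", count(LogWriter::$written));

$obj = loadPreferencesSafe($untrusted);
printf("safe: got %s\n", get_class($obj)); // __PHP_Incomplete_Class
unset($obj);                        // nothing happens: no real class involved
printf("safe: %d write(s) recorded\n", count(LogWriter::$written));
```

Where the data is not meant to carry objects at all, a structured format such as JSON is the safer replacement; allowed_classes is the minimum fix when unserialize() cannot be removed.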

Research: Joomla File Write Gadget Chain

As part of my research into Gadget Chains and PHP Object Injection, I discovered a File Write Gadget Chain in Joomla.

I submitted a PR for this to the excellent PHPGGC project - it will hopefully be Joomla/FW1:

https://github.com/ambionics/phpggc/pull/202 (not yet merged)

I reported this to the Joomla Security Team (before submitting the PR), and they responded quickly.

Unlike some projects I've reported Gadget Chains to, they were grateful for the report and put a fix in place fast:

https://github.com/joomla/joomla-cms/pull/44428

The fix was included in Joomla 5.2.2 which was released about 4 weeks after I'd sent the report.

It was a pleasure working with the Joomla Team :)

Research: PHP Object Injection in openmass

As part of my research into Gadget Chains and PHP Object Injection, I discovered an unsafe deserialisation vulnerability in the openmass project.

The maintainers responded quickly to the report, and put a fix in place the same day:

https://github.com/massgov/openmass/commit/1966c48ecee26e1c10479af00aa0f...

The vulnerability was never exposed on the public facing website.

Research: PHP Object Injection in The Marketer OpenCart module

As part of my research into Gadget Chains and PHP Object Injection, I discovered an unsafe deserialisation vulnerability in The Marketer OpenCart module.

There are Gadget Chains available in OpenCart - including a few that I found and submitted to the PHPGGC project:

https://github.com/ambionics/phpggc/pull/199 (not yet merged).

The vulnerability in The Marketer module, combined with these Gadget Chains, allows remote unauthenticated RCE so it got a very high CVSS score.

Full details: https://gist.github.com/mcdruid/4434f7cd5e105e20e12b60fd6614ca12

MITRE have assigned CVE-2024-56927.