VYPR
High severity · NVD Advisory · Published Feb 26, 2022 · Updated Aug 3, 2024

CVE-2022-26149

Description

MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MODX Revolution 2.8.3-pl and earlier allow authenticated administrators to upload and execute arbitrary code by modifying the Uploadable File Types setting.

Vulnerability

MODX Revolution through version 2.8.3-pl allows a remote, authenticated administrator to upload files that the web server will execute. The root cause is that the "Uploadable File Types" system setting, which is the allowlist the upload code enforces, is itself editable by an administrator: adding extensions such as .php, .phtml, or .shtml to it lifts the default restriction, after which a file with one of those extensions passes the upload check like any other [1]. Nothing else in the upload path rejects such extensions once they are on the list, so the setting is the only barrier between an administrator and code execution on the server.

Exploitation

To exploit CVE-2022-26149, an attacker first needs valid administrator credentials for the MODX Revolution instance (or a session obtained by other means, such as credential theft or CSRF against a logged-in administrator). Once authenticated, the attacker opens the system settings in the manager, edits the "Uploadable File Types" value to include an executable extension such as .php, saves it, and then uploads a crafted file (typically a web shell) through the media manager or any other upload interface that honours the same setting. The final step is simply requesting the uploaded file over HTTP: the upload directory is web-accessible by default, so as long as the web server has a PHP handler mapped for that path the file runs. No privileges or network position beyond administrator access are required [1][2].

Impact

Successful exploitation lets the attacker run arbitrary PHP code on the web server with the privileges of the web server or PHP-FPM process that serves MODX. That is enough to read the MODX configuration (including database credentials), read, write, and delete any file the process can reach, query and modify the database, and use the host as a foothold for lateral movement within the hosting environment; local privilege escalation on the underlying operating system is possible if the host is otherwise weak [1][2].

Mitigation

The affected-package data on this page lists no patched version, so a fixed release should be taken from the MODX release notes or the GitHub Security Advisory rather than from a version number assumed here. Because the setting change requires administrator rights, the primary control is to treat every MODX administrator account as equivalent to code execution on the web server: keep such accounts to a minimum, protect them with strong authentication, and periodically audit which users and access policies are allowed to edit system settings. As defence in depth, keep the Uploadable File Types setting free of extensions the web server executes (.php, .phtml, .phar, and similar), configure the web server to serve the media upload directory (typically assets/) as static files only, with no PHP handler, and alert on any change to the setting, whether made through the manager or directly in the database. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
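The following script is an added example, not code from MODX or from this advisory, that does what the Exploitation and Mitigation sections describe from the defender's side: it parses an "Uploadable File Types" value, reports which entries a PHP-enabled web server would execute, diffs a before/after pair the way an audit rule would when an administrator edits the setting, and shows the allowlist check a validator performs on an uploaded filename. It assumes the setting is stored as a comma-separated list of extensions (MODX keeps it in the `upload_files` system setting, as far as the author knows; treat the key name as an assumption). The sample values and the list of executable extensions are constructed for illustration and must be adjusted to the handlers actually configured on a given host.

```python
"""Audit an "Uploadable File Types" value for extensions the web server executes.

Added example, not MODX project code. Assumptions: the setting is a
comma-separated list of extensions (as the MODX `upload_files` setting is
believed to be), and the sample values below are constructed, not copied
from a real installation's defaults.
"""
import re

# Extensions a typical PHP-enabled web server (Apache with mod_php or
# PHP-FPM, nginx with PHP-FPM) may hand to an interpreter or SSI engine.
# This list is an assumption; extend it to match the host's handler config.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "shtml", "shtm", "stm",   # server-side includes
    "cgi", "pl", "py",        # only dangerous if a CGI handler is mapped
    "htaccess",               # could re-map handlers itself on Apache
})

# Constructed sample values (not real defaults). BASELINE deliberately lists
# "php_" rather than "php": a file named x.php_ is never executed as PHP.
BASELINE = "txt,php_,html,htm,xml,js,css,zip,pdf,doc,jpg,jpeg,png,gif,svg"
TAMPERED = BASELINE + ",php,phtml"


def parse_upload_files(value: str) -> list[str]:
    """Split the setting into normalised extensions: lowercase, no dot, no blanks."""
    return [e.strip().lower().lstrip(".") for e in value.split(",") if e.strip()]


def executable_entries(value: str) -> list[str]:
    """Every entry in the setting that the web server could execute as code."""
    return sorted({e for e in parse_upload_files(value) if e in EXECUTABLE_EXTENSIONS})


def newly_added(before: str, after: str) -> list[str]:
    """Extensions present in `after` but not in `before`: what an audit log
    should record when an administrator edits the setting."""
    return sorted(set(parse_upload_files(after)) - set(parse_upload_files(before)))


def is_allowed_upload(filename: str, value: str) -> bool:
    """Allowlist check as an upload validator performs it: the final extension
    must appear in the setting. This alone does not make uploads safe; it only
    enforces whatever the list says, which is exactly the weakness described
    in the advisory, so executable_entries() must be clean as well."""
    m = re.search(r"\.([A-Za-z0-9_]+)$", filename)
    return bool(m) and m.group(1).lower() in set(parse_upload_files(value))


def audit(before: str, after: str) -> dict:
    """Summarise a setting change the way a detection rule would report it."""
    added = newly_added(before, after)
    now_exec = executable_entries(after)
    return {
        "added": added,
        "executable_added": [e for e in added if e in EXECUTABLE_EXTENSIONS],
        "executable_now_allowed": now_exec,
        "verdict": "ALERT" if now_exec else "ok",
    }


if __name__ == "__main__":
    # Shows the tampered setting being flagged and a web shell passing the
    # allowlist only after the setting was changed.
    print(audit(BASELINE, TAMPERED))
    print("shell.php allowed before:", is_allowed_upload("shell.php", BASELINE))
    print("shell.php allowed after: ", is_allowed_upload("shell.php", TAMPERED))
```

In practice `audit()` would be fed the old and new values from the manager's audit trail or from a periodic query of the settings table, and any non-empty `executable_now_allowed` list is worth an alert regardless of who made the change, because the advisory's whole point is that the administrator making it may be the attacker.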

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
modx/revolution    Packagist   <= 2.8.3-pl         (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)
