CVE-2022-26149
📋 TL;DR
CVE-2022-26149 allows remote authenticated administrators in MODX Revolution to execute arbitrary code by uploading executable files. This occurs because administrators can modify the 'Uploadable File Types' setting to permit dangerous file types. Only systems with administrator accounts are affected.
💻 Affected Systems
- MODX Revolution
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, lateral movement, and persistent backdoor installation.
Likely Case
Unauthorized code execution leading to website defacement, data exfiltration, or cryptomining.
If Mitigated
Limited impact if administrator accounts are properly secured and monitored.
🎯 Exploit Status
Exploit scripts are publicly available; exploitation requires administrator credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.4-pl or later
Vendor Advisory: https://modx.com/security/advisories/modx-revolution-2.8.3-pl-remote-code-execution
Restart Required: No
Instructions:
1. Backup your MODX installation and database.
2. Download MODX Revolution 2.8.4-pl or later from the official website.
3. Replace the core files with the updated version.
4. Clear the cache via the manager interface.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator account access to trusted IP addresses only.
# Configure web server (e.g., Apache .htaccess) to restrict admin panel access by IP
File Upload Restrictions
Manually enforce strict file upload restrictions at the web server level.
# Example Apache configuration: deny direct requests for script files under the
# /assets/ upload path, so an uploaded .php/.phtml/.exe/.sh file cannot be executed
# by requesting it. (Apache 2.2 access syntax; on 2.4 this needs mod_access_compat,
# or replace the Deny line with a <RequireAll> block using "Require not env block_upload".)
    <Location "/assets/">
        SetEnvIf Request_URI "\.(php|phtml|exe|sh)$" block_upload
        Deny from env=block_upload
    </Location>
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts and monitor for suspicious activity.
- Deploy a web application firewall (WAF) with rules to block malicious file uploads.
🔍 How to Verify
Check if Vulnerable:
Check MODX version in manager dashboard or via /core/docs/version.inc.php; versions ≤2.8.3-pl are vulnerable.
Check Version:
grep 'version' /path/to/modx/core/docs/version.inc.php
Verify Fix Applied:
Confirm version is 2.8.4-pl or later and test that administrator cannot modify uploadable file types to include executables.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads (e.g., .php, .exe) in MODX assets directory
- Administrator login from unexpected IP addresses
- Changes to 'Uploadable File Types' setting in system logs
Network Indicators:
- HTTP POST requests to upload endpoints with executable file extensions
- Outbound connections from MODX server to unknown IPs post-upload
SIEM Query:
source="modx_logs" AND (file_extension="php" OR file_extension="exe") AND action="upload"
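As an added example (not part of this advisory or of MODX itself), the version check from "How to Verify" and the file-upload indicators above as one small Python script. The key names in version.inc.php and the `upload_files` name for the 'Uploadable File Types' setting are assumptions about MODX's layout; all sample inputs are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample of core/docs/version.inc.php. The key names follow MODX
# Revolution's own version file (an assumption; only 'version' and 'patch_level' are read).
SAMPLE_VERSION_INC = """<?php
$v= array();
$v['version']= '2.8.3';
$v['version_major']= '2';
$v['version_minor']= '8';
$v['version_patch']= '3';
$v['patch_level']= 'pl';
"""

FIXED = (2, 8, 4)  # 2.8.4-pl is the first release carrying the fix
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php5", "phar", "exe", "sh"}

def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Return ((major, minor, patch), patch_level) from version.inc.php contents."""
    ver = re.search(r"\$v\['version'\]\s*=\s*'([\d.]+)'", text)
    lvl = re.search(r"\$v\['patch_level'\]\s*=\s*'(\w+)'", text)
    if not ver:
        raise ValueError("no $v['version'] assignment found")
    return tuple(int(p) for p in ver.group(1).split(".")), (lvl.group(1) if lvl else "")

def is_vulnerable(text: str) -> bool:
    """True for 2.8.3-pl and earlier, False for 2.8.4-pl or later."""
    return parse_version(text)[0] < FIXED

def dangerous_upload_types(upload_files: str) -> set:
    """Executable extensions present in the comma-separated 'Uploadable File Types'
    value (stored as the 'upload_files' system setting in MODX; an assumption)."""
    exts = {e.strip().lower().lstrip(".") for e in upload_files.split(",")}
    return exts & EXECUTABLE_EXTS

def find_executable_files(paths: Iterable[str]) -> List[str]:
    """Paths under the assets/ upload directory whose extension is executable,
    e.g. the output of `find assets/ -type f` fed in line by line."""
    return [p for p in paths if "." in p and p.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTS]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable(SAMPLE_VERSION_INC))
    print("dangerous types:", dangerous_upload_types("jpg,png,pdf,php"))
    print("suspicious:", find_executable_files(["assets/img/a.jpg", "assets/shell.php"]))
```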
🔗 References
- http://packetstormsecurity.com/files/171488/MODX-Revolution-2.8.3-pl-Remote-Code-Execution.html
- https://github.com/sartlabs/0days/blob/main/Modx/Exploit.txt