In Modx Revolution were found two critical vulnerabilities, affecting versions up to 2.6.4. In this article I will analyze only CVE-2018-1000207 vulnerability. It has 9.8 CVSS score AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. But, if you have version 2.5.1 or higher, then CVSS score lowers to 8.8, and it would be more difficult to hack you, because for vulnerability exploitation requires authorization in admin panel (Privileges Required).

The vulnerability is based on that Modx sending user parameters in phpthumb class without a filter. As the attack vector can be used script /connectors/system/phpthumb.php, or any other script, that is sending parameters in modphpthumb.class.php class. For example, if you have installed Gallery plugin (one of the most popular photogallery plugin), then the attack vector will be /assets/components/gallery/connector.php script.

If your CMS version is higher than 2.5.1, and you’ve not installed any plugin, that works with phpthumb, then exploitation of the vulnerability will require authorization in the admin panel. By the way, it’s enough to login as any user, with any access rights.

The phpthumb class has two types of parameters: public and private. Public parameters are used for preview generation, they are height, width, quality, crop, watermark, etc.

// public:
// START PARAMETERS (for object mode and phpThumb.php)
// See phpthumb.readme.txt for descriptions of what each of these values are
public $src  = null;     // SouRCe filename
public $new  = null;     // NEW image (phpThumb.php only)
public $w    = null;     // Width
public $h    = null;     // Height
...

Private parameters are hardcoded and defined in the config file. They are: debug mode, set cache directory, etc. File modxphpthumb.class.php , which is used for sending requests to phpthumb.class.php , can’t see a difference between public and private parameters and send everything.

The problem is:

/* iterate through properties */
foreach ($this->config as $property => $value) {
    $this->setParameter($property,$value);
}
return true;

All user requests are going through $this->config , and then they get in phpthumb via function setParameter(). The possibility to use all of phpthumb parameters let you to upload any php files. The payload request would look like that:

url = target + '/connectors/system/phpthumb.php'
payload = {
    'ctx': 'web',
    'cache_filename': '../../payload.php',
...