The log functionality of the xPDO class contains a reflected cross-site scripting vulnerability via the $_SERVER['PHP_SELF'] entry point.
To exploit it, an error must occur while the class manager (xPDOManager) is being loaded; this precondition limits the impact
of the vulnerability.
smashingred created Redmine issue ID 10288
Per [SOJOBO-ADV-13-02]
The following trace reaches the vulnerable code:
File: \core\model\schema\build.modx.php
  23: $manager= $xpdo->getManager();

File: \core\xpdo\xpdo.class.php
  1848: $this->log(xPDO::LOG_LEVEL_ERROR, "Could not load xPDOManager class.");
  ..
  1995: $this->_log($level, $msg, $target, $def, $file, $line);
  ..
  2020: $file= (isset ($_SERVER['PHP_SELF']) || $target == 'ECHO') ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_FILENAME'];
  ..
  2032: $file= " @ {$file}";
  ..
  2039: echo '[' . strftime('%Y-%m-%d %H:%M:%S') . '] (' . $this->_getLogLevel($level) . $def . $file . $line . ') ' . $msg . "\n";
$_SERVER['PHP_SELF'] is tainted input: it is derived from the request path (including any PATH_INFO the client appends after the script name) and is concatenated into the log line and echoed at line 2039 without escaping, so a crafted URL can inject arbitrary HTML into the error output when the ECHO log target is in use.
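The following is an added example, not xPDO's own code: a condensed model of the ECHO branch of the _log() path traced above, with the unescaped concatenation beside a hardened variant. The request array, the payload in PHP_SELF and the helper names are constructed for illustration.

```php
<?php
// Added example (not code from xPDO/MODX): models the echo at xpdo.class.php:2039
// with a constructed $_SERVER array. Run with: php xpdo_log_xss_example.php

/**
 * Vulnerable shape, mirroring the trace: the request-derived path is
 * concatenated into the log line and returned/echoed without escaping.
 */
function echo_log_vulnerable(array $server, string $level, string $msg): string
{
    // Same choice as xPDO::_log(): prefer PHP_SELF, fall back to SCRIPT_FILENAME.
    $file = isset($server['PHP_SELF']) ? $server['PHP_SELF'] : $server['SCRIPT_FILENAME'];
    $file = " @ {$file}";
    // date() replaces strftime(), which is deprecated in current PHP releases.
    return '[' . date('Y-m-d H:i:s') . '] (' . $level . $file . ') ' . $msg . "\n";
}

/**
 * Hardened shape: every request-derived fragment is HTML-escaped before it can
 * reach a response body. SCRIPT_NAME is preferred over PHP_SELF because it does
 * not carry client-supplied PATH_INFO; it is still escaped, since it is not a
 * trusted string either. The message is escaped too, in case a future caller
 * passes user-controlled text as $msg.
 */
function echo_log_hardened(array $server, string $level, string $msg): string
{
    $file = $server['SCRIPT_NAME'] ?? $server['SCRIPT_FILENAME'];
    $file = ' @ ' . htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $msg  = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '[' . date('Y-m-d H:i:s') . '] (' . $level . $file . ') ' . $msg . "\n";
}

/** Reviewer check: does the rendered log line still contain raw markup? */
function contains_raw_markup(string $line): bool
{
    return preg_match('/<[a-z!\/]/i', $line) === 1;
}

// Constructed request: the build script was reached with extra path info
// carrying a payload, which PHP exposes through PHP_SELF but not SCRIPT_NAME.
$server = [
    'SCRIPT_NAME'     => '/core/model/schema/build.modx.php',
    'SCRIPT_FILENAME' => '/var/www/core/model/schema/build.modx.php',
    'PHP_SELF'        => '/core/model/schema/build.modx.php/<script>alert(1)</script>',
];
// Trigger condition from the advisory: the manager class failed to load.
$msg = 'Could not load xPDOManager class.';

$vuln = echo_log_vulnerable($server, 'ERROR', $msg);
$safe = echo_log_hardened($server, 'ERROR', $msg);

echo 'vulnerable: ' . $vuln;
echo 'hardened:   ' . $safe;
echo 'raw markup in vulnerable output: ' . (contains_raw_markup($vuln) ? 'yes' : 'no') . "\n";
echo 'raw markup in hardened output:   ' . (contains_raw_markup($safe) ? 'yes' : 'no') . "\n";
```

Note that the hardened variant only fixes the sink shown in the trace; if the same log line is also written to a file or to a non-HTML target, escaping should be applied at the point where output is rendered for a browser rather than unconditionally, so that file logs remain readable.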