Research: PHP Object Injection in MODX Login Extra

As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in the MODX Login Extra project.

The MODX team responded immediately to my report and a fix was released within hours - very impressive!

They published details here:

https://community.modx.com/t/modx-login-extra-php-object-injection-vulne...

This was assessed as:

• Severity: Critical
• CVSS v4.0 Score: 9.4
• CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

The exploit requires authentication but no elevated privileges, so sites that allow registration without moderation are likely to be particularly vulnerable.

There was at least one Gadget Chain available in MODX when I did this research; I submitted a PR to fix this which was merged quickly, but at the time of writing the affected library has not made a new release that includes the fix.

• https://github.com/ambionics/phpggc/pull/201
• https://github.com/JamesHeinrich/phpThumb/pull/226

MITRE has assigned CVE-2024-55039 but at the time of writing the details are not yet published.