We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Answered 2.6.5-pl Site compromised via AdvSearch SQL injection

    • 46235
    • 15 Posts
    joshratcliffe Reply #1, 5 years, 8 months ago
    Hello,

    After rolling back a hacked website, upgrading to 2.6.5-pl, following the ModX hardening documentation the site I'm working on has been compromised.

    After checking through the access log for the server I've found a few SQL injections via the "/?search" parameter which led to a large payload attack a few minutes later.

    The only extension I have on the site related to the search is the AdvSearch module, I've not heard of any vulnerabilities with this module and it has been updated to the latest version.

    I'm going to roll the site back as the site as hacked 07/08 after a few days of brute force attacks.

    So my question is - Does anyone know of any vulnerabilities with the AdvSearch module or of a new SQL injection via a search in newer version of ModX?

    Thanks

    This question has been answered by joshratcliffe. See the first response.

    • Mark Hamstra Reply #2, 5 years, 8 months ago
      Quote from: joshratcliffe at Aug 08, 2018, 02:12 PM
      So my question is - Does anyone know of any vulnerabilities with the AdvSearch module or of a new SQL injection via a search in newer version of ModX?

      Not at this time. If you have evidence to the contrary please get in touch with the developer of the AdvSearch module and/or the MODX security team via [email protected].
        Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

        Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
        • 46235
        • 15 Posts
        joshratcliffe Reply #3, 5 years, 8 months ago
        Not at this time. If you have evidence to the contrary please get in touch with the developer of the AdvSearch module and/or the MODX security team via [email protected].

        Hi Mark thanks for the reply.

        I will get in touch with both and see what I find out and post back here. It might be a vulnerability on my server but whatever the cause/fix I'll update here.

        Thanks
          • 53161
          • 130 Posts
          Stefany Reply #4, 5 years, 8 months ago
          Keep us updated.
            Hire me as a MODx / UX Developer
            Read my Front-end / UX blog

          • discuss.answer
            • 46235
            • 15 Posts
            joshratcliffe Reply #5, 5 years, 8 months ago
            So after doing some investigation of the files it turns out I just did a poor job of removing the hacked files from the site when I took a backup.

            So I'm now searching through and removing files that had gotten onto my new server via the /assets/ folder.

            For anyone who is also suffering from the hack try looking for .php files in your assets folder and .ico files in index.php files all over the site.

            I will mention that even when compromised with hardening only publicly accessible sections of the site have been compromised, so I would highly recommend hardening your Modx sites after upgrading to to 2.6.5-pl.