FYI:

    A number of MODx users have contacted me in regards to the posting of a MODx vulnerability from bugtraq, that is now showing up in two prominent vulnerability databases as CVE-2007-5371 and BID 25983:

    http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5371
    http://www.securityfocus.com/bid/25983

    We were never contacted by the poster, and after extensive analysis on our side, this vulnerability has been found to be 100% inaccurate; in fact, I believe it to be deliberate FUD. No attack vectors have been posted; securityfocus.com actually describes the exploit as "Attackers can use a browser to exploit these issues", with no additional information. The original post describing the supposed exploit is just as informative:

    http://www.securityfocus.com/archive/1/481870/30/0/threaded

    I have posted replies to that thread (all of which have been moderated out) and contacted both securityfocus.com and mitre.org contesting the publishing of this wholly inaccurate report. All attempts (by me) to contact these groups, who have been very responsive in the past, have been ignored as far as I can tell. However, another MODx team member’s response was published on the bugtraq thread (see the response at http://www.securityfocus.com/archive/1/482096/30/0/threaded), and they did indicate that after further review, the exploit required administrative privileges, and that they would be retiring the BID as a result. But this is still inaccurate, as even when logged in, I can find absolutely no way to inject SQL via the specified variables. Considering that all MODx requests are scrubbed to minimize the potential for these attacks, and the file in question is not accessible directly, I firmly maintain that this is a totally bogus report posted by someone with ulterior motives (or an unfortunate lack of internet security knowledge).

    Unfortunately, 0-day security sites are going to report false vulnerabilities; that’s the nature of the beast. And all I can do for now is keep you informed and up-to-date on the reported issue, hopefully dispelling the FUD this report has generated in the process.
