New Community Forums are coming. Watch this space for news.
Subscribe: RSS
  • I’ve kind of inherited a site built with MODx 0.9.2.1 that is getting flagged by Safari’s new malware detector. When checking the source code, I noticed six iframes loading suspicious domains appearing after the /HTML tag.

    So, I checked the relevant template in the manager, and there’s nothing but a blank line there.

    Any ideas how this is occurring and how to stop it?? Any help would be greatly appreciated!
      Rafael
    • Most likely related to the recent security warning regarding a vulnerability in a file that was packaged with reflect. Look at this post for more info: http://modxcms.com/forums/index.php/topic,30850.0.html

      and here for the official notice: http://modxcms.com/forums/index.php/topic,30875.0.html

      I will go ahead and say since someone is bound to do it, you should also upgrade to a more recent release, there have been significant improvements from 0921 to 0962 rolleyes
        [font=Verdana]Shane Sponagle | [wiki] Snippet Call Anatomy | MODx Developer Blog | [nettuts] Working With a Content Management Framework: MODx

        Something is happening here, but you don't know what it is.
        Do you, Mr. Jones? - [bob dylan]
      • Quote from: dev_cw at Dec 12, 2008, 01:01 PM

        Most likely related to the recent security warning regarding a vulnerability in a file that was packaged with reflect.
        Thanks Shane -- unfortunately, it’s least likely, as the site isn’t using Reflect...

        Here’s my list of installed Snippets:

          AListApart - Drop down menu snippet
          cloak - Use this to cloak emails in template variables
          ContactForm - Simple, configurable XHTML-validating contact form for delivery to email accounts.
          DateTime - Outputs the current date and time to the page.
          dropdown - Create a select box of sub pages
          DropMenu - Robust and configurable XHTML-validating menu and site map builder. Output an unordered list.
          FlexSearchForm - Robust site search with like and partial matching.
          gallerydropdown - Select box for photo stories
          GetStats - Fetches the visitor statistics totals from the database
          MemberCheck - Selectively show chunks based on logged in Web User’ group memberships.
          menu - Old Static Menu
          NewsFeed - Enable RSS2 news feed from your website.
          NewsLetter
          NewsListing - Updated: Versatile news/article display system.
          NewsPublisher - Updated: Publish news articles directly from the web.
          PageTrail - Outputs the page trail, based on Bill Wilson’s script
          Personalize - Basic personalization for web users.
          PoweredBy - A little link to MODx
          UserComments - Updated: Add user comments to any document.
          WebChangePwd - Web User Change Password Snippet
          WebLogin - Updated: Web User Login Snippet
          WebSignup - Web User Signup Snippet

        Quote from: dev_cw at Dec 12, 2008, 01:01 PM

        ...you should also upgrade to a more recent release, there have been significant improvements from 0921 to 0962

        I definitely plan to upgrade, but I’m wondering if an upgrade will automagically fix the issue. It seems more prudent to remove any offending code or whatever is causing/allowing the issue before upgrading, but I simply haven’t a clue how this trick is being accomplished. Is it possible that the server (Yahoo hosting) is infected and ’flowing in’ these iframes when parsing the PHP somehow?

        One last thing -- as a tester, do you have any idea if there’s an ETA for 0.9.6.3?
        It would be big time-saver to just upgrade once if it’ll be released soon.


        [Edit: Attached relevant PHP config as an HTML file... you may need to remove the TXT extension to view properly]
          Rafael
        • The first thing you really need to change is this:
          register_globals On On

          Next I would look at your cache files to see if this code was added there. If so, then someone was probably able to hack your account using a cross-site scripting (XSS) attack, for which there have been several patches since 0.9.2.1. None of these attacks would’ve worked if register_globals had been off, however (whether you’d updated or not).

          Given that you’re going to have to do some radical cleaning to be sure that you got rid of any back doors that the hackers may have left, I think that this is probably a very good opportunity to upgrade MODx. I would change all of your passwords, rename the assets and manager folders to xassets and xmanager, upload the new version, and perform an upgrade installation. Then I’d try to restore all your image and other files from a clean local backup and delete the old directories and their contents (and only restore selected files if absolutely necessary from the old installation, since everything in there is suspect now).

          No need to wait for the next version of MODx; the current stable release is solid and light years ahead of what you have now.
            "Things are not what they appear to be; nor are they otherwise." - Buddha

            "Well, gee, Buddha - that wasn't very helpful..." - ZAP

            Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options
          • Quote from: NameCat.com at Dec 13, 2008, 06:10 AM

            Quote from: dev_cw at Dec 12, 2008, 01:01 PM

            Most likely related to the recent security warning regarding a vulnerability in a file that was packaged with reflect.
            Thanks Shane -- unfortunately, it’s least likely, as the site isn’t using Reflect...

            You wouldn’t need to be using it to be vulnerable, as long as the file is there somewhere. I think it’s reflect.inc.php. Deleting it from your installed snippets list wouldn’t delete the file.

            As Zap suggested, you’re only vulnerable is register_globals is on (and, if it’s on, that could open some other doors to miscreants).
              Did I help you? Buy me a beer
              Get my Book: MODX:The Official Guide
              MODX info for everyone: http://bobsguides.com/modx.html
              My MODX Extras
              Bob's Guides is now hosted at A2 MODX Hosting