A site that I manage for a client running on MODX 1.0.0 recently suffered a security break-in - by break-in, I mean someone loaded a file-uploader app (mil.php) and then started to use that to back-door all kinds of other activity - in this case to upload a spammer file and then start using my client’s site to send a ton of spam.
One of the things that caught my eye whilst plugging through the apache logs was a lot of entries looking like this (client identifying information redacted with X’s):
XXXXXXX_2010-07-01:75.146.230.90 - - [01/Jul/2010:08:49:09 -0400] "GET /manager/media/browser/mcpuk/connectors/php/connector.php?Command=Thumbnail&Type=images&CurrentFolder=/&FileName=mil.php&ExtraParams= HTTP/1.1" 200 1097 "http://XXXXXXXXXX/manager/media/browser/mcpuk/frmresourceslist.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; yie8)"
I haven’t had the chance to play with this too much, but it *looks* like they are using mcpuk to browse for a file (in this case, mil.php - our uploader friend) and then call it directly if it exists - and it looks like it’s getting an HTTP 200 code - which was true as the file did exist (until I whacked it).
So, I’m going to assume someone’s going to tell me to upgrade to 1.0.3 because it fixes a lot of things.
Beyond that, are there any security recommendations about permissions on one’s assets directory or configuring the RTE being used to lock it down sufficiently?
Has anyone else seen anything like this?
- Aaron
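As an added example (not part of Aaron's post or of MODX), a small Python detector that parses Apache combined-log lines like the one above and flags requests to the MCPUK connector whose FileName parameter names a script, plus any later direct request for that script. The sample log lines, the placeholder host and the list of script extensions are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format; the optional "logfile:" prefix is what grep adds when searching several logs.
LOG_RE = re.compile(
    r'^(?:\S+?:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Connector path as seen in the post; the set of script extensions is an assumption.
CONNECTOR_PATH = "/manager/media/browser/mcpuk/connectors/php/connector.php"
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml")


def parse_line(line):
    """Return a dict of fields for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def find_connector_abuse(lines):
    """Flag connector requests naming a script file, and later direct hits on that script."""
    hits = []
    probed = set()  # basenames seen in a connector FileName= parameter
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == CONNECTOR_PATH:
            fname = rec["query"].get("FileName", "")
            if fname.lower().endswith(SCRIPT_EXTS):
                probed.add(fname.rsplit("/", 1)[-1])
                hits.append(("connector", rec["ip"], rec["ts"], rec["query"].get("Command", ""), fname, rec["status"]))
        elif rec["path"].rsplit("/", 1)[-1] in probed:
            hits.append(("direct", rec["ip"], rec["ts"], rec["method"], rec["path"], rec["status"]))
    return hits


# Constructed sample lines modelled on the entry in the post (host and upload path are placeholders).
SAMPLE_LOG = [
    'access.log:75.146.230.90 - - [01/Jul/2010:08:49:09 -0400] "GET /manager/media/browser/mcpuk/connectors/php/connector.php?Command=Thumbnail&Type=images&CurrentFolder=/&FileName=mil.php&ExtraParams= HTTP/1.1" 200 1097 "http://example.invalid/manager/media/browser/mcpuk/frmresourceslist.html" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '75.146.230.90 - - [01/Jul/2010:08:49:12 -0400] "POST /assets/images/mil.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"',
    '203.0.113.5 - - [01/Jul/2010:08:50:00 -0400] "GET /manager/media/browser/mcpuk/connectors/php/connector.php?Command=Thumbnail&Type=images&CurrentFolder=/&FileName=logo.jpg&ExtraParams= HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Running `find_connector_abuse(SAMPLE_LOG)` returns the Thumbnail probe for mil.php and the direct POST to it, while the ordinary logo.jpg thumbnail request is ignored.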