    » http://www.clippercms.com/forum/viewtopic.php?pid=1647

    My inbox:

    1. ClipperCMS 1.3.0: Code Execution http://blog.curesec.com/article/blog/dotclear-281-Code-Execution-93.html - This issue has not been fixed by the vendor.
    2. ClipperCMS 1.3.0: Code Execution Exploit http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html
    3. ClipperCMS 1.3.0: CSRF http://blog.curesec.com/article/blog/ClipperCMS-130-CSRF-97.html - This issue has not been fixed by the vendor.
    4. ClipperCMS 1.3.0: Path Traversal http://blog.curesec.com/article/blog/ClipperCMS-130-Path-Traversal-98.html - This issue has not been fixed by the vendor.
    5. ClipperCMS 1.3.0: SQL Injection http://blog.curesec.com/article/blog/ClipperCMS-130-SQL-Injection-99.html - This issue has not been fixed by the vendor.
    6. ClipperCMS 1.3.0: XSS http://blog.curesec.com/article/blog/ClipperCMS-130-XSS-101.html - This issue has not been fixed by the vendor.


    This probably affects EVO as well!? [ed. note: mrhaw last edited this post 8 years, 4 months ago.]
      @hawproductions | http://mrhaw.com/

      Infograph: MODX Advanced Install in 7 steps:
      http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

      Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
      http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
      modxuser took it to github: https://github.com/modxcms/evolution/issues/449#issuecomment-156865359


      I posted this so it would get attention. I'm 99% migrated to Revolution and I have zero websites running ClipperCMS.
        As per my comment on the github thread, and KP's comments here http://www.clippercms.com/forum/viewtopic.php?id=331, if a user - malicious or otherwise - has an account, then they can quite obviously wreak havoc with or without these "vulnerabilities". They can write to the site, delete users, and in fact can do anything any other similar user can do. They don't need the presence or otherwise of this "issue" to do anything they want that such a manager user can do.

        I've only just had my attention brought to this thread, but it really isn't appreciated that misleading claims are being made about code in ClipperCMS. At the very least tell those of us involved of threads such as these so we get an effective right to reply.

        As per my comments on the Clipper forum at http://www.clippercms.com/forum/viewtopic.php?pid=1653#p1653, this is not the first time this has happened with both Clipper and MODx. There are people out there with little practical knowledge of either system who see an issue (which may be - to be fair - poor coding) and automatically see a vulnerability (which in context, it may not be).

        It gets tiring and unfairly time consuming to have to reply to these sorts of claims. There's even one "vulnerability" in the above list which amounts to saying that if a manager user switches off a security feature then the backend becomes insecure. Is that really surprising? Are the people promoting these issues genuine but ill-informed, or just maliciously trying to waste developers' time?

        FUD https://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt

        Rant over.

        -- Tim.


          I think it sucks that my post got censored on an open source forum. I contacted Curesec at the time to get a dialogue started.
          I am not part of ClipperCMS and won't bother you ever again.

          Edit: When the info got out and reached my and many thousand others' inboxes, it's considered a public disclosure. It seems as if Curesec was refused a dialogue by ClipperCMS, with a blame-the-user / blame-the-messenger mentality. [ed. note: mrhaw last edited this post 7 years, 4 months ago.]
            If at some point in time an authentication bypass or unauthenticated SQL injection vulnerability is discovered, the argument "it requires a manager user so it doesn't matter" suddenly loses a lot of its merit. Some things are an "acceptable risk" in the context of a manager, but SQL injections and code execution vulnerabilities are not acceptable anywhere in my eyes.

            With the vulnerabilities fixed in Revolution 2.5.2, we saw it took 3 or 4 different vulnerabilities combined in order to successfully attack a site. Independently these vulnerabilities weren't critical, but together they became a perfect storm.
              Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

              Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.
              Quote from: mrhaw at Nov 28, 2016, 05:25 PM
              I think it sucks that my post got censored on an open source forum.

              Your post got "censored", as you put it, for one reason only, and as stated on the Clipper forum. Rather than privately message the developers (this has happened on other occasions and in both directions i.e. from MODx to Clipper and from Clipper to MODx) you posted the 'vulnerability' publicly.

              Regardless of whether you think an issue is genuine, security issues should not be posted publicly for I hope obvious reasons.

              This was stated clearly before. Any posts describing possible vulnerabilities (and bearing in mind that often we don't know at the time whether they are real or not, so this applies to any such posts) may be removed or edited by admins on the Clipper forum. This also applies regardless of whether or not the issues are deemed by you, me, or anyone else, to be 'public', because should they be real no one with a Clipper site is likely to want their existence promoting.

              -- Tim.


              Edit: This is not the first time this has been said http://www.clippercms.com/forum/viewtopic.php?id=68
              "As with any software project, we'd also appreciate if such information came privately - as would people with sites running MODx/Clipper. That way we can release a fix before the hackers get to know about the issue!" [ed. note: TimGS last edited this post 7 years, 4 months ago.]
                Quote from: markh at Nov 29, 2016, 03:06 AM
                If at some point in time an authentication bypass, or unauthenticated SQL injection vulnerability is discovered...

                That misrepresents the situation's reality.

                -- Tim.
                  Quote from: mrhaw at Nov 28, 2016, 05:25 PM
                  It seems as Curesec was rejected a dialogue by ClipperCMS and blame user / messenger mentality.

                  If you mean that Clipper developers 'rejected' a dialogue, we haven't.

                  We considered the issues at the time and addressed the genuine issues. We were not offered any dialogue by Curesec to reject. I have more recently contacted them.

                  -- Tim.

                  Edit: They did send an email; sorry I'd forgotten about that. [ed. note: TimGS last edited this post 7 years, 3 months ago.]
                    Quote from: markh at Nov 29, 2016, 03:06 AM
                    If at some point in time an authentication bypass, or unauthenticated SQL injection vulnerability is discovered...

                    To elaborate (slightly), the (pre-Clipper) coding is indeed poor, but if you can exploit the issue, then you don't actually need to exploit the issue - there would be easier and much more obvious ways to achieve malicious ends. That is the point that has been made before and is being made again.

                    Some things are an "acceptable risk" in the context of a manager...

                    Depending on the context, I agree, and in this specific context, yes, although the point is really that there isn't an identified increased risk due to these specific issues. Fixing them would not reduce the risk at all, and as such it does not seem a good use of time.

                    I don't feel the need to say any more than that.

                    -- Tim.
                    [ed. note: TimGS last edited this post 7 years, 4 months ago.]
                      I haven't looked into the disclosures or the ClipperCMS code to assess their merit or risk, but when you and other ClipperCMS representatives post that "These sort of 'security disclosures' are quite irritating", calling them nothing but FUD, there's one thing you're not doing: instilling trust in other people that you are in fact on top of security and that issues have been fixed. That's when people take it upon themselves to share information, because the official channels haven't.

                      If the issues have been fixed, great, go spread that message instead of blaming it on FUD.

                      If they haven't been fixed because your assessment of the issues indicates the reports are invalid, then as a project maintainer that is of course your decision to make. I would like to encourage you to fix them anyway, as you can't be sure they won't be abused unless they're resolved. In my earlier post I tried to give an example of why, in my opinion, manager authentication is not sufficient protection against vulnerabilities. Those examples may not be applicable today, but you don't know what will happen tomorrow or the day after.