-
- 327 Posts
We’ve many ModX installations on our server, so even though we have register_global=off which meant there was never any danger, as a quick fix yesterday I ran the following command (from root), just to deny any access to the file (without deleting it for now, just until it was confirmed it is not needed).
find . -name "snippet.reflect.php" -exec chmod 0000 '{}' \;
We should now be able to remove them all with:
find . -name "snippet.reflect.php" -exec rm -f '{}' \;
Thought I’d pass it on in case it is useful to anyone.
Author:
ManagerManager plugin - customise your ModX manager interface
Rckt - web development, Sheffield, UK
-
- 107 Posts
Yes, it’s the same.
It’s trying to run it’s own PHP-code on your server. The file
http://www.tecfedericotaylor.edu.gt/gif/prc.gif contains PHP-code. (Try save as, and give it the extension txt instead of gif to see it.)
This particular script seems to only gather and show info about the server, others do a lot more harm, like installing backdoors, adding MODx pages, etc.
MODx snippet-glossary 101:
Ditto = Content Lister -- Wayfinder == Menu Builder -- Jot = Comment Control
-
- 107 Posts
That security warning is a bit weird. If you try to save the gif-file as a txt-file and look at the code. (And know a little bit PHP). You’ll see that the only thing it does is gather and show information.
Obviously it can be used for some bad stuff by including it in the reflect-snippet. But in itself I see no way that it could harm you, unless you put it up on your webserver and let other people access it...
MODx snippet-glossary 101:
Ditto = Content Lister -- Wayfinder == Menu Builder -- Jot = Comment Control
-
- 177 Posts
The logs for one of my sites show hundreds of requests for the reflect script starting on Sunday around 5pm MT and continuing regularly through this morning (39 hours). I have renamed the reflect file for now. Apache access log indicates codes 500, 200 and 404 for the attempts on the reflect file. The error log is filled with notices and warnings of undefined variables, properties of non-objects and failures to open streams. The 200 means OK and has me digging deeper into what has been happening. My website file counts and file sizes all appear to be in order so far after an initial inspection. More to come...
-
- 1,611 Posts
It’s always seemed like a bad idea to me to ship snippet code (which is only intended to be copied and pasted into the Manager) with a .php extension. I think that this practice should be discontinued entirely. If these files are shipped with .txt extensions then there’d be no need to study and resolve possible security implications of running them independently (a context in which they were never intended to be used).
This example also demonstrates the utter folly of trying to keep your server secure while leaving register_globals set to ON. If you do this, then you should expect to be hacked at some point, since defending against every possible XSS attack while running any complex application like MODx is extremely difficult. Just changing that one setting in your .htaccess or php.ini file will allow you to sleep much better at night and spend your time doing more productive or enjoyable things.
If you have register_globals set to OFF then you are not vulnerable to this attack or any similar XSS attack.
