08/02/17: Modx Revolution (CMS) PHPSESSID/User SQL Injection Information Disclosure | Security Bulletin

Threat Summary

Overview

There are two time-based blind SQL injection vulnerabilities in the Modx CMS. The first is exploitable through the session ID supplied by the user and requires no authentication. The second requires authentication and is exploited through the user parameter of a request to ‘/connector/security/message.php’. Either issue allows an attacker to retrieve information from the database, which could eventually lead to compromise of the server.

Exploitation

Stages

  1. Remote unauthenticated attacker sends a request to ‘/manager/index.php’ with a crafted PHPSESSID in the cookie header.
  2. The server sends the crafted PHPSESSID value to the MySQL database to be processed.
  3. The server returns the information the attacker requested, such as a password dump.

Prerequisites

None

Vulnerability Description

There are two time-based blind SQL injection vulnerabilities in the Modx CMS. The first is exploitable through the session ID supplied by the user. This issue can be exploited without authentication and is caused by a lack of validation in the file ‘modsessionhandler.class.php’.

The second SQL injection vector requires authentication and is exploited through the user parameter of a request to ‘/connector/security/message.php’. It is caused by a lack of input validation in the file ‘core/model/modx/processors/security/message/create.php’. This issue allows an attacker to retrieve information from the database, which could eventually lead to compromise of the server.
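A defender-side check for the two request shapes the bulletin describes, added here as an example (it is not Alert Logic's signature or MODX's own code): on the manager path it validates PHPSESSID against the alphabet PHP actually generates, and on message.php it flags SQL metacharacters in the user parameter. The request records are constructed inline; only the two paths come from the bulletin.

```python
import re
from typing import Dict, List

# PHP only ever emits session IDs from the alphabet [0-9a-zA-Z,-]
# (hex, base-32 or base-64-style depending on sid_bits_per_character),
# 22 to 256 characters long. Anything else did not come from PHP, so it
# is client tampering and should never reach a SQL query.
SESSION_ID_RE = re.compile(r"^[0-9a-zA-Z,-]{22,256}$")

# Generic SQL-metacharacter and time-based-injection markers for the
# 'user' parameter, whose legitimate values are MODX usernames.
SQLI_MARKERS_RE = re.compile(r"['\"`;]|--|/\*|\b(sleep|benchmark)\s*\(", re.I)

MANAGER_PATH = "/manager/index.php"                 # first vector (unauthenticated)
MESSAGE_PATH = "/connector/security/message.php"    # second vector (authenticated)


def parse_cookie(header: str) -> Dict[str, str]:
    """Split a raw Cookie header into a dict without rejecting odd bytes."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            out[name.strip()] = value.strip()
    return out


def inspect_request(path: str, cookie_header: str, params: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one request (empty list if clean)."""
    findings: List[str] = []
    sid = parse_cookie(cookie_header).get("PHPSESSID")
    if path == MANAGER_PATH and sid is not None and not SESSION_ID_RE.match(sid):
        findings.append(f"malformed PHPSESSID on {path}: {sid!r}")
    if path == MESSAGE_PATH and SQLI_MARKERS_RE.search(params.get("user", "")):
        findings.append(f"SQL metacharacters in user parameter on {path}: {params['user']!r}")
    return findings


def scan(records: List[Dict]) -> List[str]:
    """Run inspect_request over a batch of request records."""
    return [f for r in records
            for f in inspect_request(r["path"], r.get("cookie", ""), r.get("params", {}))]


# Constructed sample requests (not real traffic); the last in each pair should fire.
GOOD_SID = "PHPSESSID=q4k2m9b7d1e3f5g8h0j2l4n6"
SAMPLE_REQUESTS = [
    {"path": MANAGER_PATH, "cookie": GOOD_SID, "params": {}},
    {"path": MANAGER_PATH, "cookie": "PHPSESSID=abc' AND SLEEP(5)-- -", "params": {}},
    {"path": MESSAGE_PATH, "cookie": GOOD_SID, "params": {"user": "alice"}},
    {"path": MESSAGE_PATH, "cookie": GOOD_SID, "params": {"user": "alice' AND SLEEP(5)-- -"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```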

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit, which are detected via Alert Logic Threat Manager™. If the signature fires, an incident is generated in the Alert Logic console.

Recommendations for Mitigation

  • Update to a non-vulnerable version (> 2.1.77).
  • Check user permissions. Ensure that only you and trusted team members have administrator access to the site.