Author Topic: CVE-2007-5371 not a vulnerability, or how I learned to stop worrying & love FUD  (Read 11986 times)
OpenGeek
MODx Co-Founder
« on: Oct 14, 2007, 12:25 PM »

FYI:

A number of MODx users have contacted me in regard to the posting of a MODx vulnerability from bugtraq, that is now showing up in two prominent vulnerability databases as CVE-2007-5371 and BID 25983:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5371
http://www.securityfocus.com/bid/25983

We were never contacted by the poster, and after extensive analysis on our side, this vulnerability has been found to be 100% inaccurate; in fact, I believe it to be deliberate FUD.  No attack vectors have been posted; securityfocus.com actually describes the exploit as "Attackers can use a browser to exploit these issues", with no additional information.  The original post describing the supposed exploit is just as informative:

http://www.securityfocus.com/archive/1/481870/30/0/threaded

I have posted replies to that thread (all of which have been moderated out) and contacted both securityfocus.com and mitre.org contesting the publishing of this wholly inaccurate report.  All attempts (by me) to contact these groups, who have been very responsive in the past, have been ignored as far as I can tell.  However, another MODx team member's response was published on the bugtraq thread (see the response at http://www.securityfocus.com/archive/1/482096/30/0/threaded), and they did indicate that after further review, the exploit required administrative privileges, and that they would be retiring the BID as a result.  But this is still inaccurate, as even when logged in, I can find absolutely no way to inject SQL via the specified variables.  Considering that all MODx requests are scrubbed to minimize the potential for these attacks, and the file in question is not accessible directly, I firmly maintain that this is a totally bogus report posted by someone with ulterior motives (or an unfortunate lack of internet security knowledge).

Unfortunately, 0-day security sites are going to report false vulnerabilities; that's the nature of the beast.  And all I can do for now is keep you informed and up-to-date on the reported issue, hopefully dispelling the FUD this report has generated in the process.

Jason Coward
MODx Co-Founder
xPDO Founder
CTO @ Collabpad
work productively.
work intelligently.
work together.
Light is just a vibration of a note too. Everything is. You've got to keep that in mind.
  Frank Zappa