Security Notices - MODX Community https://community.modx.com/c/announcements/security-notices/26 Topics in the 'Security Notices' category This is a subcategory of Announcements for Security Notices. Older security notices can be found in the archived MODX Forums. Fri, 22 Nov 2024 21:57:00 +0000 MODX Login Extra PHP Object Injection Vulnerability Security Notices Overview
  • Project: Login Extra
  • CVE ID: CVE-2024-55039 (pending)
  • Affected Versions: 1.5.2 through 1.9.13
  • Fixed Version: 1.9.14
  • Release Date: 2024-11-22
  • Severity: Critical
  • CVSS v4.0 Score: 9.4
  • CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Details

Type

Remote Code Execution (RCE) via PHP Object Injection

Description

A critical vulnerability has been identified in the MODX Login Extra that allows arbitrary PHP code execution through PHP Object Injection. The vulnerability stems from unsafe deserialization of user-supplied data using PHP’s unserialize() function without proper sanitization.

Attack Vector

An authenticated user, regardless of their permission level, can exploit this vulnerability by submitting specially crafted data through the Login form. The vulnerability can be triggered when:

  1. The system processes user input through the Login form
  2. The malicious payload is passed to the unsafe unserialize() function
  3. The resulting PHP object injection leads to arbitrary code execution

Affected Systems

The vulnerability affects MODX Revolution installations that meet ALL of the following criteria:

  1. Have the Login Extra installed (versions 1.5.2 to 1.9.13)
  2. Have a web-accessible login form using the Login Extra
  3. Allow user authentication

Note: Systems with Registration forms using the Login Extra may be particularly vulnerable if user validation is not required.

Mitigation

Immediate Update Required: Upgrade Login Extra to version 1.9.14 or later using the MODX Extras Installer in your MODX Revolution Projects.

Technical Details

The vulnerability exists due to:

  • Unsafe usage of PHP’s unserialize() function
  • Lack of input validation before deserialization
  • Insufficient permission checking in the login process

Credits

Timeline

  • Discovery Date: 2024-11-22
  • Fix Development: 2024-11-22
  • Public Disclosure: 2024-11-22

References

Revision History

  • 2024-11-22: Initial advisory publication

2 posts - 1 participant

Read full topic

]]> https://community.modx.com/t/modx-login-extra-php-object-injection-vulnerability/8174 Fri, 22 Nov 2024 21:57:00 +0000 No Yes No community.modx.com-topic-8174 MODX Login Extra PHP Object Injection Vulnerability MODX setup/ Directory Site Exploit Security Notices Product: MODX Revolution
Severity: Critical
Versions: <=2.7.0
Vulnerability type(s): Site Exploit
Date Published: 2019-04-01

Issue
There is currently an active exploit of sites with an intact MODX Revolution setup/ directory. This can give anyone on the internet complete access to your site and possibly your server with trivial effort. This directory should never be left in place once a site is installed.

Check Your Site
You can check if your site is vulnerable by entering your site URL with a /setup/ added at the end, for example:
https://www.example.com/setup/

What to Do
If you see a MODX installation utility, you should log into your server via FTP or SSH immediately, and remove this directory. If your site is working as expected, your site may be safe, but please review the additional information below.

Why it Matters
Using the MODX installation script above, a malicious individual can re-install MODX and point to any database they wish including remote databases. Once a site is “re-installed” they can then use the Manager’s file manager to upload other back door files to your server. This can potentially lead to more severe issues such as having the entire server rootkitted, setting up spam mailers, or uploading crypto miners to take advantage of computing resources on your server.

If Your Site Has Been Compromised
If your site has been compromised or is not working correctly, and the setup folder per the above was in place, you must first re-connect your site to the correct database and server. Ask your web host or sysadmin to reset your database password and give you the new database credentials. Once you have those, update the MODX config file—by default located at core/config/config.inc.php—with the correct settings.

Keep Up with Updates
You should also upgrade your MODX version to the latest production release (currently 2.7.1) and upgrade all Extras if they are not current. Keeping up with updates is critical to maintaining a secure site, as it plays a key role in helping prevent sites from compromise.

Malware Scanning
Finally, you should run a malware scanner to make sure other exploits haven’t already been uploaded to your site as described above. We have a series of articles that walks you through recovering from a site compromise, which hopefully will help in this effort:

Need Help?
If your web host, developer or sysadmin is not able to help, you can open a commercial support ticket directly with MODX by visiting https://support.modx.com and clicking the blue “Submit a request” link in the header (please mention this post and provide your site URL). In order to assist we will need access to your server, most likely via your cPanel login.

1 post - 1 participant

Read full topic

]]> https://community.modx.com/t/modx-setup-directory-site-exploit/648 Wed, 24 Apr 2019 15:36:05 +0000 No No No community.modx.com-topic-648 MODX setup/ Directory Site Exploit About the Security Notices category Security Notices This is a subcategory of Announcements for Security Notices. Older security notices can be found in the archived MODX Forums.

1 post - 1 participant

Read full topic

]]> https://community.modx.com/t/about-the-security-notices-category/2264 Tue, 01 Jan 2013 05:00:00 +0000 No No No community.modx.com-topic-2264 About the Security Notices category