Security-fix 1.0.12 - 1.2 RC1

[Dmi3yy]

http://extras.evolution-cms.com/packages/core/security-fix.html fast solution for fix.

[Deesen]

Why not in core? Needs testing first?

[Dmi3yy]

Already in core Its fast fix for users. Who want's wait 1.2 releases

Отправлено с iPhone

11 нояб. 2016 г., в 12:44, Deesen notifications@github.com написал(а):

Why not in core? Needs testing first?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[Nicola1971]

is there a security issue? in 1.1?

[pbowyer]

Yep, and further back. This looks to be related to the hacking we've experienced the last week. Thanks @dmi3yy

[Deesen]

Ah ok I thought it was related to https://github.com/modxcms/evolution/pull/918 and yama´s comment in skype. Thanks for info & fix!

[Eoler]

Well, this is interesting - thanks for the contribution. Ain't bears really fancy this autumn...?

[nick0]

Thankyou @dmi3yy.

Please confirm... If updating from 1.0.15, is there a later full public (non beta) release (1.1??) with this fix built in? Or is this still in development? In which case I will just use the patch for now. Thanks.

[Dmi3yy]

Fix for version 1.0.12 - 1.2 rc1 1.1 have bug

Отправлено с iPhone

12 нояб. 2016 г., в 03:14, nick0 notifications@github.com написал(а):

Thankyou @dmi3yy.

Please confirm... If updating from 1.0.15, is there a later full public (non beta) release (1.1??) with this fix built in? Or is this still in development? In which can I will just use the patch for now. Thanks.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[Deesen]

And shouldn´t we add this info to security-feed in Dashboard? Last one mentioned is 1.0.13 from 2014.

[esszett]

@dmi3yy your comment

… 1.1 have bug

makes me nervous - may I ask you to give me a brief hint where these bugs are located? I'm currently finishing a project on 1.1 and would be happy to be prepared … just in case. I thank you!

[Dmi3yy]

https://github.com/extras-evolution/security-fix

Or in extrass.

Upload this files and all be fine

Отправлено с iPhone

14 нояб. 2016 г., в 00:38, esszett notifications@github.com написал(а):

@dmi3yy your comment

… 1.1 have bug makes me nervous - may I ask you to give me a brief hint where these bugs are located? I'm currently finishing a project on 1.1 and would be happy to be prepared … just in case. I thank you!

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[modxuser]

@ All

I have released a security post referencing this patch in the MODX forum, it can be found here

[Nicola1971]

@modxuser thanks a lot. Can you add some instructions to fix with extras modules? It's a faster and easy way to fix the issue and avoid a lot of "hacked site" posts on forum.

[Deesen]

@modxuser Thanks, your post already appears in the security feed. Just for interest: Does the feed display the forum-threads, or did MODX LLC update the feed acc. to your post? Do you know?

[modxuser]

@Deesen I'm not sure, but I didn't inform the LLC, so I presume once a post is made in the security section it is automatically displayed in the feed.

@Nicola1971 Sorry, but i'm not sure I understand - what extras modules ?

You could provide the text yourself and I can post it in the forum, if that helps

[Eoler]

I'm not sure, but I didn't inform the LLC, so I presume once a post is made in the security section it is automatically displayed in the feed.

So we can spam all MODX Evolution installations out there with a single forum post? Pure genius!

[modxuser]

@Eoler Simple answer = NO

[Eoler]

Simple answer = NO

Ok, good for them (and us).

[Nicola1971]

@modxuser

@Nicola1971 Sorry, but i'm not sure I understand - what extras modules ?

Evolution 1.1 users can install the security patch directly from the Manager, using the Extras Module (previously called "Store" module). You can find the patch in Extras > Core (categories) or just typing "fix" in the Extras module search form:

[modxuser]

Ah ok. But that only involves those who have that installed, for example, I don't LOL

I don't think we need to add that to the forum, it's now here and this page is linked to via the forum security post

[fourroses666]

Shouldn't it be Security patch for Evolution 1.0.x - 1.2RC1 ?

Can't harm to post an other fast way to close the leaks I think. Or just a line with; The security fix can also be downloaded by the Extra's Module.

[modxuser]

The forum post has been updated, referencing the "Extras" module and linked to @Nicola1971 post

[pixelchutes]

Does the recommended patch properly protect against partially escaped payloads?

REDACTED

I tested with the protect.inc.php from security-fix repo, but was still seeing exposure vs. when comparing to protect.inc.php from #918 ?

[Cipa]

I was just testing this and it seems like it's not

$values = array(
    '[[]]',
    '[\[\]\]',
    '[/[]/]',
    "\[\[\]\]\/",
    '\[\[test]]',
    '\[\[\test\]\]',
    '[\[Ditto?parents=`0`]\]'
);

array (size=7)
  0 => string 'sanitize_seed_6lei5gouwesck8kkk408cwk88[sanitize_seed_6lei5gouwesck8kkk408cwk88[sanitize_seed_6lei5gouwesck8kkk408cwk88sanitize_seed_6lei5gouwesck8kkk408cwk88]sanitize_seed_6lei5gouwesck8kkk408cwk88]sanitize_seed_6lei5gouwesck8kkk408cwk88' (length=238)
  1 => string '[\[\]\]' (length=7)
  2 => string '[/[]/]' (length=6)
  3 => string '\[\[\]\]\/' (length=10)
  4 => string '\[\[testsanitize_seed_6lei5gouwesck8kkk408cwk88]sanitize_seed_6lei5gouwesck8kkk408cwk88]sanitize_seed_6lei5gouwesck8kkk408cwk88' (length=127)
  5 => string '\[\[\test\]\]' (length=13)
  6 => string '[\[Ditto?parents=`0`]\]' (length=23)

[pixelchutes]

Thanks, @Cipa. Confirmed here, too. I can reproduce a few scenarios as well

REDACTED

[Cipa]

Anyone knows why [\[Ditto?parents=0]\] would be executed later on/detected as valid snippet? Are the \ removed?

[nick0]

Thanks for the further testing @pixelchutes and @Cipa. Does this mean there are more files needing updating for the patch?

[nick0]

I didn't know about the "Extras module". Nice Is this it here, called the Package Manager? http://extras.evolution-cms.com/packages/utilityi/packagemanager.html If so, I think the forum post needs updating because "Extras" module does not exist under that name

[pmfx]

No. Package Manager is this https://github.com/Jako/PackageManager and you can download "Extras" (or "Store") module here http://extras.evolution-cms.com/download.html

[nick0]

Ah gotcha. Thanks for confirming that. Got it

[Nicola1971]

@dmi3yy, I think we need to fix this name confusion in extras module:

• if the new name is "extras" ' the folder under assets/modules/ should be extras, not store.
• the title in module page should be the same

[Dmi3yy]

Ok

Отправлено с iPhone

16 нояб. 2016 г., в 01:25, Nicola notifications@github.com написал(а):

@dmi3yy, I think we need to fix this name confusion in extras module:

if the new name is "extras" ' the folder under assets/modules/ should be extras, not store. the title in module page should be the same — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[nick0]

Great idea. ps can you also please include install instructions with the "Extras" package - I am not sure what to put in the "Module code" area when creating the module in Evo. Thanks.

[tweezy-au]

I noticed that the eform snippet is included in the patch.

In my installation (Evo 1.0.14) the snippet is stored in the database (Manage Elements - Snippets - eForm), so should I replace that with the new contents of snippet.eform.php?

[nick0]

One of the developers could probably confirm this tweezy-au but what I did for eform was... via ftp: overwrite the existing eform files with those in the patch in Evo: change the number in the eform snippet description to 1.4.7

[pbowyer]

Good catch @pixelchutes and @Cipa.

Are these partially-escaped issues specific to eForm, or could an attacker craft input to Evo that exploits them? To put it another way: is eForm the security problem?

[signalfeuer]

I applied the hotfix yesterday at 17:36pm – today at 8:05am my modx website got hacked! :-( MODX Evolution 1.0.15

Edit: It seems that the project was hacked a few days before. There is a file "js-min.php" uploaded into "/assets/media" (09.11.2016) - could be the "door-opener"!?

[pbowyer]

@signalfeuer that is the door in. You will also have one of your plugins (stored in the database) commented out and code appended to it, which needs removing.

This query found it for me:

SELECT * FROM modx_site_plugins WHERE plugincode LIKE '%base64%'

[yama]

Thanks, @pixelchutes https://forums.modx.com/messages/ I sent a PM to you on the forum

[signalfeuer]

@pbowyer Thanks. The corrupt plugin was "TransAlias".

[pbowyer]

@signalfeuer It's a different plugin on every install :)

The code that's injected, once decoded looks like: https://gist.github.com/pbowyer/0cf7b45502cc9a0d2144cfe4ffd4afdd. It's pretty smart, and I haven't understood what it's doing with the SQL injection.

[Nicola1971]

same here: found 3 files in assets media:

• askimet.php
• cacheplugin.php
• js-min.php

and 2 files in root:

• amaps.xml
• maps.xml

and 1 file in assets

• wp-conns.php

The infected plugin was an old disabled plugin, with code commented and some base64 code added

[yama]

By executing the modx_sanitize_gpc function unconditionally, we can solve this vulnerability. However, we need to understand that eForm has two points of vulnerability. Although it is not talked about here, there is another one.

[yama]

It is also important to note that three snippets that can execute the php eval function within a snippet call are included in the package.

[pixelchutes]

The hot fix posted yesterday is not enough.

@pbowyer I don't have reason to believe it would be limited to eForm (hopefully I'm wrong), but it would seem any user input would also need to be globally sanitized for escaped MODX tags, especially if returning user input to the user (but definitely not limited to that.)

[modxuser]

What does the hack actually do ?

Other than files on the server, how do you know that you have been hacked via this hack ? Is there front-end code / spam / links etc.

[pbowyer]

@modxuser run the database query above to see if they've injected code into a plugin. The file uploaded (js-min.php for me) gives good access to the server, so that alone is compromise enough.

[Nicola1971]

try to share a post on google+ :D and you will see seems redirect urls to display content from another site

[Nicola1971]

example: this is a post on Google+ of one of my italian customers site Hacked:

of course, the chinese content is not coming from the customer's site :)

[modxuser]

Thanks for the info - yet again, this proves that back-ups are essential

Tested a few sites using 1.0.15 => 1.1, all OK - I have back-ups of all my sites anyway (offline), so just a short hinderance if they do get hacked.

Will this hopefully be fully sorted (as noted by @yama ) with the forthcoming 1.2 release ?