IPA/ISEC：Vulnerabilities：Security Alert for Vulnerability in MODx

Published: April 8, 2010
>> JAPANESE

1.Overview

MODx is an open source content management system software developed by the MODx CMS Project. MODx is vulnerable to SQL Injection due to improper data processing. If exploited, information held in the MODx database could be wrongly accessed by a malicious attacker, resulting in information being leaked, altered or deleted.

For detailed information, refer to the following URL:
http://modxcms.com/forums/index.php/topic,47759.msg280304.html#msg280304

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000012

The IPA first received a report concerning this vulnerability through the creditee below on November 17, 2008, and the JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, made adjustments to clarify the matter with the vendor and made the announcement public on April 8, 2010.
Credit: Takeshi Terada, Mitsui Bussan Secure Directions, Inc.

2.Impact

When a website created by MODx is targeted by SQL injection attacks, information held in the MODx database could be accessed by a malicious attacker, resulting in information being leaked, altered or deleted.

3.Solution

To fix this vulnerability, update the software to the fixed version provided by the product developer.

4.CVSS Severity

(1)Evaluation Result

(2) Base Score Metrics

■:Selected Values

5.CWE Type

This vulnerability has been CWE classified as "SQL Injection (CWE-89)".

Contact