Published: 2009/01/09  Last Updated: 2009/01/09

JVN#72630020
MODx vulnerable to SQL injection

Overview

MODx, an open source content management system, contains a SQL injection vulnerability.

Products Affected

  • MODx 0.9.6.2 and earlier

Description

MODx, an open source content management system, contains a SQL injection vulnerability in the MODx Control Panel.

Impact

A remote attacker could obtain administrative privileges of MODx.

Solution

Update the Software
Apply the latest update provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.01.09

Measures | Conditions | Severity
Access Required | Routed - can be attacked over the Internet using packets | High
Authentication | Privileged - a particular login or set thereof is required (root, bin, etc.) | Low
User Interaction Required | None - the vulnerability can be exploited without an honest user taking any action | High
Exploit Complexity | Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) | Medium-High

Credit

Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2008-5940
JVN iPedia: JVNDB-2009-000005

Update History