|
[Japanese]
|
JVNDB-2009-000004
|
MODx cross-site request forgery vulnerability
|
|
MODx, an open source contents management system, contains a cross-site request forgery vulnerability.
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
Base Metrics:
2.6 (Low)
[IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
MODx
- MODx 0.9.6.1p2 and earlier
|
|
A remote attacker may modify contents managed by MODx if the user views a malicious web page while logged in to MODx.
|
|
[Update the software and change the configuration]
Apply the latest update provided by the developer and change the configuration as follows.
* After logging into the MODx administrative page, change the Referer check configuration to [Yes], which is [No] by default.
[Workarounds]
Users can mitigate this vulnerability by applying the following workarounds.
* Do not click untrusted URL's while logged into MODx administrative page.
* Log out immediately once the administrative operation is completed.
For more information, refer to the information provided by the developer.
|
|
MODx
|
|
- JVN : JVN#66828183
- National Vulnerability Database (NVD) : CVE-2008-5941
- Common Vulnerabilities and Exposures (CVE) : CVE-2008-5941
- Common Weakness Enumeration (CWE) : Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
- JVN iPedia (Japanese) : JVNDB-2009-000004
|
|
[2009/01/09]
Web page published
|
|
| 2009/01/09 |
| 2009/01/09 |
| 2009/01/09 |
|
