On March 26, 2019 we launched new MODX Forums. Please join us at the new MODX Community Forums.
Subscribe: RSS
  • Some potential CSRF (Cross Site Request Forgery) vulnerabilities that require a valid manager session were identified in MODx and earlier versions and as a result, a new security feature to help protect your content managers from these types of attacks has been introduced with the release of

    CSRF Potential
    Details of the kinds of attacks these vulnerabilities make possible are available in the associated bug report: #MODX-206.

    HTTP_REFERER Solution
    To prevent a majority of these kinds of attacks, there is now a new option that can be manually enabled in the manager configuration entitled Validate HTTP_REFERER headers? (under Tools --> Configuration :: Site tab, at the very bottom). This new option activates a check to ensure requests are originating from the same domain as the site, and prevents access to critical manager actions by direct URL or linked from other locations. If you are concerned that your content managers may be easily tricked into clicking URLs on malicious sites that link back to their own MODx manager, taking unintended actions like deleting users or documents in the process, we highly recommend turning this feature on.

    Please note that this option may not work in some environments, so you’ll want to be prepared to disable this option if it prevents the manager from working at all. In case this occurs and you are unable to set the option off in the manager once you turn it on, you’ll need to have access to the database and be able to edit the assets/cache/siteCache.idx.php file. In the database, you’ll need to edit the row in the system_settings table with setting_name = ’validate_referer’ to have a value of ’0’ and edit that setting in siteCache.idx.php the same way, changing the line
    $c['validate_referer'] = "1";
    $c['validate_referer'] = "0";

    Also note this does not prevent all CSRF attacks, but will address a majority of the more common (and less sophisticated) types. Additional security enhancements are being developed to close these attack vectors completely.

    This discussion is closed to further replies. Keep calm and carry on.