Some potential CSRF (Cross Site Request Forgery) vulnerabilities that require a valid manager session were identified in MODx 0.9.6.1-p2 and earlier versions, and as a result a new security feature to help protect your content managers from these types of attacks has been introduced with the release of 0.9.6.2.
Details of the kinds of attacks these vulnerabilities make possible are available in the associated bug report: #MODX-206.
To prevent a majority of these kinds of attacks, there is now a new option that can be manually enabled in the manager configuration entitled "Validate HTTP_REFERER headers?" (under Tools --> Configuration :: Site tab, at the very bottom). This new option activates a check to ensure requests are originating from the same domain as the site, and prevents access to critical manager actions by direct URL or when linked from other locations. If you are concerned that your content managers may be easily tricked into clicking URLs on malicious sites that link back to their own MODx manager, taking unintended actions like deleting users or documents in the process, we highly recommend turning this feature on.
Please note that this option may not work in some environments, so you'll want to be prepared to disable this option if it prevents the manager from working at all. In case this occurs and you are unable to set the option off in the manager once you turn it on, you'll need to have access to the database and be able to edit the assets/cache/siteCache.idx.php file. In the database, you'll need to edit the row in the system_settings table with setting_name = 'validate_referer' to have a value of '0' and edit that setting in siteCache.idx.php the same way, changing the line
$c['validate_referer'] = "1";
to
$c['validate_referer'] = "0";
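As an added illustration of the kind of same-host Referer check this option turns on (example code written here, not MODx's own implementation; the function name isSameOriginReferer and the site URL are assumed), the following PHP shows the three outcomes a manager request can have, including why a stripped Referer header leaves the manager unusable:

```php
<?php
// Added example, not MODx code. Assumed names: isSameOriginReferer(), $siteUrl.

/**
 * Return true only when the Referer header names the same host as the site.
 * A missing header is treated as a failure: this is the case that locks
 * administrators out in environments where proxies or browser privacy
 * settings strip Referer, and why the option may need to be disabled.
 */
function isSameOriginReferer(array $server, string $siteUrl): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false; // no header at all: origin cannot be verified, deny
    }
    $refHost  = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    $siteHost = parse_url($siteUrl, PHP_URL_HOST);
    if (!is_string($refHost) || !is_string($siteHost)) {
        return false; // unparsable Referer or misconfigured site URL
    }
    // Exact, case-insensitive host match: a look-alike host such as
    // www.example.com.other.example.net does not match www.example.com.
    return strcasecmp($refHost, $siteHost) === 0;
}

// Constructed sample requests (not captured traffic) covering each outcome.
$siteUrl = 'http://www.example.com/';
$cases = [
    'same site'       => ['HTTP_REFERER' => 'http://www.example.com/manager/index.php?a=1'],
    'other site'      => ['HTTP_REFERER' => 'http://other.example.net/page.html'],
    'header stripped' => [],
];
foreach ($cases as $label => $server) {
    printf("%-16s %s\n", $label, isSameOriginReferer($server, $siteUrl) ? 'allow' : 'deny');
}
```

Only the first case is allowed; the "header stripped" case is the one to watch for when deciding whether your environment can run with the option enabled.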
Also note this does not prevent all CSRF attacks, but will address a majority of the more common (and less sophisticated) types. Additional security enhancements are being developed to close these attack vectors completely.