-
- 41 Posts
Thanks for the link for Evo. Assuming Revo is OK since nothing is in the security forums about it.
Disagree, this isn't a bug report but a widely reported public issue (over 2 days now).
-
- 1,145 Posts
Quote from: iusemodx: "this kind of thing can cause widespread panic and misunderstanding"
Where? To whom?
TinymceWrapper: Complete back/frontend content solution.
Harden your MODX site by passwording your three main folders: core, manager, connectors, and renaming your assets (thank me later!)
5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
There's a 2.5.4 update for Revolution that includes the various PHPMailer security fixes that came out over the past two weeks. I've personally not been able to exploit the vulnerabilities in PHPMailer in my own testing, but I'm not a security expert/experienced hacker, so update to be on the safe side.
At any rate, the PHPMailer vulnerabilities were only triggered by sending an email (e.g. from a contact form or something like that) where the visitor would fill in the Sender email, i.e. in situations where an email is spoofed to be from another address so the site owner can easily reply to it. That Sender email wasn't properly sanitised, causing the RCE vulnerability.
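To make the "Sender wasn't properly sanitised" point concrete, here is an added example (not code from this thread, MODX, FormIt or PHPMailer) showing how a visitor-supplied Sender address becomes extra command-line arguments for the mail binary, and the allowlist-plus-escapeshellarg shape the fix takes. It assumes the mailer is started through the shell with the Sender appended as a `-f<address>` argument, the way PHP's `mail()` passes its `$additional_params` after `escapeshellcmd()`; `/usr/bin/printf` stands in for sendmail so the argv the binary would receive can be observed without sending anything. `looksLikeEmail()`, `mailerArgvVulnerable()`, `mailerArgvHardened()` and the two sample addresses are constructed for the example.

```php
<?php
// Added example for this thread; not MODX, FormIt or PHPMailer code.
// Assumption: the mailer is launched through the shell with "-f<sender>"
// appended, as PHP's mail() does with $additional_params. printf stands in
// for sendmail so we can see the argv the binary would get.

// Simplified stand-in for an RFC 5322-style validator: like the real checks
// that were bypassed, it accepts quoted local parts such as "a b"@example.com.
// Constructed for this example; not the regex of any real library.
function looksLikeEmail(string $address): bool
{
    return (bool) preg_match('/^(?:"(?:[^"\\\\]|\\\\.)*"|[^\s"@\\\\]+)@[A-Za-z0-9.-]+$/', $address);
}

function mailerArgvVulnerable(string $sender): string
{
    if (!looksLikeEmail($sender)) {
        return "rejected\n";
    }
    // escapeshellcmd() neutralises shell metacharacters but leaves spaces
    // alone and leaves *paired* double quotes unescaped, so a quoted local
    // part can close the quote early and smuggle extra arguments.
    $params = escapeshellcmd('-f' . $sender);
    return (string) shell_exec("printf '[%s]\\n' " . $params);
}

function mailerArgvHardened(string $sender): string
{
    if (!looksLikeEmail($sender)) {
        return "rejected\n";
    }
    // A contact form never needs quoted local parts: allow only characters
    // that are harmless on a command line, then quote the whole value as one
    // argument. Better still, avoid the shell entirely (proc_open() with an
    // array command on PHP >= 7.4, or deliver over SMTP instead of sendmail).
    if (!preg_match('/^[A-Za-z0-9@_.+-]+$/', $sender)) {
        return "rejected: unsafe characters in sender\n";
    }
    $params = escapeshellarg('-f' . $sender);
    return (string) shell_exec("printf '[%s]\\n' " . $params);
}

// Constructed inputs: a normal address and a quoted-local-part payload that
// closes the quote early. -X is sendmail's traffic-log option, i.e. an
// attacker-chosen file path that sendmail would write to.
$normal  = 'user@example.com';
$payload = '"a\" -oQ/tmp/ -X/tmp/attacker.log b"@example.com';

echo "vulnerable, normal:\n",  mailerArgvVulnerable($normal);   // one argument
echo "vulnerable, payload:\n", mailerArgvVulnerable($payload);  // four arguments
echo "hardened, normal:\n",    mailerArgvHardened($normal);     // one argument
echo "hardened, payload:\n",   mailerArgvHardened($payload);    // rejected
```

With the payload, `escapeshellcmd()` produces `-f"a\\" -oQ/tmp/ -X/tmp/attacker.log b\"@example.com`: the first two quotes are a pair and stay unescaped, only the third is escaped, so the shell splits it into `-fa\`, `-oQ/tmp/`, `-X/tmp/attacker.log` and `b"@example.com`. The hardened version never reaches the shell with that input, and even for the normal address hands over a single quoted argument.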
-
- 24,544 Posts
AFAIK, MODX sanitizes all post data on every request, so it's possible that the vulnerability doesn't affect MODX.
-
- 64 Posts
So, can you confirm that this phpmailer vulnerability was no problem in MODX in combination with formit as formit sanitizes all data before processing?
-
- 24,544 Posts
No, like Mark, I'm not really qualified to guarantee that the code is not hackable. I would upgrade to the current version.