  • Environment: MODX 2.5.8
    MySQL 5.0.95 on a separate server accessed remotely, no known issues
    New web server (THE DESTINATION):
    PHP 7.1.7, no known issues
    Windows Server 2016, IIS 8.5
    Old server (THE SOURCE):
    CentOS 6; PHP 5.3; MODX 2.5.1.

    BUT, I am currently focused on an installation on the DESTINATION, done as a fresh install of 2.5.8.

    1. What to put in web.config for "friendly URLs"? I got something out of IIS's URL rewrite and Import.
    2. What is the right mitigation for the configuration check? If it matters, the site is running under an Active Directory domain user and has its own application pool with this user set on it.

    1. Your site is vulnerable to hackers who could do a lot of damage to the site. Please make your config file read only! It is located at D:\<site directory>\www/core/config/config.inc.php

    MITIGATION: Added "Deny" on Write to core/config/config.inc.php. Windows would not let me deny Modify without also including Read & Execute and List.
    This satisfied the MODX check.

    Installer still present but led to this:
    1b: Core folder is accessible by web
    MODX detected that your core folder is (partially) accessible to the public. This is not recommended and a security risk. If your MODX installation is running on a Apache webserver you should at least set up the .htaccess file inside the core folder D:\<site directory>\www/core/. This can be easily done by renaming the existing ht.access example file there to .htaccess.
    MITIGATION: Want to get a 403 error for this: https://<site directory>/core/docs/changelog.txt
    MITIGATION: I tried to deny read access to core via Deny Read permissions. That stopped the entire manager from working, so I removed it.
    MITIGATION: I still have to drill through the hardening guide, but am having difficulty understanding it.

    If you set up everything correctly, browsing e.g. to the Changelog should give you a 403 (permission denied) or better a 404 (not found). If you can see the changelog there in the browser, something is still wrong and you need to reconfigure or call an expert to solve this.
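As an added example (not from this thread or from the MODX project), here is a web.config for the site root that covers both questions on IIS: it blocks web access to the core folder and rewrites friendly URLs to index.php. It assumes the web root is the www folder from the paths above with core inside it, that the IIS URL Rewrite module is installed, and that the friendly_urls system setting is enabled in MODX (q is MODX's default request parameter alias).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Option A: Request Filtering hides any URL segment named "core" and returns 404.
         Works without URL Rewrite. Caveat: it matches the segment anywhere in the path,
         so a folder such as /assets/core/ would be hidden as well. -->
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="core" />
        </hiddenSegments>
      </requestFiltering>
    </security>
    <rewrite>
      <rules>
        <!-- Option B: explicit 403 for anything under /core/ at the web root only.
             Listed first so it wins before the friendly-URL rule runs. -->
        <rule name="Deny MODX core folder" stopProcessing="true">
          <match url="^core/" ignoreCase="true" />
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Access to the MODX core folder is denied." />
        </rule>
        <!-- Friendly URLs: anything that is not an existing file or directory
             (so /manager/, /connectors/ and /assets/ keep working) is routed to
             index.php with the requested path in the q parameter. -->
        <rule name="MODX friendly URLs" stopProcessing="true">
          <match url="^(.*)$" ignoreCase="false" />
          <conditions>
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="index.php?q={R:1}" appendQueryString="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Either option on its own is enough to satisfy the core-folder check; after applying it, request /core/docs/changelog.txt in a browser and confirm you get a 404 (option A) or 403 (option B) rather than the file contents.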