-
- 141 Posts
Hmmm!!! Probably not the best thing to be posting here. Still, I took a look at the exploit script. From what I can tell it would not affect sites which use an advanced install and rename certain directories. Is this correct?
Glyn Szasz
Sydney, Australia
Happy to help (when can) and happy to learn
If you are a Sydney based MODX developer would love to hear from you. Please contact me.
-
- 1,145 Posts
Yes. Very simple way to avoid certain hazardous exploits.
Please people, rename these folders ASAP
ASSETS
CONNECTORS
MANAGER
Password-protect CONNECTORS AND MANAGER AND CORE
And remove CORE from web access
[ed. note: donshakespeare last edited this post 5 years, 9 months ago.]
TinymceWrapper: Complete back/frontend content solution.
Harden your MODX site by
passwording your three main folders:
core, manager, connectors and renaming your
assets (thank me later!)
5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
Yes, that exploits what was fixed in MODX 2.6.5 and Gallery 1.7.1. The exploit has been making the rounds and is actively being used, so updating now is critical if you haven't.
Renaming/locking down the folders is an optional hardening procedure that can buy you a little time against the automated attacks going around, but should NOT be seen as adequate security against these vulnerabilities. Only upgrading keeps you safe.
Quote from: glynszasz at Jul 24, 2018, 04:36 AM
Hmmm!!! Probably not the best thing to be posting here. Still, I took a look at the exploit script. From what I can tell it would not affect sites which use an advanced install and rename certain directories. Is this correct?
If you use Gallery, that will be in the same location 99.9% of the time, even in an advanced installation where core/connectors/manager are all renamed. Renaming the connectors directory buys you some time from that PoC and naive exploits, but if you get targeted it's NOT going to keep you safe. Always upgrade.
-
- 1,145 Posts
Here is what a MODX Expert has reported. He runs a huge enterprise at
https://modx.pro/
@bezumkin
Not one of my sites was hacked because of this simple Nginx rule:
Works for years...
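# Case-insensitive match on the three MODX directories
location ~* ^/(manager|core|connectors)/ {
    # Require HTTP basic auth for everything under them
    auth_basic "Restricted Access";
    auth_basic_user_file /home/yourlogin/.htpasswd;
    try_files $uri $uri/ @rewrite;
    # Nested PHP handler, so scripts in these directories are also behind the auth
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass backend-yourlogin;
    }
}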
He has passworded those three folders. As for Gallery Extra ... another story.
And if you use Apache, use its own method.
-
- 141 Posts
@donshakespeare
How would you apply this Nginx solution to an Apache server? Is it just a matter of editing .htaccess? If so, what should be written?
Glyn Szasz
-
- 1,145 Posts
If you are using cPanel or some other server manager, there should be a visual way for you to do that.
OR
Apache config file? for multiple folders
See
https://serverfault.com/questions/476443/apache-authentication-for-multiple-directories
Or use .htaccess per directory
http://www.htaccesstools.com/articles/password-protection/
Note, this will not help against faulty Extras in the Assets folder. Just update those ones or delete them.
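An Apache 2.4 counterpart to the Nginx rule quoted earlier in the thread, as an added example that is not part of any poster's own configuration. The document root /var/www/example is a placeholder, the password file path is reused from the Nginx rule, and the directory names assume a standard (non-renamed) install.

```apache
# Added example (Apache 2.4), not from the thread. Assumed values:
#   /var/www/example           document root (placeholder, adjust to your site)
#   /home/yourlogin/.htpasswd  password file, same path as in the Nginx rule,
#                              kept outside the document root; create it with:
#                              htpasswd -c /home/yourlogin/.htpasswd yourlogin
#
# Option 1: server or virtual-host config, one block for all three directories.
# The (/|$) suffix makes the pattern cover the directories and everything
# below them, without also matching names such as "manager-old".
<DirectoryMatch "^/var/www/example/(manager|core|connectors)(/|$)">
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile "/home/yourlogin/.htpasswd"
    Require valid-user
</DirectoryMatch>

# Option 2: no access to the server config. Put these four lines in a
# .htaccess file inside each of manager/, core/ and connectors/.
# They only take effect if the host permits "AllowOverride AuthConfig".
#
#   AuthType Basic
#   AuthName "Restricted Access"
#   AuthUserFile "/home/yourlogin/.htpasswd"
#   Require valid-user
```

If the directories have been renamed, the pattern and the .htaccess locations must use the new names. As noted in the thread, this does not cover Extras under the assets directory.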