
Answered Modx Exploit

    • 3749
    • 24,544 Posts
    @Himurovich How does that affect snippets and plugins that have to read from and write to those directories?
      Did I help you? Buy me a beer
      Get my Book: MODX:The Official Guide
      MODX info for everyone: http://bobsguides.com/modx.html
      My MODX Extras
      Bob's Guides is now hosted at A2 MODX Hosting
      • 44064
      • 185 Posts
      Quote from: BobRay at Aug 10, 2018, 02:22 AM
      @Himurovich How does that affect snippets and plugins that have to read from and write to those directories?
      Hi Bob,
      I'm afraid that I may have misunderstood your question; if so, please specify. But answering this: well, in no way, as this is only protection from the "outside".
      Of course it's not a silver bullet, as Mark said above, just additional complexity for bad guys/bots, I believe.
        Anton Tarasov
        MODX Developer

        Email: [email protected]
        Web: antontarasov.com
        • 42562
        • 1,145 Posts
        Pardon my imperfect lingo.
        The snippets and plugins would have the same rights as the MODX PHP, and all run normally once a web access session has begun by successfully logging in.

        Now, if you are not there, that is, not logged in, all scripts would fail, and that's what we want, because it is either a hacker or a badly written frontend Extra overreaching and poke-nosing in the mgr sections.

        This is my own experience in a fully working site.
          TinymceWrapper: Complete back/frontend content solution.
          Harden your MODX site by passwording your three main folders: core, manager, connectors and renaming your assets (thank me later!)
          5 ways to sniff / hack your own sites; even with renamed/hidden folders, burst them all up, to see how secure you are not.
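The directory-level password protection this thread is weighing (HTTP Basic Auth on manager/ and connectors/, no web access at all to core/), written out as an added example; it is not code from the thread or from the linked guide. It assumes Apache 2.4 with .htaccess overrides enabled; the site root, the htpasswd path and the modxadmin user are made-up values. The $apr1$ hash that `htpasswd -m` produces is reimplemented so the example runs offline.

```python
"""Generate Basic Auth hardening for a MODX site (added example, not project code).

Assumptions (not from the thread): Apache 2.4, AllowOverride permits the
directives below, and the .htpasswd file lives outside the web root.
"""
import os
import secrets

import hashlib

# crypt(3)-style alphabet used for both the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of md5-crypt (the `htpasswd -m` default).

    Same construction as FreeBSD md5-crypt with the magic string "$apr1$".
    """
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the crypt alphabet")
    pw, sb, magic = password.encode(), salt.encode(), b"$apr1$"

    alt = hashlib.md5(pw + sb + pw).digest()          # MD5(pw + salt + pw)
    ctx = hashlib.md5(pw + magic + sb)
    remaining = len(pw)                                # as many bytes of alt as pw is long
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)                                        # reference impl's bit-walk step
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                              # stretching rounds
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(sb)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()

    def to64(v: int, n: int) -> str:                   # crypt's little-endian base64
        out = ""
        for _ in range(n):
            out += ITOA64[v & 0x3F]
            v >>= 6
        return out

    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """One .htpasswd entry; a random 8-char salt is drawn when none is given."""
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


def htaccess_basic_auth(htpasswd_path: str, realm: str = "MODX manager") -> str:
    """Apache 2.4 directives that challenge every request under the folder."""
    return (f'AuthType Basic\nAuthName "{realm}"\n'
            f"AuthUserFile {htpasswd_path}\nRequire valid-user\n")


# core/ is read by PHP from disk; it never needs to be served over HTTP.
HTACCESS_DENY_ALL = "Require all denied\n"


def hardening_files(site_root: str, htpasswd_path: str, user: str,
                    password: str, salt: str = "") -> dict:
    """Map of absolute path -> file body for the three folders plus .htpasswd."""
    files = {htpasswd_path: htpasswd_line(user, password, salt) + "\n"}
    rules = {"core": HTACCESS_DENY_ALL,
             "manager": htaccess_basic_auth(htpasswd_path),
             "connectors": htaccess_basic_auth(htpasswd_path)}
    for folder, body in rules.items():
        files[os.path.join(site_root, folder, ".htaccess")] = body
    return files


def write_hardening(site_root: str, htpasswd_path: str, user: str, password: str) -> list:
    """Write the files from hardening_files(); returns the paths written."""
    written = []
    for path, body in hardening_files(site_root, htpasswd_path, user, password).items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        if path == htpasswd_path:
            os.chmod(path, 0o640)                      # readable by the web server only
        written.append(path)
    return written


if __name__ == "__main__":
    for path, body in hardening_files("/var/www/example", "/etc/modx/.htpasswd",
                                      "modxadmin", "s3cret", "abcdefgh").items():
        print(f"--- {path}\n{body}")
```

Compare one generated entry against `htpasswd -nbm modxadmin s3cret` on the target box before trusting it; where Apache 2.4's htpasswd is available, `htpasswd -B` (bcrypt) is the stronger choice. Note the caveat from the post above: with connectors/ behind a realm, any public-site Extra that calls a connector gets a 401 unless the visitor's browser already holds the realm's credentials, which is exactly the behaviour the poster wants for unauthenticated visitors.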
          • 3749
          • 24,544 Posts
          I was thinking about the current version of UpgradeMODX, which writes a script to the root, then launches it. The script runs outside of MODX.
            • 42562
            • 1,145 Posts
            I remember making a promise to test that ... will get to it ASAP.
            It would be a bummer if there were any hiccups.

            But I imagined that since the user would be running it from within MODX (that is, after having logged in), a session would be supplied to the browser to allow access to those protected folders.
            I am assuming that the session being browser-wide would accommodate any script working within or without MODX.

            Unless "The script runs outside of MODX." completely eludes me.
              • 3749
              • 24,544 Posts
              It's a new request and everyone is logged out, so if the session is tied to a user, it's probably gone, but if it's still alive in the browser, things should be good. There's also a separate launch of setup using JS replace().

              FYI, you can set back the settings_version System Setting to an earlier version (doesn't have to exist) and "Upgrade" to your current version.
                • 36582
                • 463 Posts
                Just wondering if anyone has had the chance to test this yet? I just haven't been able to find the time myself, but would be interested to know.
                  Web site design in Nottingham UK by Chris Fickling http://www.chrisficklingdesign.co.uk