    Hi everyone,

    If you are currently using MACHFORM within the MODX manager, with the index.php file modification, please be advised
    that your form manager is not secured at all.

    It never occurred to me previously that this hacked method, which bypasses the login system of your form,
    basically renders your form vulnerable to outside access as long as someone can stumble across the correct file name to access the manager.
    For example, I have been able to access the form manager directly by simply typing http://www.mysite.com/machform/manage_form.php
    & immediately having complete access to the manager without going through my Modx manager.

    I tried the address at different computers, different locations & the results were the same, complete access to the manager,
    basically because of the hacked index.php

    I have had Machform running for a couple of months now within the MODx manager, without any problems so far.
    But recently whilst browsing the site, I discovered that I could just log directly into the form manager without "Username" or
    "Password" via direct URL pointing to the manage_form.php as the old method of getting it to run within the manager was
    basically a crude hack of the index.php file which forced the use of the formbuilder within Modx via manage_form.php

    What does this mean..???
    It means that anyone, who logs onto your site and fills out for example your contact form & receives a copy of their message
    could easily copy the URL & make some changes with the link from view.php to manage_form.php & would be able to use your form
    manager or could erase or do worse to your forms manager.....!!!!!!!!!!! Or a hacker browsing your directory could also stumble
    across your files & make use of that, or even worse situations may arise from this weakness.....!!!!!!!!!!!!!!!!!!!

    That is not such a good idea.
    So I WILL advise anyone to follow the excellent example of Susan Ottwell’s Dadamail integration with Modx to get their MACHFORM
    running from within the manager.

    In under 10 minutes I had all my MachForms running within the manager. Having to log in to the form manager adds some
    measure of security for me.

    Copy exactly the same procedure as Susan did & change all links & references to suit your MACHFORM integration.
    Here is the link to Susan’s tutorial. Follow exactly the same example & just change all URL links & your MACHFORM
    should be up & running in no time at all.

    The link to Susan Ottwell’s example is here: http://modxcms.com/forums/index.php?topic=20654.0

    Thanks.

    Webman
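
A way to check a web server access log for the direct access described in the post above, as an added example that is not part of the original post. It assumes the combined log format, MachForm installed under /machform/ and the MODX manager under /manager/; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the post): combined log format, MachForm under
# /machform/, MODX manager under /manager/.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')
ADMIN_SCRIPT = "/machform/manage_form.php"  # file named in the post
PUBLIC_FORM = "/machform/view.php"          # public form page named in the post
MANAGER_PREFIX = "/manager/"                # assumed MODX manager path

def came_from_admin_area(referer, site_host):
    """True if the Referer is an on-site manager or form-manager page."""
    try:
        url = urlsplit(referer)
    except ValueError:
        return False  # malformed Referer header
    if (url.hostname or "") != site_host.lower():
        return False  # empty, "-" or off-site referer
    path = url.path.lower()
    return path.startswith(MANAGER_PREFIX) or (
        path.startswith("/machform/") and path != PUBLIC_FORM)

def direct_admin_hits(lines, site_host):
    """Return (ip, timestamp) of 2xx requests for the form manager that did
    not arrive from the MODX manager or from inside the form manager."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0].lower()
        # Only a 2xx answer means the manager page was actually served.
        if path == ADMIN_SCRIPT and m["status"].startswith("2"):
            if not came_from_admin_area(m["referer"], site_host):
                hits.append((m["ip"], m["ts"]))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2009:10:01:22 +0000] "GET /machform/view.php?id=1 HTTP/1.1" 200 5120 "http://www.mysite.com/contact.html" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2009:10:03:40 +0000] "GET /machform/manage_form.php HTTP/1.1" 200 8342 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2009:11:15:02 +0000] "GET /machform/manage_form.php HTTP/1.1" 200 8342 "http://www.mysite.com/manager/index.php" "Mozilla/5.0"',
    '192.0.2.55 - - [12/Mar/2009:12:30:11 +0000] "GET /machform/manage_form.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts in direct_admin_hits(SAMPLE, "www.mysite.com"):
        print(f"direct access to form manager: {ip} at {ts}")
```

The Referer header is supplied by the client, so this is a heuristic for reviewing past traffic: an empty result does not prove the manager was never reached, and the file itself still needs a login in front of it.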