On Wednesday August 29, a hacker exploited a Local File Inclusion (LFI) vector in an older release of MODX Revolution we had running on one of our servers. This issue had already been fixed as part of the MODX Revolution 2.2.4 release. We locked down the site while we investigated the compromise.
Yes, one of the MODX web properties was not up to date and this was really not smart. We got burned, and this is our mea culpa. We have upgraded our websites to 2.2.4, changed all passwords related to our internal infrastructure, and set new policies going forward.
Your Passwords are Safe
No passwords or hashed passwords were disclosed. By design, MODX does not store passwords on the affected websites (see Update 2 below); authentication goes through a custom SSO application hosted on an external, secure server. Passwords are hashed and salted multiple times, with unique salts per user. Although no passwords were disclosed, you may still want to change any password you reuse across multiple websites.
We’re Sorry
We sincerely and profusely apologize for any inconvenience our lapse in diligence caused. We promise to do our utmost to be proactive going forward, taking every step we can to ensure we do not repeat this in the future.
Please Upgrade Your Sites
Security requires constantly staying on top of your websites; it’s an ongoing process, not a destination. As with any software, it’s important to keep up to date when new updates come out. Upgrade your sites to the latest MODX versions when they’re released—no excuses.
Update 1: We clarified wording to accurately reflect that the actual passwords/hashed passwords were not disclosed.
Update 2: Further clarification that the user table field shared publicly by the culprit does not contain any passwords (we repurposed the field). It does contain:
- Salts not used by our SSO
- "cachepwd" (also not used by our SSO) which expires within minutes of creation.
[ed. note: smashingred last edited this post 12 years, 7 months ago.]