We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
  • On Wednesday August 29, a hacker exploited a Local File Inclusion (LFI) vector in an older release of MODX Revolution we had running on one of our servers. This issue had already been fixed as part of the MODX Revolution 2.2.4 release. We locked down the site while we investigated the compromise.

    Yes, one of the MODX web properties was not up to date and this was really not smart. We got burned, and this is our mea culpa. We have upgraded our websites to 2.2.4, changed all passwords related to our internal infrastructure, and set new policies going forward.

    Your Passwords are Safe

    No passwords or hashed passwords were disclosed. MODX does not store passwords on the affected websites by design (see Update 2 below), using a custom SSO application hosted on an external, secure server. Passwords are hashed and salted multiple times, with unique salts per user. Despite no access to passwords being disclosed, you may consider changing any non-unique passwords used across multiple websites.

    We’re Sorry

    We sincerely and profusely apologize for any inconvenience our lapse in diligence caused. We promise to do our utmost to be proactive going forward, taking every step we can to ensure we do not repeat this in the future.

    Please Upgrade Your Sites

    Security requires constantly staying on top of your websites; it’s an ongoing process and not a destination. As with any software, it’s important to to keep up to date when new updates come out. Upgrade your sites to the latest MODX versions when they’re released—no excuses.

    Update 1: We clarified wording to accurately reflect that the actual passwords/hashed passwords were not disclosed.

    Update 2: Further clarification that the user table field shared publicly by the culprit does not contain any passwords (we repurposed the field). It does contain:

    • Salts not used by our SSO
    • "cachepwd" (also not used by our SSO) which expires within minutes of creation.
    [ed. note: smashingred last edited this post 11 years, 9 months ago.]
      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub

    This discussion is closed to further replies. Keep calm and carry on.