    • 36816
    • 109 Posts

    Earlier today, I disabled the forgot manager password plugin as an immediate-response action for impacted sites -- quite a few -- I've installed, per solution #1 in http://forums.modx.com/thread/80701/modx-evolution-1-0-6-and-prior-unauthorized-manager-access#dis-post-444667.

    As I read it, I've closed the door on this exploit. The question becomes whether the exploit had theoretically been used in the (~48 hours) since the announcement of 1.0.7, and could continue to be used post "door closing" via a manager password acquisition in the exploit.

    Thinking through possible exploits, I'm operating on the assumption that any exploit allowing access wouldn't reveal/provide manager passwords to an attacker other than through a hypothetical password reset / change.

    So... If I'm able to log in with an existing manager password (to turn off the plugin), does it mean that an exploit didn't result in a password change, and thus, can I assume that there's no need to change the password? If it was only one site / password for me only, I'd just change it, but as there are quite a few people who would be impacted by mass password changes, as they say, "inquiring minds want to know".

    Thanks in advance

    [ed. note: clareoconsulting last edited this post 11 years, 4 months ago.]
    • There is always the possibility, however in the grand scheme of things you are likely fine. The biggest thing is someone would need to specifically target your site with the exploit.
        Patrick | Server Wrangler
        About Me: Website | Tweets | MODX Hosting
        • 36816
        • 109 Posts
        Greetings Patrick,

        Thanks for your input -- and your participation here overall, for that matter.

        Quote from: AMDbuilder at Nov 29, 2012, 11:07 AM
        There is always the possibility

        I just did a diff on the old vs new (patched) forgot password plugin, and reading through it, what I see (mirroring Jay's forum post and the version readme) is that the fix filtered an input, and also prevented users who had been blocked for any reason from unblocking themselves.

        I'm not seeing a vector for login access to unauthorized individuals other than those who were unauthorized because they were blocked. As I have no blocked users with a working password, it seems that no passwords would need to be changed. Wonder if you -- or anyone else -- sees it similarly.

        Again -- if it was just me on one site, I'd just do the PW change, but because it's a large collection of clients, I'd like to think it through before I go through the process of asking them to change passwords, if necessary. As I read it, disabling the plugin has completely closed the door even if someone had hypothetically tried the exploit before door closing. Any thoughts?
          • 30023
          • 172 Posts
          AMDbuilder is right.

          In the grand scheme of things you are probably OK. An attacker would have to have known about the issue, the exact exploit, and targeted your website. This is extremely unlikely.

          I do know the details of this exploit, by virtue of being involved with another project. I'm not going to post them publicly though, because there are likely to be sites that have not yet been fixed. Sorry, this does mean I'm going to be vague about what an attacker could have found out, and under what conditions.

          If I had a site that had sensitive data stored, I may well take some steps to cover my back, e.g. make password changes now. For most sites though, this would be over-cautious - but as per usual just make sure you have backups of everything, just in case you have to reinstate anything later.

          -- Tim.