The security risk is for all releases of MODX Evolution prior to 1.0.14 and you should quickly update any site that is running any prior releases. The Ajax Search vulnerability is real, and is still attacking sites. It's just a matter of time before yours are hit, especially if any of them are on the same server. They'll all get hit at once.
So, to answer your question, yes the current release of MODX 1.0.14 is safe. Anything prior to that is not unless Ajax Search is not installed.
I'd also encourage you to visit developing the site in Revolution. There's not a whole lot that Evo offers that overshadows what Revo can do for you, plus a lot of other benefits most find very beneficial. Yes, it's a little faster than Revo, but you can actually do things faster and easier in Revo, so the speed of the manager ends up being a wash in my opinion. The fact that you have to set every resource to "continue editing" is only one cumbersome problem solved in Revo, and one that I find to be irritating as heck. The package manager is also a major time saver. Speed of manager reloads, if I have to re-open every resource's edit tab after save if I forget to reset it to continue editing, means Revo wins hands down on just that one single point. I really miss some of the basics like quick update and create, versionX, drag and drop in the tree, and a whole lot of other things every time I work in Evo as well.
Thank you for your reply, Frogabog!
As a temporary solution (before upgrading), could I disable or delete Ajax Search, and which files/folders should I change/delete?
Thank you!
You're welcome!
Yes, but you have to delete all the Ajax Search files as well. See http://forums.modx.com/thread/91390/important-update-to-ajaxsearch-exploit-in-evo-1-0-13-and-prior
Have... fun? :~}
Hi Frogabog, thank you for your reply. I always have fun - I'm that kind of girl.
So here is what I've done (on a site that doesn't use AjaxSearch):
- removed index-ajax.php
- removed folder assets/snippet/ajaxSearch
- removed snippet AjaxSearch through manager
That's ok, right?
One thing is not clear to me: AjaxSearch is a part of the MODX package so I always installed it together.
I downloaded AjaxSearch 1.10.1-pl2 zip from the MODX site, but it doesn't contain index-ajax.php (and install instructions don't mention it at all).
When I installed MODX 1.0.14 with AjaxSearch checked, index-ajax.php was there?? How do I install AjaxSearch ver 1.10.1 on an old site (1.0.5), and if an index-ajax.php file is part of it, where is it?
Thanks,
Lina
The index-ajax.php file is part of the evolution "core" and not part of the ajaxSearch extra. I would NOT recommend updating ajaxSearch independently of Evolution. There are numerous vulnerabilities addressed in the releases leading up to 1.0.14.
Simply upgrading ajaxSearch will not protect your site; it will only possibly close one of the more prominent attack vectors. There are multiple other vulnerabilities.
You should review the changelog (https://github.com/modxcms/evolution/blob/bugfix/install/changelog.txt) for a list of bug fixes, security, etc.
The better question is what reason could you have for running a vulnerable MODX version?
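As an added example (not code from any poster or from the MODX project), a small POSIX shell audit that checks a web root for the Ajax Search files Lina removed and for a core version older than 1.0.14, so a site owner can confirm both the cleanup and the upgrade. The assumptions are that the core version sits in manager/includes/version.inc.php as `$modx_version = '...'` and that the Ajax Search folder is either the path named in the thread or assets/snippets/ajaxSearch.

```shell
#!/bin/sh
# Added audit helper (not from the thread or the MODX project): report whether a
# MODX Evolution web root still carries the Ajax Search files the posts above
# say to remove, and whether the core is older than 1.0.14.
# Assumptions: the core version lives in manager/includes/version.inc.php as
# $modx_version = '...'; the Ajax Search paths are those named in the thread.

# Exit 0 when $1 sorts before $2 as a dotted version (1.0.5 < 1.0.14).
version_older_than() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Print the core version string, or nothing if the file is missing.
evo_version() {
    sed -n 's/.*modx_version[^0-9]*\([0-9][0-9.]*\).*/\1/p' \
        "$1/manager/includes/version.inc.php" 2>/dev/null | head -n 1
}

# List each Ajax Search path as present/absent; exit 1 if any is still there.
check_ajaxsearch_files() {
    found=0
    for rel in index-ajax.php assets/snippets/ajaxSearch assets/snippet/ajaxSearch; do
        if [ -e "$1/$rel" ]; then echo "present: $rel"; found=1
        else echo "absent:  $rel"; fi
    done
    return $found
}

# Full check of one web root; exit 1 if it needs attention.
audit_evo_site() {
    ver="$(evo_version "$1")"; status=0
    if [ -z "$ver" ]; then
        echo "version: unknown (no version.inc.php found)"; status=1
    elif version_older_than "$ver" 1.0.14; then
        echo "version: $ver (older than 1.0.14, upgrade the core)"; status=1
    else
        echo "version: $ver (current)"
    fi
    check_ajaxsearch_files "$1" || status=1
    return $status
}

# Usage: audit_evo_site /var/www/example   (placeholder path)
```

Run it against each site on a shared server, since the thread notes that one compromised install tends to be followed by the others on the same host.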