We've been shouting "Upgrade your sites NOW" since the patch became available... Not many people see any of these shouts. And that's a legitimate concern.
I can't answer your question directly, Bobray, as some had not had the core moved but had been updated and weren't touched.
Just to expand things a little further if I may: What are the traits an extra would have that would make them vulnerable to an attack like this? In other words is there a piece of code (such as core_path) we could look for in an extra, that would show it might create a vulnerability?
I'd also love to find a quicker way to password protect those directories. On shared hosting where there's no access to apache config, it's quite laborious.
As long as renaming folders does not become an excuse to wait with upgrades "because my site is safe", then that's good advice. Rename folders all you want, it is helpful to buy you a little more time, but ALWAYS keep your site and extras up to date.
We've been shouting "Upgrade your sites NOW" since the patch became available, but when people equate "now" to "at some point in the next few weeks or months when we have the time" instead of the recommended "right away", that's when the shit has a chance to hit the proverbial fan. Add that the details of the vulnerability and a proof of concept exploit became public knowledge in less than a week, and you have a recipe for the massive number of sites getting hacked.
Renaming folders would have reduced the chance of getting hit in a first blast, buying you a little more time, but it's not going to stop a targeted attacker. Take this as a learning opportunity that 1) backups matter and 2) upgrading regularly matters.
Surely your hosting should allow .htaccess? MODX uses it for friendly URLs anyways.
Yes - I'm just saying it's laborious on shared hosting, whereas with apache config it would be much quicker
I'm a bit late to the party... I was able to upgrade my site within a few days of the initial 2.6.5 announcement, before the "attack" announcement was posted. I just happened to visit the MODx forum that day, spotted the upgrade news and upgraded because I had a free moment. I definitely don't visit daily, or even weekly. Is the forum and Slack really the only ways to be notified? There used to be RSS feeds that I subscribed to, but they appear to be non-existent now. Is there no way to receive email updates of security issues currently?
A lot of the shout happens either on Slack (where a tiny fraction of MODXers hang out) or here on the Forums, posted in places that users never see/click.
Is there no way to receive email updates of security issues currently?