    Thanks for the heads up. I just checked and thankfully I have globals off.
      I made my first site with modx
      ------------------------
      http://www.shop-bright.com | Uk shopping blog
    • Globals off, and PHP running under suExec so I don’t have to have anything at all with world-writable permissions, were things I looked for in hosting.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
      • Just another reminder, my personal sites were hit with over 200 attempts to exploit this vulnerability in the last 24 hrs and they are still at it; luckily I help run my own server and we configured the box with register globals = off, so not a one of the attempts has been or will be successful.

        Regardless, I want to reiterate how critical it is that you patch or remove the mcpuk resource browser if you have register_globals=On; I personally would remove it completely for now unless you specifically need it for the sites’ editors to use. If you do remove it, don’t forget to disable the resource browser in your configuration, so the FCKEditor or TinyMCE can still be used despite the lack of the resource browser.

        If you have been hit already, it’s best to clean out the entire file system in your account and load clean files back in. That or you are going to need to search through the file system very thoroughly to make sure there are not any files left by the intruder that may cause further damage in the future, or allow further exploits to occur.

        Finally, after initial reviews of all the various security exploits involving FredCKEditor, I’m simply uncertain whether additional unidentified vulnerabilities exist in the mcpuk resource browser code currently integrated into MODx, and considering the nature of the exploit, I wouldn’t take any chances until we announce an official new release of the/a resource browser, especially if you are unsure whether your server is properly secured against these types of attacks.
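The two posts above boil down to a checklist: register_globals must be off, nothing in the webroot should be world-writable, the mcpuk browser should be gone, and after a compromise you have to hunt for files the intruder left behind. The following shell helpers are an added example written for this thread, not code from MODx or from any poster; the mcpuk directory path is an assumption and the sample files the demo creates are constructed.

```shell
#!/bin/sh
# Added example: audit helpers for the points raised in this thread.
# Paths and sample data are constructed; nothing here is MODx code.

# Return 0 if the php.ini given as $1 turns register_globals on.
# Commented-out lines are ignored; On, 1 and true are all treated as "on".
register_globals_enabled() {
  grep -Ei '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true)' "$1" >/dev/null
}

# Print regular files under webroot $1 that are writable by "other".
# With suExec these should not exist at all.
world_writable_files() {
  find "$1" -type f -perm -0002
}

# Print PHP files under webroot $1 modified within the last $2 days.
# A starting point when searching the file system after a break-in.
recently_modified_php() {
  find "$1" -type f -name '*.php' -mtime "-$2"
}

# Return 0 if the mcpuk resource browser directory still exists under $1.
# The relative path is an assumption about where the browser was installed.
mcpuk_present() {
  [ -d "$1/manager/media/browser/mcpuk" ]
}

# Run all checks and print a short report for php.ini $1 and webroot $2.
audit_webroot() {
  if register_globals_enabled "$1"; then
    echo "WARNING: register_globals is On in $1; patch or remove mcpuk now"
  fi
  if mcpuk_present "$2"; then
    echo "NOTE: mcpuk directory still present under $2"
  fi
  echo "World-writable files under $2:"
  world_writable_files "$2"
  echo "PHP files modified in the last 7 days under $2:"
  recently_modified_php "$2" 7
}

# Demo on a constructed throwaway site so the script runs stand-alone.
demo=$(mktemp -d)
mkdir -p "$demo/site/manager/media/browser/mcpuk"
printf 'register_globals = On\n' > "$demo/php.ini"
printf '<?php echo "hi";\n' > "$demo/site/index.php"
chmod 666 "$demo/site/index.php"
audit_webroot "$demo/php.ini" "$demo/site"
rm -rf "$demo"
```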
          I have several French users reporting they failed to see the announcement in time to avoid being hacked (note that I posted a sticky in the French Announcement board, with a how-to for checking their register_globals setting). I have been repeatedly asked that we send out a message via the SMF messaging system, for example. I am not sure this is the way to go and will ask that they subscribe to the Announcement forum instead.

          Maybe a dedicated Security board to which users could subscribe would be even easier. Not sure which way is the best, but I am here so often I don’t have the same perspective the average user will have.
            .: COO - Commerce Guys - Community Driven Innovation :.
            I’ve added the feature request FS#653 to ask for a box in the manager that displays announcements from the official MODx site, like in the SMF admin page.
            This feature would allow security warnings to be transmitted more quickly than an announcement in the forum.
              I thought the same, and I plan to add an RSS feed from this forum to the manager welcome page tomorrow.
                kudo
                www.kudolink.com - webdesign (surprised?)
                One of the things I was impressed with at Drupal was the security mailing list, and I have been amazed that more scripts, open source as well as commercial, don’t have one. When the XSS vulnerabilities were hitting like crazy a few weeks back, even though I wasn’t using most of the Drupal modules that I was receiving alerts for, I would much rather get an email with the module name in the subject line that I could easily delete than not hear anything without visiting the site and hoping to see a message.

                The nice thing is, if you have a separate subscribable mailing list just for security notices, they will stand out and grab the attention they deserve. And after all, this is an area that you probably can’t be too proactive about.
                  | Identity Developments delivers SEO focused web design and web presence services
                  - it's not about websites, it's about your identity. |
                • Quote from: identity at Nov 04, 2006, 08:45 PM

                  The nice thing is, if you have a separate subscribable mailing list just for security notices, they will stand out and grab the attention they deserve. And after all, this is an area that you probably can’t be too proactive about.
                  100% agreed, and I think we’ll be setting up a special security announcements thread along with a separate feed and the ability to sign-up for email notices for that feed.
                    Great... well, hopefully it won’t be needed much, but nice knowing it’s there.
                      | Identity Developments delivers SEO focused web design and web presence services
                      - it's not about websites, it's about your identity. |
                      Well, I just uploaded modx-0.9.2.1.tar.gz and unpacked it. By the time I had added the patch the site had been successfully hacked again. >:(
                      Looks like I’ll have to unpack it locally and make the changes including the removal of the entire mcpuk directory before repacking and uploading. What a pain :’(