  • Thanks for the kind words, identity. To me, register globals being on is like a testosterone-soaked 17-year-old boy in a room full of inebriated naked girls doing ecstasy and telling him to remember his parents would instruct him to just sit there and ignore everything around him. Something’s definitely going to happen despite the "rules".
      Ryan Thrash, MODX Co-Founder
      Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
    • Oh yeah, and why NOT keep this topic on the run by moving it from one topic to another. That keeps the DOCUMENTATION shell game so much more interesting!
      I’m confused. eagleshout, clearly you’re upset and lashing out. This was not a personal or vindictive attack against you. In fact, I invite you to explore the exploit reports on any other open source project at Secunia and compare them to the number reported for MODx: http://secunia.com/search/ It happens to every single project, and for almost all of them, considerably more frequently.
        Ryan Thrash, MODX Co-Founder
        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
      • No, sounds more like the original poster was confused. And angry, although my personal opinion is that the anger was directed at the wrong target.

        However, it might be a good idea to prominently offer the link for subscribing to the security mailing list on the main download pages, both for the current "stable" release and the beta and preview page. A lot of people will just go there without ever reading forums or anything else.
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
        • That’s a great and productive suggestion Susan. Thanks! (update now done)
            Ryan Thrash, MODX Co-Founder
            Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
            Quote from: eagleshout at Nov 09, 2006, 02:51 AM

            FORTUNATELY the sites that ModX was installed on were testing sites because I had two sites defaced in 24 hours. Where’s the documentation that could have prevented this . . . nested in the forums!!!!

            Point well taken eagleshout. The documentation needs to be more prominent and organized. That’s one of the reasons there’s been a Wiki project in the works. If you have a better idea how to present essential information like this, please share it with the team.

            Quote from: eagleshout at Nov 09, 2006, 02:51 AM

            Here’s an excerpt from my hosting company which had the sense to monitor the email injection permitted by ModX and stop it after only a few minutes:

            Correction -- MODx itself did nothing in regards to your mail injection. A 3rd party package which is included with MODx had a vulnerability that allowed a malicious hacker to upload files to your server. For that the MODx team should (and does) take responsibility for not auditing 3rd party code that we distribute. You on the other hand may want to ask your hosting company why register_globals was turned on for your PHP install to enable this situation?

            Quote from: eagleshout at Nov 09, 2006, 02:51 AM

            The SCRIPT vulnerability referred to here was in ModX . . . yes even after the install was deleted.

            See my comment above again. In context, what you’re saying is simply inaccurate. I understand you’re upset (and rightfully so), but let’s not paint with too broad of a brush here, shall we?

            Quote from: eagleshout at Nov 09, 2006, 02:51 AM

            When is ModX going to stop calling itself a "CMS" or even a "development platform" and get real!!!! You folks are obviously leading others down the path of death and destruction with your BS.

            Wow. I don’t even know what to say. I am going to assume that emotion got the better of you and you let loose in our direction. Otherwise, if you really talk like that in your everyday life, well I am going to assume that perhaps your future lies in....let’s say....less professional fields.

            Quote from: eagleshout at Nov 09, 2006, 02:51 AM

            Oh yeah, and why NOT keep this topic on the run by moving it from one topic to another. That keeps the DOCUMENTATION shell game so much more interesting!

            Are you implying that the MODx admin deliberately hid this information from people? Sorry, your random capitalization throws my context parsing out of whack. Not sure where you’re going with that anyway....

            BTW I find it interesting that your signature is a quote from Lorca. Didn’t he also say "Besides black art, there is only automation and mechanization"? And that’s what we’re dealing with here my friend -- automation and mechanization. Mistakes will and do happen. You can choose to be constructive and communicative in these issues, or you can choose to vent and alienate people. Your choice.

              oh, to be a 17-year-old boy again
                | Identity Developments delivers SEO focused web design and web presence services
                - it's not about websites, it's about your identity. |
              • Hey, I’d settle for being a 47-year-old girl again!
                  Studying MODX in the desert - http://sottwell.com
                  Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                  Join the Slack Community - http://modx.org
                  well, to each his or her own
                    | Identity Developments delivers SEO focused web design and web presence services
                    - it's not about websites, it's about your identity. |
                    I am no security expert, but I talked to my Host about them turning off register_globals by default, and they told me that I could accomplish turning it off by placing the following in my main .htaccess file:

                    "php_flag register_globals off"

                    Will this suffice? phpinfo() is reporting that it is off at the local level and on at the master level. If this works, it seems like a pretty easy fix to have everyone do anytime they freshly install MODx.
                      Jesse R.
                      Consider trying something new and extraordinary.
                      Illinois Wine

                      Have you considered donating to MODx lately?
                      Donate now. Every contribution helps.
                    • That will do the job nicely. Unfortunately most shared hosting doesn’t allow that.
                        Studying MODX in the desert - http://sottwell.com
                        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                        Join the Slack Community - http://modx.org
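As an added example (not code from this thread, nor part of MODX), here is the fallback that was common at the time for hosts that do not honour php_flag in .htaccess: register_globals is a per-directory directive, so a script cannot switch it off with ini_set(), but it can verify the setting with ini_get() instead of reading phpinfo() and can remove the request-derived globals before any other code runs. It assumes PHP older than 5.4, where the directive still exists; the function names are the author's own.

```php
<?php
// Added example (not MODX code): fallback for hosts that ignore .htaccess.
// register_globals is PHP_INI_PERDIR, so ini_set() cannot turn it off at
// runtime; the best a script can do is undo its effect before other code
// runs. Assumes PHP < 5.4, where the directive still exists.

// Returns true when register_globals is effectively off.
function registerGlobalsIsOff()
{
    $v = ini_get('register_globals');
    // ini_get gives "" or "0" when off (or absent), "1"/"on" when enabled.
    return $v === false || $v === '' || $v === '0' || strtolower($v) === 'off';
}

// Removes every global that register_globals created from request data, so
// code that relies on an uninitialised variable (the classic
// "if ($user_ok) ..." bug) cannot be influenced by a ?user_ok=1 parameter.
// Returns the number of globals removed.
function undoRegisterGlobals()
{
    if (registerGlobalsIsOff()) {
        return 0;
    }
    // Superglobals themselves must never be unset.
    $protect = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                     '_FILES', '_SERVER', '_ENV', '_SESSION');
    // Sources register_globals copies into the global scope (EGPCS order).
    $sources = array($_ENV, $_GET, $_POST, $_COOKIE, $_SERVER, $_FILES);
    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if (in_array($key, $protect, true)) {
                continue;
            }
            if (array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
                $removed++;
            }
        }
    }
    return $removed;
}

// Usage: make this the very first statement of the entry script, before
// any include, so nothing can read an injected global.
$cleaned = undoRegisterGlobals();
if (!registerGlobalsIsOff()) {
    error_log("register_globals is ON; removed $cleaned request-derived globals");
}
```

The error_log line gives a server-side signal that the host still has the master value on, which is worth watching for after every migration or PHP upgrade.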