OK, so once again I will offer a humble apology to anyone offended by my vitriol. It was . . . shall we say . . . way over the top?!?!
I was very frustrated to have this happen twice in such a short span, and the fact that it only happened to sites with ModX installed (I have other CMSes installed as well on other domains), well, it really ticked me off. I’m sorry for my insensitive comments. And, for those reading (or having read my earlier comment) with the raised eyebrow one might employ while listening to a crazed lunatic, I realize I should have checked the globals situation.
OK, now I’d like to respond to some of the questions and suggestions raised by others:
Quote from: rthrash at Nov 09, 2006, 03:40 AM
eagleshout,
I’m sorry that your sites were compromised. I’ll personally take full responsibility for including the code from an outside source without a full audit ...
How should we have handled it to your satisfaction? Security is of critical importance to this project and clearly we are equally as concerned as you are about notification?
I’m confused. eagleshout, clearly you’re upset and lashing out.
@rthrash: THANK YOU for taking responsibility. I realize it wasn’t your fault or anyone’s in particular at ModX, but just hearing that an audit of outside code might have prevented this is refreshing. I’ve had some concerns from the beginning regarding this policy and have raised a few questions about stuff in the repository that is, more or less, "branded" as a ModX-worthy module. I’m not sure what the current procedure is for third-party code, but maybe the dev team would consider a more stringent submission procedure. And, since one of my peeves is documentation, maybe a stricter policy could be part of the criteria for repository submissions.
Quote from: sottwell at Nov 09, 2006, 04:53 AM
However, it might be a good idea to prominently offer the link for subscribing to the security mailing list on the main download pages, both for the current "stable" release and the beta and preview page. A lot of people will just go there without ever reading forums or anything else.
As for the communication of this particular situation I would have welcomed an email that such a "critical" measure was released. Especially since my first exploit happened Nov. 7 - not long after most of the chatter in this topic.
I’m not a forum lurker. Typically, I only visit the forums when I need to or if I’m notified that a watched topic has been updated. AS USUAL, @sottwell offered sound advice here, but I might add that something as critical as this might have warranted an email blast to all active forum members. I don’t know, maybe that’s overkill. But certainly I will be subscribing to the security list from now on.
Quote from: identity at Nov 09, 2006, 04:24 AM
XSS, form injection, mysql injection, unfortunately, this is the world we are now living in. Even a straight html/cgi form is open to exploits.
Yeah, even my host recommended I use their standard script instead of the one exploited - better the devil you know than the one you don’t.
Quote from: vbrilon at Nov 09, 2006, 05:29 AM
Wow. I don’t even know what to say. I am going to assume that emotion got the better of you and you let loose in our direction. Otherwise, if you really talk like that in your every day life, well I am going to assume that perhaps your future lies in....let’s say....less professional fields.
Are you implying that the MODx admin deliberately hid this information from people? Sorry, your random capitalization throws my context parsing out of whack. Not sure where you’re going with that anyway....
No, I wasn’t implying the thread move(s) were intentional, but it was on the move while I was trying to post and as stated earlier, the "documentation conundrum" has been a peeve of mine for many months. I’m glad the wiki is finally in place.
Anyway, thanks to those who had the discrimination to disregard my raging testosterone while extending your wisdom.