  • The XSS issue in Jot is only usable if you are using Jot. It is totally different than the AjaxSearch issue.

    And there is a big difference between the AjaxSearch issue and the issues fixed in 1.0.15. The AjaxSearch issue needs no manager credentials – MODX Evolution was hackable out of the box with that.
      I'm just repeating what I wrote already:
      Anyway, the problem with security flaws is that even small ones, which individually don't allow hacking, may form a possible attack vector in combination. So everyone not updating to 1.0.15 or at least doing the hot-fix by replacing the two files should consider their MODX installation as easily hackable.
      If you take security issues less seriously, then it's your funeral. It's not that those two fixes were the only ones, but only those that were critical.
        1) I had about 20 ModX sites with 1.0.14 or lower. I could easily update all but two of them to 1.0.15. I was getting hacks a few times a day, but they are stopped cold, so far, with the upgrade to 1.0.15. So, I also recommend the upgrade.

        2) (Using the access log files to look up the hack IP addresses, it seems the hacks were mostly coming from Morocco. Recently, they were phishing for Apple iTunes and Google credentials.)

        3) Looking carefully at the hack files, the hacks also involve creating a database table, sending the info, then immediately dropping the table. So, I also changed the ModX manager config file to have the ModX install database user limited to SELECT, INSERT, UPDATE, DELETE, ALTER (ALTER is needed for maintaining/updating snippets in 1.0.15, which is not a good practice.) Anyway, limiting database permissions will defeat the hack, even if successful in depositing files on the server.

        4) With the permissions change two heavily forked ModX websites on 1.0.8, which are not updated, are no longer hacked either.

        5) Before 1.0.15 was available I monitored the sites with a script that keeps track of files and reports if any were added or deleted. That has been a good strategy as well to easily discover where the hack files were deposited.
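The database-privilege change described in point 3 above, written out as MySQL statements. This is an added example, not configuration from the post or from MODX itself; the database name `modx_db` and the account `'modx_user'@'localhost'` are placeholders for whatever the site's manager config file uses.

```sql
-- Weak (typical one-click install): the site account can create and drop
-- tables, which is exactly what the dropper scripts in the post rely on.
GRANT ALL PRIVILEGES ON modx_db.* TO 'modx_user'@'localhost';

-- Hardened: start from nothing and grant only the privileges the post
-- reports a 1.0.15 site needs. ALTER stays only because snippet
-- maintenance in 1.0.15 requires it, as the post notes.
REVOKE ALL PRIVILEGES ON modx_db.* FROM 'modx_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER
    ON modx_db.* TO 'modx_user'@'localhost';
FLUSH PRIVILEGES;

-- Verify: the output should list only the five privileges above.
SHOW GRANTS FOR 'modx_user'@'localhost';

-- With this in place, a dropped web shell that tries
--   CREATE TABLE modx_db.tmp_exfil (...);  or  DROP TABLE modx_db.tmp_exfil;
-- through the application's credentials fails with MySQL error 1142
-- (command denied to user), so the exfiltration path no longer works.
```

Run the statements as a MySQL administrative account, not as the application user itself; the application keeps working because row-level reads and writes are unchanged.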
          For information, in my case, the update to 1.1.15 stopped the attack since last month.
          • If it is finished now, then some earlier hack could have inserted an evil settings record in MODX system settings table. It is not deleted by the update but it could not be used anymore. Or you have cleaned the filesystem better during the update.
              I have just cleaned my filesystem by looking for this kind of file
                Great! Thanks for your replies. I'm gonna update as soon as possible.

                [off topic] Just one negative point when I use YAMS: problem with 1.0.15 + ManagerManager and YAMS. I have no hope that YAMS will be updated, so I downgraded ManagerManager to solve this issue. [/off topic]
                • goldsky is looking for a new maintainer for the project (https://github.com/modxcms/evolution/issues/367). Maybe you want to do that

                  A patch for YAMS could be found here: https://github.com/modxcms/evolution/issues/367
                    Thanks Jako! I will test that very soon.
                      I have cloned YAMS here and added the changes for Evo 1.0.15.
                      https://github.com/fourroses666/YAMS

                      I have tested this on a YAMS installation with Evo 1.0.14 and upgraded to 1.0.15 and it WORKS!