<![CDATA[ After blocking forgot manager password plugin exploit -- change passwords? - My Forums]]> https://forums.modx.com/thread/?thread=80768
<![CDATA[Re: After blocking forgot manager password plugin exploit -- change passwords?]]> https://forums.modx.com/thread/80768/after-blocking-forgot-manager-plugin-exploit----change-passwords#dis-post-446883
In the grand scheme of things you are probably OK. An attacker would have to have known about the issue, the exact exploit, and targeted your website. This is extremely unlikely.

I do know the details of this exploit, by virtue of being involved with another project. I'm not going to post them publicly though, because there are likely to be sites that have not yet been fixed. Sorry, this does mean I'm going to be vague about what an attacker could have found out, and under what conditions.

If I had a site that had sensitive data stored, I may well take some steps to cover my back, e.g. make password changes now. For most sites though, this would be over-cautious - but as per usual, just make sure you have backups of everything, just in case you have to reinstate anything later.

-- Tim.

]]>
TimGS Dec 12, 2012, 11:09 AM https://forums.modx.com/thread/80768/after-blocking-forgot-manager-plugin-exploit----change-passwords#dis-post-446883
<![CDATA[Re: After blocking forgot manager password plugin exploit -- change passwords?]]> https://forums.modx.com/thread/80768/after-blocking-forgot-manager-plugin-exploit----change-passwords#dis-post-445117
Thanks for your input -- and your participation here overall, for that matter.

Quote from: AMDbuilder at Nov 29, 2012, 11:07 AM
There is always the possibility

I just did a diff on the old vs new (patched) forgot password plugin, and reading through it, what I see (mirroring Jay's forum post and the version readme) is that the fix filtered an input, and also prevented users who had been blocked for any reason from unblocking themselves.

I'm not seeing a vector for login access to unauthorized individuals other than those who were unauthorized because they were blocked. As I have no blocked users with a working password, it seems that no passwords would need to be changed. Wonder if you -- or anyone else -- sees it similarly.

Again -- if it were just me on one site, I'd just do the PW change, but because it's a large collection of clients, I'd like to think it through before I go through the process of asking them to change passwords, if that turns out to be necessary. As I read it, disabling the plugin has completely closed the door, even if someone had hypothetically tried the exploit before the door closed. Any thoughts?]]>
clareoconsulting Nov 29, 2012, 09:03 AM https://forums.modx.com/thread/80768/after-blocking-forgot-manager-plugin-exploit----change-passwords#dis-post-445117
<![CDATA[Re: After blocking forgot manager password plugin exploit -- change passwords?]]> https://forums.modx.com/thread/80768/after-blocking-forgot-manager-plugin-exploit----change-passwords#dis-post-445074
AMDbuilder Nov 29, 2012, 05:07 AM https://forums.modx.com/thread/80768/after-blocking-forgot-manager-plugin-exploit----change-passwords#dis-post-445074
<![CDATA[After blocking forgot manager password plugin exploit -- change passwords?]]> https://forums.modx.com/thread/80768/after-blocking-forgot-manager-plugin-exploit----change-passwords#dis-post-445032
Earlier today, I disabled the forgot manager password plugin as an immediate-response action for impacted sites -- quite a few -- I've installed, per solution #1 in http://forums.modx.com/thread/80701/modx-evolution-1-0-6-and-prior-unauthorized-manager-access#dis-post-444667.

As I read it, I've closed the door on this exploit. The question becomes whether the exploit had theoretically been used in the ~48 hours since the announcement of 1.0.7, and could continue to be used after the "door closing" via a manager password acquired through the exploit.

Thinking through possible exploits, I'm operating on the assumption that any exploit allowing access wouldn't reveal/provide manager passwords to an attacker other than through a hypothetical password reset / change.

So... If I'm able to log in with an existing manager password (to turn off the plugin), does it mean that the exploit didn't result in a password change, and thus, can I assume that there's no need to change the password? If it were only one site / password for me only, I'd just change it, but as there are quite a few people who would be impacted by mass password changes, as they say, "inquiring minds want to know".

Thanks in advance

]]>
clareoconsulting Nov 28, 2012, 06:40 PM https://forums.modx.com/thread/80768/after-blocking-forgot-manager-plugin-exploit----change-passwords#dis-post-445032