News

Posted almost 6 years ago
Product: MODX Revolution
Severity: Critical
Versions: <=2.6.4
Vulnerability type(s): Remote Execution / File/Directory Deletion
Report date: 2018-Jul-11
Fixed date: 2018-Jul-12

Description
On July 11 we received notice that there are two critical vulnerabilities that include remote script execution and file/directory removal. These issues are critical in nature. It is possible for attackers to compromise the website or deface or delete files or directories.

Affected Releases
All MODX Revolution releases prior to and including 2.6.4.

Solutions
Upgrade to MODX Revolution 2.6.5 or above. If you're on 2.6.4 you can replace the changed files included in the commits: here (can be manually updated on versions back to 2.3.0) and here (can be updated on versions back to 2.5.2). Please note, replacing files in other versions of MODX Revolution could lead to unintended consequences. It is always preferred to upgrade.

Support
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.

Acknowledgement
We would like to thank Ivan Klimchuk (Alroniks) and agel_nash for bringing these issues to our attention and verifying their resolution.

Additional Information
For additional information, please email MODX Support.
Posted over 7 years ago
Product: MODX Revolution
Severity: Moderate
Versions: <=2.5.1
Vulnerability type: Directory Traversal / SQL Injection
Report date: 2016-Nov-4
Fixed date: 2016-Nov-14

Description
We received notice that there are several vulnerabilities that include a SQL injection and directory traversal. These issues on their own are not critical in nature; however, it could be possible for determined attackers to combine vectors to compromise a site.

Affected Releases
All MODX Revolution releases prior to and including 2.5.1.

Solutions
Upgrade to MODX Revolution 2.5.2 or above. A patch is available for versions 2.3.3-2.5.2 thanks to Sterc. Versions below 2.3.3 must upgrade.

Support
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.

Acknowledgement
We would like to thank Nikolay Lanets (modxclub.ru) and Chen Ruiqi for bringing these issues to our attention and verifying their resolution.

Additional Information
For additional information, please use the MODX Contact Form (http://modx.com/company/contact/).
Posted over 7 years ago
Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: <=1.1
Vulnerability Type: Remote Code Execution
Report Date: 2016-November-08
Fixed Date: 2016-November-12

Description
The following components distributed with all versions of MODX Evolution (and 0.9.x) contain a vulnerability that allows remote code execution: AjaxSearch, eForm and evoGallery.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.1 (with AjaxSearch, eForm or evoGallery installed) are affected.

Solution
Determine if the site is compromised. Remove any malicious files or database entries. Then, upgrade to MODX Evolution 1.2 or above. See instructions below.

Support
If you do not know how to upgrade your site and complete the steps below to locate and remove malicious files and database entries, there are options. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.

One way to determine if your site has been compromised is a new tool called Evocheck. It can help identify malicious code in files or the database. We recommend using it or a similar tool in case your site has been compromised. Even after your site is secured again, this tool can be useful to find any text/code in your installation. Please note, no detection script is perfect and exploits may change over time to hide from such detection.

Cleaning and Upgrade Instructions for a Compromised Installation:
1. Log out from the manager.
2. Download the latest MODX 1.2.
3. Upload the package to your server via FTP, explicitly overwriting any existing file.
4. Delete the file cache/siteCache.idx.php manually via FTP (do NOT rely on the "Clear Cache" button inside the manager), because a malicious Plugin is likely hidden in the database and will reinfect the site.
5. Use Evocheck to check for malicious Plugins and files you wish to delete. Inside the source code you will find strange / suspicious code like the samples shown below these instructions. Note the ID of this plugin, which is probably the last one added, and use phpMyAdmin or https://www.adminer.org/ to manually delete it from the table "site_plugins".
6. IMPORTANT: Repeat steps 4 + 5 just in case changes happened in the meantime.
7. IMPORTANT: In cases where the upgrade/security fix seems not to work, there are additional uploaded files / backdoors left on the server. Evocheck can help, but you still need technical expertise to know what you are doing, i.e. using the right RegEx terms to find malicious code. It is no one-click solution!
8. If your site uses eForm or AjaxSearch, test their functionality as there are changes to these Extras.

Samples of Malicious Code
eval(base64_decode("cc6ebdef6a9f8fd3887455e23a2ec....
eval("base".128/2."_dec"."ode(.....)"

IMPORTANT: Last but not least, watch your server for at least a week to make sure you have found and removed all backdoors / malicious files.

NOTE
A special thanks to community members pixelchutes, cipa and pbowyer for identifying the vector and yama for the resolution. And of course, everybody else involved in sorting out this compromise.
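As an added example (not Evocheck and not part of the advisory), the following Python scanner shows the kind of regex check the instructions above refer to. It folds PHP constant-string concatenation before matching, so the obfuscated second sample ("base".128/2."_dec"."ode(...)) is flagged just like the plain eval(base64_decode(...)) form; the decoder list is extended beyond the page with gzinflate and str_rot13, and the sample inputs are constructed for this example.

```python
"""Flag PHP source that builds an eval(base64_decode(...)) call, including
the string-concatenation trick quoted in the MODX Evolution advisory."""
import re
from pathlib import Path

# One constant-expression atom: a quoted string, an integer division, or an integer.
ATOM = r'"[^"\\]*"|\'[^\'\\]*\'|\d+(?:\s*/\s*\d+)?'
ATOM_RE = re.compile(ATOM)
# Two or more atoms joined with PHP's "." operator, e.g. "base".128/2."_dec"
CHAIN_RE = re.compile(rf'(?:{ATOM})(?:\s*\.\s*(?:{ATOM}))+')
# After folding, both advisory samples reduce to: eval( [quote] base64_decode(
DECODERS = ('base64_decode', 'gzinflate', 'str_rot13')  # extended beyond the page
SIG_RE = re.compile(
    r'eval\s*\(\s*["\']?\s*(?:' + '|'.join(DECODERS) + r')\s*\(', re.I)


def fold_atom(tok: str) -> str:
    """Evaluate one constant atom to the text PHP would concatenate."""
    tok = tok.strip()
    if tok[0] in '"\'':
        return tok[1:-1]
    if '/' in tok:                       # 128/2 -> "64"
        a, b = (int(x) for x in tok.split('/'))
        return str(a // b) if a % b == 0 else str(a / b)
    return tok


def normalise(src: str) -> str:
    """Fold constant concatenation chains into single string literals.
    A float literal such as 2.5 is also folded to "25"; harmless for matching."""
    def repl(m):
        atoms = (fold_atom(t.group(0)) for t in ATOM_RE.finditer(m.group(0)))
        return '"' + ''.join(atoms) + '"'
    return CHAIN_RE.sub(repl, src)


def scan_source(name: str, src: str) -> list:
    """Return (name, line_no, matched_text) for every signature hit."""
    hits = []
    for no, line in enumerate(normalise(src).splitlines(), 1):
        for m in SIG_RE.finditer(line):
            hits.append((name, no, m.group(0)))
    return hits


def scan_tree(root: str) -> list:
    """Scan every .php file below root, e.g. an Evolution document root."""
    hits = []
    for path in Path(root).rglob('*.php'):
        hits.extend(scan_source(str(path), path.read_text(errors='replace')))
    return hits


# Constructed samples, modelled on the two shapes the advisory quotes;
# the third is a benign file that merely mentions the function name.
SAMPLES = {
    'cache/siteCache.idx.php': '<?php\n$x = 1;\neval(base64_decode("PLACEHOLDER"));\n',
    'site_plugins#42':         '<?php eval("base".128/2."_dec"."ode(\'PLACEHOLDER\')");',
    'assets/snippets/ok.php':  '<?php echo "base64_decode is just a word here";\n',
}

if __name__ == '__main__':
    for name, src in SAMPLES.items():
        for hit in scan_source(name, src):
            print('SUSPICIOUS', *hit)
```

The same scan_source call can be run over plugin code exported from the site_plugins table, which is where the advisory says the reinfecting plugin hides.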
Posted over 7 years ago
Everyone who is using MODX Evo version 1.0.12 through 1.2 RC1 should treat this patch as mandatory. You can read the release post here and you can download the patch here. All users of Evo that have the "Extras" module installed can download the patch directly via the module, as seen here. For those who haven't installed the patch yet, Yama from the Evo DEV team posted a security release on 24/11/2016 (Evo 1.1.1), which can be found here. If you wish to wait for the 1.2 official release, feel free to do so, but at your own risk.
Posted over 7 years ago
Everyone who is using MODX Evo version 1.0.12 through 1.2 RC1 should treat this patch as mandatory. You can read the release post here and you can download the patch here. All users of Evo that have the "Extras" module installed can download the patch directly via the module, as seen here. If you wish to wait for the 1.2 official release, feel free to do so, but at your own risk.
Posted almost 8 years ago by Jay Gilmore
The first patch release of MODX Revolution 2.5, 2.5.1, is now available. There are mostly small changes, but of note are fixes to the Amazon S3 Media Sources and S3 Buckets with dots (.) in the name and their image previews in the file tree. There were also two minor potential security issues resolved. If you missed it, why not read the complete Revo 2.5 announcement.

Highlights from the changelog:
- Fix problem with S3 bucket names containing dot characters
- Correctly display image preview in file tree for S3 media sources
- Use sans-serif font for TV textareas
- Ensure Uberbar search results respect ACLs (user permissions/access)
- Add missing viewport meta tag needed to correctly enable responsive MODX Manager and Manager login screen
- E-Mail validation now supports domain extensions (gTLDs) with more than 6 characters
- Two security fixes: one to prevent reflected XSS and one closing a SQL injection

Important Note for TinyMCE Users
We have found an issue with the widely used TinyMCE Extra (the word processor-like toolbar for MODX Resources) where you cannot load Resources after upgrading. TinyMCE by splittingred is no longer actively maintained and we recommend choosing one of the other TinyMCE Extras for 2.5.1+. There is a one-line patch available if you want to continue using TinyMCE.

Important
Nearly all releases contain vital security patches. If you are using a version lower than 2.3.6 you should consider an upgrade to 2.5.1 mandatory.

Security is an Ongoing Process
We cannot stress enough how important it is to run the most current version of MODX. We are always improving security. Upgrade regularly to reduce the chance of your site getting hacked. If you need help upgrading your MODX site, let us know.

Release Contributors
Let’s take the time to thank the individual contributors to this release (in alphabetical order by GitHub username): achterbahn, AppChecker, Bruno17, christianseel, enigmatic, ilyautkin, Jako, labr1005, lefthandmedia, MaartenW, Mark, matdave, opengeek, OptimusCrime, pixelchutes, Realetive, Ronald, sergant210, sottwell, theboxer, thewhiterabbit, and vgrish, along with many other contributors who log & triage issues, review PRs, and commit code. The MODX Community is amazing.

Get Started with Revo 2.5
Here’s what you need to get started or upgrade to MODX Revolution 2.5:
- Download Revolution 2.5
- What’s required to run Revolution 2.5.x
- How to install MODX Revolution
- How to upgrade MODX Revolution on your site
- How to upgrade MODX Revolution in MODX Cloud
- Read the MODX Revolution Documentation

Ask Not What MODX Can Do For You
MODX is only as good as it is because of the many individual community members and users that take the time to report issues, request new features, and submit code to the project. Make sure you read the documentation, post feedback and share your experiences in the MODX community forums. On behalf of the entire MODX Team, we thank you!
Posted almost 8 years ago by Jay Gilmore
Self-Serve SSL Installation Now Available
Serving websites via HTTPS is more important today than ever, and we’ve noticed a large uptick in recent months in requests for SSL:
- Greater trustworthiness of the website for visitors, giving visitors greater confidence
- Google factors HTTPS/SSL into search rank, getting more of the right people to your site
- SPDY/HTTP2 decreases web page load times, keeping visitors more engaged

Previously, the only way customers could add SSL was by submitting a ticket to our customer support system, which required back and forth over hours or days—not always as speedy as people hoped. Those days are over. Now, all users on our current plans can request CSRs and install SSL Certificates for free without requiring a support ticket, any time, without delay. 100% self-served.

Installing your SSL certificate is fairly intuitive, but we have written a user guide for those who love step-by-step instructions. Not only can you install a certificate for a website, but you can also move certificates to MODX Cloud from previous hosts, move them between Cloud instances, and install them on multiple Clouds. If you’re on one of our legacy plans and want to run your site under SSL, we can help you select and move to one of our current plans, so you too can get access to self-serve SSL installs.

Knowledge is Power
We’ve also recently reorganized and expanded the MODX Cloud User Guide (aka Knowledge Base) to help you do more, more easily. Some of the changes include the addition of a new section called Optimizing Performance, which contains articles on delivering your website faster to browsers, increasing your page speed score, adding more power to your Cloud instance, and even Private Servers in MODX Cloud. For those of you launching a new site, we’ve created a MODX Cloud Site Launch Checklist, which includes all the steps to go from development to live site, including web rules, domains and more. Whether you’re new to MODX Cloud or you’ve been here a while, it’s nice to have a reference that will make sure you launch without a hitch. It’s also not a bad checklist for launching a site anywhere.

Preparing for the Future
We have a ton of plans for the future and look forward to bringing you more tools and locations in MODX Cloud. Let us know what you’d love to see.
Posted about 8 years ago by Ryan Thrash
MODX Revolution 2.5 is now out and brings PHP 7 compatibility, faster performance for anonymous users, an improved Manager interface when accessing from mobile or tablet devices, enhanced accessibility and much more.

Highlights of Revolution 2.5
MODX Revolution 2.5 continues the tradition of enhancing functionality and performance for MODX Revolution, augmenting security, and fixing a variety of bugs. The excellent new features include the following areas:

Preparing for the Future
MODX CMS has always been forward thinking. We adopted PDO for database access years before others even considered it, and you could power HTML5/CSS3 mobile responsive sites with our first release in 2005, even though those technologies didn’t exist at the time. We continue this tradition with a few things that are here today, and that will be huge soon:
- PHP 7 compatibility (it’s coming soon to a server near you). PHP 7 performs significantly faster than any previous release before it, so your sites should be able to handle more visitors and serve them more quickly, keeping them engaged and returning for more.
- Accessibility improvements worked into the core Manager experience, including screen reader and keyboard navigation on the Login screen. The work that is going on for the Accessible Manager theme, which takes this much further, works in MODX Revolution 2.5, too.

Improved UX
Our quest to improve end-user and developer experiences will never be over. To that point, the following areas received attention for 2.5:
- New default content for new installs provides helpful resources and information. Instead of the empty blank page in all previous versions of MODX Revolution, you now get a nice intro page with some important links to assist and orient new users.
- Much more mobile-friendly Manager. As a stepping stone towards a new Manager in the future, this allows you to make edits and access the Manager much more easily than was possible before, thanks to the intense efforts of JP DeVries.
- Added the ability to unpack zip files in the file tree / media manager.

Developer Sugar
Sometimes you need to create custom functionality that available MODX Extras do not address. Often this involves creating Custom Manager Pages and interfaces inside a Component. Previously, this required a dive into the “exciting” world of ExtJS, with which most people have a loathe-hate relationship. Now, views for applications you build into the MODX Manager are much easier to create using plain old HTML/CSS and MODX Tags. A special thanks goes to Romain Tripault and Susan Ottwell for this example of the new Custom Manager Pages in 2.5.

Faster Performance
Google loves fast sites, as do your visitors. MODX has always been performant when serving cached pages; now it’s even more so:
- Parser optimizations which improve pre-caching performance. This means visitors will be served more quickly, and Google will give your site a little more respect, which it clearly deserves.
- The new anonymous_sessions setting (enabled by default) can significantly speed up the performance for sites that don’t need to have PHP sessions or logged-in users. When this setting is disabled, and a page is fully cached, having sessionless anonymous visitors eliminates the need for a database connection for that visitor on each request. If your site serves even moderate traffic, this can significantly reduce the amount of processor required to operate.

Changes in MODX Revolution 2.5
Previously created sites, currently on Revolution 2.3 or above, should work when upgrading to 2.5, but we do suggest testing on a clone of your site first. Earlier versions may take a bit of extra effort and code updates if they use non-public APIs or directly access the database.

Release Contributors
Let’s take the time to thank the individual contributors to this release (in no particular order): John Peca, Jason Coward, Thomas Jakobi, Ronald Exterkate, Mike Reid, inreti, Zaigham Rana, Jan Tezner, Elizabeth, Romain, argnist, Anton Pastukhoff, Илья Уткин, Gildas NOEL, Ivan Klimchuk, JP DeVries, Kirill, Mark Hamstra, Mat Dave Jones, Nikolay Lanets, Sergey Shlokov, and Vasily Naumkin, along with many other contributors who log & triage issues, review PRs, and commit code. The MODX Community is Amazing.

Get Started with Revolution 2.5
Here’s what you need to get started or upgrade to MODX Revolution 2.5:
- Download Revolution 2.5
- Test it out for free in MODX Cloud
- What’s required to run Revolution 2.5
- How to install MODX Revolution
- How to upgrade MODX Revolution on your site
- Read the MODX Revolution Documentation

It Takes a Global Village
MODX is only as good as it is because of the many individual community members and users, from around the world, who take the time to report issues, request new features, and submit code to the project. Make sure you read the documentation, post feedback and share your experiences in the MODX community forums. On behalf of the entire MODX Team, we thank you!
Posted about 8 years ago by Jay Gilmore
We’ve worked diligently to improve the MODX Cloud platform, both behind the scenes and—more importantly—for all of its users.

The New Add-ons Tab
The biggest visible change is the new Add-ons tab for each MODX Cloud instance. This gives you access to additional features for each Cloud:
- Request SSL for increased security and visitor trust, and to boost your SEO,
- Order our Managed Cloud service, so you never have to worry about monitoring or maintaining your site at all, and
- Add server resources (PHP Workers) for higher traffic or more complex sites.

With this change, we’ve also moved enabling custom domains, installing phpMyAdmin and requesting Compass/Sass/Node.js to the Add-ons tab in the Dashboard. Most Add-ons currently submit a ticket for our team to implement, but we’re rolling out automation one by one. Look for additional available upgrades in the coming months.

Accessible Manager Preview
The MODX a11y project, likewise overdue an update, now has a preview available in MODX Cloud. Navigating the entire Manager via a keyboard, and being able to use screen readers and other assistive devices with the Manager, will open MODX to everyone. You can find a preview in the Public Snapshots tab under the main Snapshots menu item, and it can be injected into existing instances in MODX Cloud.

More for Less with Custom Domains
One of our key goals in MODX Cloud is to streamline what it takes to create, launch and maintain your sites. Now, you can add up to 25 domains to every Cloud instance for one low price: $5/Cloud per month ($10 on Basic plans). Previously the same price would have only given you 5 URLs, with 25 costing double. If you need even more, open a ticket and we’ll take care of you.

SSL for Everyone
Running a website under SSL is more important than ever for many reasons, including appeasing Google’s search ranking algorithm and serving sites more quickly with lower overhead. As a result, we decided everyone should be able to have a secure site, with no additional costs. SSL is now available at all plan levels, including Basic. Need a certificate installed today? Just open a ticket and we’ll be happy to assist. We’re close to releasing a more automated way to add SSL to your Clouds. Look for self-serve SSL certificate installation in the near future, and free SSL certificates after Let’s Encrypt comes out of beta.

Other Notable Improvements
In addition to the main items above, we’ve made some other improvements in MODX Cloud:
- The MODX Cloud user guide and knowledge base now lives in our Zendesk Help Center. You can search our KB articles straight from the Dashboard help widget, and open a ticket if you don’t find the answer you need.
- Need to grab a file you accidentally deleted a few days ago? Now it’s a whole lot easier: restore a backup into another Cloud instance straight from your main Backups tab in the MODX Cloud Dashboard.
- Added the latest version of MODX Revolution (2.4.4).
- Updated to the latest nginx and PHP.
- And finally, we were able to make nightly backups faster. Faster is better, right?

We look forward to continuing to bring you the tools you need to create, launch and maintain amazing websites more easily, faster and with less hassle than ever before.