[Snip - removed by forum administrator. Security vulnerabilities - real or imagined - should not be posted publicly]
This probably affects EVO as well!?
Last edited by mrhaw (2015-11-15 01:31:24)
I think this has been addressed before. All but one of these items begins with a note that you need a user account to implement the hacks. That is, more a matter of trust than of security. Every power socket in my house is extremely dangerous by these standards - any idiot with a screwdriver can remove the faceplate and stick their finger on a live wire.
I haven't been around for a while, but I noticed this crop up on the manager news feed of a client's site. These sorts of 'security disclosures' are quite irritating. FUD.
AFAIK, all these 'vulnerabilities' require backend user access, except perhaps one (the description is unclear) which doesn't actually relate to core code.
1. If a malicious user has the sort of privileges mentioned here, then they can seriously mess things up anyway, just by using the manager in the way it is intended to be used. For example one of these 'vulnerabilities' included in the description "An account with the role "Publisher" or "Administrator" is needed to exploit each of these vulnerabilities." I'm sorry, but any 'vulnerability' that requires such privileges is not a vulnerability. Both publishers and administrators have the power to cause havoc on a site just by virtue of their roles (obviously).
I'm pretty much mirroring what KP says here.
I'll also add for clarification, that (as per previously published information) any manager user, regardless of role, should be a trusted person. I don't know what MODx's position, if any, on this is, but that is what has been said before regarding ClipperCMS. It's quite simple: if you don't trust someone, don't give them any backend access.
2. Posting such things on a public forum is irresponsible. Either you realise that most if not all of this is invalid, in which case this is all a waste of time at best and further FUD at worst, or you believe them to be genuine. If the latter, a private message or email would be far more appropriate.
3. This is not the first time this has happened.