After exhaustive mitigation of the recent security breach on modx.com, we would like to discuss the incident, provide assurance of MODX’s security architecture, and relay the changes going forward. We would like to especially thank FireHost for their invaluable assistance in helping analyze the attack and recommending next steps.
We know this incident likely led to heartburn and frustration for many, and for that we sincerely apologize. We want all MODX users to know we absolutely realize the importance of the security and integrity of the MODX web properties and our products.
We want to emphasise that nothing in the code of any core release of MODX Revolution was involved in this incident. Nor did this affect MODX Cloud in any way.
The Attack Vector
On August 29th, we quickly cleaned and locked down our server when concerned individuals on Twitter alerted us to our homepage being blank. Our analysis determined that a single vector allowed the attack to be successful. A no-longer-used, hastily deployed form for previewing a listing before submission provided access to upload executable scripts. We also removed a software stack-testing file which remained on the server, as it was susceptible to a PHP bug that could serve as a vector for a compromise or service disruption.
In many MODX environments the damage could have been much worse. However, thanks to specific architectural decisions to isolate user credentials and file downloads from the server hosting the web site, we were fortunate in the limited scope of damage. Part of the compromise involved disclosure of what the attacker mistakenly, albeit understandably, thought was critical user database table details for modx.com. Thankfully this was a restrained attack, as more damage could have been done.
MODX published several interim notices, but delayed this final debrief until we were certain of the vector(s) involved, and that we observed failed intrusion attempts. Our silence during this time was purposeful while we completed analysis and put additional protections in place.
No sensitive user information was exposed, and no backdoors into the server remain. The core product and Extras downloads hosted by MODX were never tampered with, nor do they contain any threats. That being said, we dodged a bullet.
What We Learned
As a result of this incident, we have created a formal security team, dedicated to being proactive and open, including learning from other projects and pledging to keep MODX users informed and updated. We are also monitoring the server with renewed scrutiny and frequency, and will inform the public should we discover new threats to our services or your data.
At MODX, we’re committed to not only improve the security of MODX’s internal assets and customer environments, but also to keep all users well prepared for and informed of the constantly evolving threats to all of our MODX-driven web sites and applications.