Mark Hamstra

Я благодарен всем, кто способствовал в получении этих уязвимостей фиксированных. Если официальный анонс должен получить другое имя добавил, что мы пропустили, пожалуйста, дайте мне знать, и я постараюсь, чтобы заставить кого-то обновить, что.
///---///
I'm thankful to everyone that contributed into getting these vulnerabilities fixed. If the official announcement should get another name added that we missed, please let me know and I'll try to get someone to update that.

Да, это одно из исправлений xPDO. Разработчики должны еще убедиться, что ввод данных пользователем продезинфицировать, хотя.
///---///
Yes, that's one of the xPDO fixes. Developers should still make sure user input is sanitised though.

The download count might be cached, it was on 1 download for a while :P

Хорошо пятнистый;), который выпускает исправления все проблемы, мы знаем прочь. Быстрый объявление выходит в ближайшее время, полное объявление с более подробной информации о том, что было исправлено будет выходить завтра или в ближайшие несколько дней.

Как вы, вероятно, может себе представить, что это критическое обновление каждый должен установить как можно скорее. Пожалуйста, дайте нам знать, если github.com/modxcms/revolution/issues есть какие-либо новые ошибки, или security@modx.com новых вопросов безопасности.

/// — ///

Well spotted ;) That releases fixes all issues we're aware off. A quick announcement is going out shortly, a full announcement with more details on what has been fixed will be going out tomorrow or the next few days.

As you can probably imagine, this is a critical update everyone should install as soon as possible. Please let us know at github.com/modxcms/revolution/issues if there are any new bugs, or security@modx.com for new security issues.

Я понимаю, что вы знаете о различных уязвимостей. Мы исправили несколько прямо сейчас. Не могли бы вы, пожалуйста, напишите security@modx.com с вашей информацией, чтобы мы могли быть уверены, что MODX безопасен снова? Спасибо!

— I understand you know about the different vulnerabilities. We've fixed a few now. Could you please email security@modx.com with your information so we can be sure MODX is secure again? Thank you!

Hopefully he will give the security team another chance! It is hard to communicate sometimes, but we all want to make MODX better. We're not perfect.

The security@modx.com email should be used for security issues. That way we can discuss it and prepare a patch privately, make sure it fixes the problem, and also prepare communication around it when a release is made available. I'm all for transparency and using github to vote for regular features, but security issues should not be public right away. ;)

Just for the record, I don't work for the company MODX. I used to work for them, but have been independent for 3 years now.

I am part of the security team and core integrators on the MODX project though. So if anyone from the Russian-speaking community would like to discuss project related things with me, I am more than happy to work with them.

I thanked them for responsibly sending us information about the vulnerabilities discussed here. Nikolai sent an email to security@modx.com which led to the discovery of SQL injections. Changing the table prefix is not a sufficient fix, I agree. Bezumkin also reached out to Jason privately to investigate another vulnerability.

With all respect to Ryan, he's not a developer and not the person to talk to for security issues. That's why there is security@modx.com, as that has the integrators and other MODX team members.

We took too long to respond to your initial email, and I'm sorry for that. Maybe we need to set up new policies on who handles reports in what way to make sure that doesn't happen, but talking to Ryan is not the same as alerting core developers about critical issues.

As I also posted on the other thread, please email security related issues to security@modx.com. For this case there is already a pull request that Jason has merged and is working on further, but please always email security@modx.com with details on possible vulnerabilities. It's not always clear what is happening right away, so we need enough information to reproduce and fix any security related issue.

Definitely a problem of communication! I managed to confirm one issue you emailed about last week, but did not realise there were other issues that made everything worse. Sorry it took so long to get our full attention.

I've managed to read the entire thread using Google Translate, but I have not found details on the actual vulnerabilities and proof of concepts. There's a lot of discussion and some pointers to code, but that's not enough for us to reproduce the problems and solve them.

It's good that steps to hack a site are not posted publicly, but we do need that information via security@modx.com so we can fix it as soon as possible. If it's in Russian we can use google translate, as long as we get the information we need to solve it.

If you have information about how these vulnerabilities work, please email that to security@modx.com. We're working on fixing vulnerabilities, but don't have all the information yet.

I've just finished reading through the comments and wanted to add one thing: please email security@modx.com with details of vulnerabilities!

Earlier today Jason got information that made it clear there are serious vulnerabilities and he has been working on fixing them since, and as member of the security team he asked me to help as well. Thanks to help from people like Nikolay and Bezumkin we've found and fixed some issues, but we still don't have all the information about how some of the things discussed in the comments work. So please, if you have any details or proof of concepts of attacks, please email those to security@modx.com so we can make MODX safer and release an update soon.