donShakespeare / TinymceWrapperMODX

A wrapper for TinyMCE and many other goodies for MODX Revolution

Hackers are gaining access through file managers #12

Closed SnowCreative closed 4 years ago

SnowCreative commented 4 years ago

I had one site get hacked last year. The hacker got access to the included ElFinder files. I just had another site get hacked by hackers accessing the Roxy filemanager files. I don't use either of those in MODX, so I've deleted these optional file managers from the assets folder. Thought you might want to know that this is happening.

donShakespeare commented 4 years ago

What version are you using? Roxy has been dropped for a while now, and I am curious how elFinder was compromised; please share.

SnowCreative commented 4 years ago

Sorry, ElFinder wasn't compromised (I didn't have that installed). It was ResponsiveFileManager. Another plugin I was using was a gateway, too (JSPlus Image Editor), which I've deleted. Basically, any plugin that has a script called "upload.php" or similar was being targeted and used to get access to the file system. I guess Roxy was just still in my installation because I've been using TinyMceWrapper for so long, and it was in the Assets directory this whole time, even after you stopped including it.

BUT, it could have been just Roxy. Files were installed in the Responsive File Manager folder, but that might have just been because the hacker already got access to the file system through Roxy, which had the most files installed in it. Checking my server logs, Roxy was the primary target.
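The comment above describes the two things worth checking after an incident like this: which orphaned file-manager upload scripts under assets/ were hit, and in what order. The script below is an added example (not code from TinymceWrapperMODX or from either commenter) that parses combined-format access log lines (the Apache and Nginx default), flags POSTs to upload/connector scripts of known file managers and requests that execute a .php file out of a manager's upload directory, and reports per-manager counts, source IPs and first-seen time so the sequence of events can be reconstructed. The manager directory names, script names and sample log lines are constructed for illustration and should be adjusted to what actually sits in your assets/ folder.

```python
"""Triage a web-server access log for hits on orphaned file-manager scripts.

Added example, not part of TinymceWrapperMODX. Scans combined-format access
log lines for traffic to file managers that may still sit under /assets/
after being dropped from a package, and aggregates it per manager.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Substrings identifying a file manager by its directory name. These are
# assumed names for the example; use the directories present in your install.
MANAGER_KEYWORDS = {
    "roxy": "roxy",
    "responsivefilemanager": "responsivefilemanager",
    "elfinder": "elfinder",
    "jsplus": "jsplus",
}

# Scripts that accept uploads or act as generic connectors in these managers
# (assumed filename pattern).
UPLOAD_SCRIPT_RE = re.compile(r'/(upload\w*|connector\w*)\.php$', re.I)
# A .php file served from an upload/files directory: a dropped file being executed.
DROPPED_PHP_RE = re.compile(r'/(uploads?|files)/[^/]+\.php$', re.I)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    # Drop the query string and normalise case before matching paths.
    d["path"] = d["path"].split("?", 1)[0].lower()
    return d


def classify(entry):
    """Return (manager, kind) if the request touches a file manager under /assets/.

    kind is 'upload' for a POST to an upload/connector script and 'dropped_php'
    for a request that executes a .php file from the manager's upload directory.
    Anything else returns None.
    """
    path = entry["path"]
    if not path.startswith("/assets/"):
        return None
    manager = next((name for name, kw in MANAGER_KEYWORDS.items() if kw in path), None)
    if manager is None:
        return None
    if entry["method"] == "POST" and UPLOAD_SCRIPT_RE.search(path):
        return manager, "upload"
    if DROPPED_PHP_RE.search(path):
        return manager, "dropped_php"
    return None


def triage(lines):
    """Aggregate suspicious file-manager traffic per manager, in first-seen order.

    Returns {manager: {"uploads": n, "uploads_ok": n, "dropped_php": n,
                       "ips": set, "first_seen": timestamp}}. uploads_ok counts
    uploads answered with 2xx; a 404 means the script was probed but is gone.
    The log is assumed to be in chronological order.
    """
    report = defaultdict(lambda: {"uploads": 0, "uploads_ok": 0, "dropped_php": 0,
                                  "ips": set(), "first_seen": None})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is None:
            continue
        manager, kind = hit
        rec = report[manager]
        rec["ips"].add(entry["ip"])
        if rec["first_seen"] is None:
            rec["first_seen"] = entry["ts"]
        if kind == "upload":
            rec["uploads"] += 1
            if 200 <= entry["status"] < 300:
                rec["uploads_ok"] += 1
        else:
            rec["dropped_php"] += 1
    return dict(report)


# Constructed sample lines, not real traffic; the /assets/ paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:02:14:03 +0000] "GET /assets/roxy/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:02:14:09 +0000] "POST /assets/roxy/php/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:02:14:12 +0000] "GET /assets/roxy/Uploads/cache.php?cmd=id HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:02:20:41 +0000] "POST /assets/responsivefilemanager/filemanager/upload.php HTTP/1.1" 200 64 "-" "curl/7.64.0"
198.51.100.23 - - [10/Mar/2020:03:02:55 +0000] "POST /assets/jsplus/upload.php HTTP/1.1" 404 196 "-" "python-requests/2.22.0"
192.0.2.5 - - [10/Mar/2020:09:15:00 +0000] "GET /index.php?id=12 HTTP/1.1" 200 9201 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Insertion order of the dict is first-seen order, since the log is chronological.
    for manager, rec in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{manager:22s} first seen {rec['first_seen']}  uploads={rec['uploads']} "
              f"(ok={rec['uploads_ok']})  dropped_php={rec['dropped_php']}  "
              f"ips={sorted(rec['ips'])}")
```

Run it against the real log with `triage(open("access.log").readlines())`. A manager with a successful upload followed by a `dropped_php` hit is the entry point; a manager whose first hit comes later (as ResponsiveFileManager does in the sample) was touched after the attacker already had a foothold. Deleting the orphaned directories is the fix; the log triage only tells you which one to blame.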

donShakespeare commented 4 years ago

We dropped ResponsiveFileManager as well. It has been a standalone MODX plugin. Was that compromised?

SnowCreative commented 4 years ago

It's hard to say. Files were copied into that folder and accessed, but the logs show that that happened after the initial attack through Roxy. At this point, I'm going to assume that Roxy was the security hole, so without that I don't anticipate more problems.