Mark Hamstra

Mark Hamstra

Был в сети 17 марта 2018, 16:39
Заказы не принимаю
Я благодарен всем, кто способствовал в получении этих уязвимостей фиксированных. Если официальный анонс должен получить другое имя добавил, что мы пропустили, пожалуйста, дайте мне знать, и я постараюсь, чтобы заставить кого-то обновить, что.
///---///
I'm thankful to everyone that contributed into getting these vulnerabilities fixed. If the official announcement should get another name added that we missed, please let me know and I'll try to get someone to update that.
Хорошо пятнистый;), который выпускает исправления все проблемы, мы знаем прочь. Быстрый объявление выходит в ближайшее время, полное объявление с более подробной информации о том, что было исправлено будет выходить завтра или в ближайшие несколько дней.

Как вы, вероятно, может себе представить, что это критическое обновление каждый должен установить как можно скорее. Пожалуйста, дайте нам знать, если
github.com/modxcms/revolution/issues есть какие-либо новые ошибки, или security@modx.com новых вопросов безопасности.

/// — ///

Well spotted ;) That releases fixes all issues we're aware off. A quick announcement is going out shortly, a full announcement with more details on what has been fixed will be going out tomorrow or the next few days.

As you can probably imagine, this is a critical update everyone should install as soon as possible. Please let us know at github.com/modxcms/revolution/issues if there are any new bugs, or security@modx.com for new security issues.
Я понимаю, что вы знаете о различных уязвимостей. Мы исправили несколько прямо сейчас. Не могли бы вы, пожалуйста, напишите security@modx.com с вашей информацией, чтобы мы могли быть уверены, что MODX безопасен снова? Спасибо!

— I understand you know about the different vulnerabilities. We've fixed a few now. Could you please email security@modx.com with your information so we can be sure MODX is secure again? Thank you!
With all respect to Ryan, he's not a developer and not the person to talk to for security issues. That's why there is security@modx.com, as that has the integrators and other MODX team members.

We took too long to respond to your initial email, and I'm sorry for that. Maybe we need to set up new policies on who handles reports in what way to make sure that doesn't happen, but talking to Ryan is not the same as alerting core developers about critical issues.
As I also posted on the other thread, please email security related issues to security@modx.com. For this case there is already a pull request that Jason has merged and is working on further, but please always email security@modx.com with details on possible vulnerabilities. It's not always clear what is happening right away, so we need enough information to reproduce and fix any security related issue.
I've managed to read the entire thread using Google Translate, but I have not found details on the actual vulnerabilities and proof of concepts. There's a lot of discussion and some pointers to code, but that's not enough for us to reproduce the problems and solve them.

It's good that steps to hack a site are not posted publicly, but we do need that information via security@modx.com so we can fix it as soon as possible. If it's in Russian we can use google translate, as long as we get the information we need to solve it.
I've just finished reading through the comments and wanted to add one thing: please email security@modx.com with details of vulnerabilities!

Earlier today Jason got information that made it clear there are serious vulnerabilities and he has been working on fixing them since, and as member of the security team he asked me to help as well. Thanks to help from people like Nikolay and Bezumkin we've found and fixed some issues, but we still don't have all the information about how some of the things discussed in the comments work. So please, if you have any details or proof of concepts of attacks, please email those to security@modx.com so we can make MODX safer and release an update soon.