<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0" xml:lang="en">
    <channel>
        <title>MODX Community Forums - Security Notices</title>
        <link>http://forums.modx.com/board/?board=8</link>
        <description><![CDATA[RSS Feed for MODX Community Forums]]></description>
        <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/modxsecurity" />
        <feedburner:info uri="modxsecurity" />
        <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" />
        <feedburner:emailServiceId>modxsecurity</feedburner:emailServiceId>
        <feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname>
<item>
    <title><![CDATA[MODx Evo 1.0.4 (and prior) SQL Injection and Directory Traversal Vulnerabilities]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/RmGJraioWuw/modx-evo-1-0-4-and-prior-sql-injection-and-directory-traversal-vulnerabities</link>
    <description>Status: Solved
Product: MODx Evolution
Severity: High
Versions: 1.0.4 and prior
Advisory Date: 2011-01-26
Fixed Date: 2011-01-19
Impact: a) A remote attacker may access or view arbitrary files on the server. b) A remote attacker may execute arbitrary PHP code as a result of SQL injection.
Description: JPCERT/CC has issued the following advisories: a) http://jvn.jp/en/jp/JVN95385972/index.html b) http://jvn.jp/en/jp/JVN54092716/index.html
Solution: Upgrade to MODx Revolution 1.0.5 available here: http:...</description>
    <author>21257</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/268/modx-evo-1-0-4-and-prior-sql-injection-and-directory-traversal-vulnerabities#dis-post-1674</comments>
    <pubDate>Fri, 28 Jan 2011 02:13:31 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/268/modx-evo-1-0-4-and-prior-sql-injection-and-directory-traversal-vulnerabities#dis-post-1674</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/268/modx-evo-1-0-4-and-prior-sql-injection-and-directory-traversal-vulnerabities#dis-post-1674</feedburner:origLink></item>
<item>
    <title><![CDATA[Critical PHP Bug Security Notice and Patch]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/VqW3tQrGiXc/critical-php-bug-security-notice-and-patch</link>
    <description>Earlier this week, a PHP Security Notice was made due to a critical bug in PHP that could cause PHP to fail should a value of 2.2250738585072011e-308 be set to a PHP value.
More information can be found here:
http://bugs.php.net/bug.php?id=53632
http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308
This bug can affect MODx installations. MODx Revolution has been patched in GitHub for this. It is highly recommended that all MODx Revolution users patch their MODx installati...</description>
    <author>28215</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/267/critical-php-bug-security-notice-and-patch#dis-post-1673</comments>
    <pubDate>Thu, 06 Jan 2011 09:43:30 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/267/critical-php-bug-security-notice-and-patch#dis-post-1673</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/267/critical-php-bug-security-notice-and-patch#dis-post-1673</feedburner:origLink></item>
<item>
    <title><![CDATA[Critical Security Upgrade Notice for FormIt, Quip and Login]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/bEosSsNBUAY/critical-security-upgrade-notice-for-formit-quip-and-login</link>
    <description>We received a report of a potential vulnerability in FormIt, Quip and Login that could be used to expose system settings including database information. This has been corrected and new versions have been posted. Upgrading of FormIt, Login and Quip to the latest versions via Package Manager should be considered critical.
This only affects MODX Revolution installations that have installed the Extras FormIt, Quip and Login.</description>
    <author>27708</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/266/critical-security-upgrade-notice-for-formit-quip-and-login#dis-post-1672</comments>
    <pubDate>Thu, 09 Dec 2010 08:17:16 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/266/critical-security-upgrade-notice-for-formit-quip-and-login#dis-post-1672</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/266/critical-security-upgrade-notice-for-formit-quip-and-login#dis-post-1672</feedburner:origLink></item>
<item>
    <title><![CDATA[phpThumb Command-Injection Vulnerability]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/MitMh5pwrug/phpthumb-command-injection-vulnerability</link>
    <description>It has recently come to our attention that phpThumb (all versions) contains an unpatched vulnerability.' parameter in the 'phpThumb.php' script. Attackers can exploit this issue to execute arbitrary commands in the context of the webserver. Note that successful exploitation requires 'ImageMagick' to be installed. phpThumb() 1.7.9 is affected; other versions may also be vulnerable. If you are using phpThumb on any of your sites either as part of a plugin or standalone, you s...</description>
    <author>27708</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/265/phpthumb-command-injection-vulnerability#dis-post-1671</comments>
    <pubDate>Tue, 05 Oct 2010 11:01:07 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/265/phpthumb-command-injection-vulnerability#dis-post-1671</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/265/phpthumb-command-injection-vulnerability#dis-post-1671</feedburner:origLink></item>
<item>
    <title><![CDATA[MODx Revolution 2.0.3 Addresses Pair of Vulnerabilities]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/m0rASfYSxHU/modx-revolution-2-0-3-addresses-pair-of-vulnerabilities</link>
    <description>The MODx Revolution 2.0.3 release addresses a pair of reported security vulnerabilities with MODx Revolution 2.0.2-pl and possibly earlier releases:
Input passed via the "modhash" parameter to manager/index.php is not properly sanitized before being returned to the user and input passed via the "class_key" parameter to manager/controllers/default/resource/tvs.php is not properly verified before being used to include files.
We recommend that anyone running previous versions of M...</description>
    <author>27708</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/264/modx-revolution-2-0-3-addresses-pair-of-vulnerabilities#dis-post-1670</comments>
    <pubDate>Thu, 30 Sep 2010 01:47:17 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/264/modx-revolution-2-0-3-addresses-pair-of-vulnerabilities#dis-post-1670</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/264/modx-revolution-2-0-3-addresses-pair-of-vulnerabilities#dis-post-1670</feedburner:origLink></item>
<item>
    <title><![CDATA[MODx Revolution Cross-Site Scripting and Local File Inclusion Vulnerabilities]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/7jjRbo-Hfbk/modx-revolution-cross-site-scripting-and-local-file-inclusion-vulnerabilities</link>
    <description>Status: Solved (See: Notice on fix)
Product: MODx Revolution
Risk: Moderate
Versions: 2.0.x
Vulnerability type: Cross-Site Scripting and Local File Inclusion Vulnerabilities
Report Date: 2010-09-29
Fixed Date: 2010-09-29
Description: Issue reported as Secunia Advisory SA41638. Input passed via the "modhash" parameter to manager/index.php is not properly sanitized before being returned to the user and input passed via the "class_key" parameter to manager/controllers/default/resource/tvs...</description>
    <author>27708</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/263/modx-revolution-cross-site-scripting-and-local-file-inclusion-vulnerabilities#dis-post-1669</comments>
    <pubDate>Wed, 29 Sep 2010 02:50:16 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/263/modx-revolution-cross-site-scripting-and-local-file-inclusion-vulnerabilities#dis-post-1669</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/263/modx-revolution-cross-site-scripting-and-local-file-inclusion-vulnerabilities#dis-post-1669</feedburner:origLink></item>
<item>
    <title><![CDATA[MODx Evolution SQL Injection Vulnerability]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/S7qmAoBgcFY/modx-evolution-sql-injection-vulnerability</link>
    <description>Product: MODx Evolution
Risk: Moderate
Versions: 1.0.3 and all previous releases
Vulnerability type: SQL Injection
Report Date: 2010-May-28
Fixed Date: 2010-May-28
Description: Issue reported as HTB22412. Attacker could potentially compromise MODx Evolution via an unsanitized variable on the /manager/index.php. No actual destructive exploit has yet been created or proven. The proof of concept offered on the htbridge.ch site, and variants, can only cause a SQL error to be displayed.
Affected ...</description>
    <author>27708</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/262/modx-evolution-sql-injection-vulnerability#dis-post-1668</comments>
    <pubDate>Mon, 07 Jun 2010 04:59:22 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/262/modx-evolution-sql-injection-vulnerability#dis-post-1668</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/262/modx-evolution-sql-injection-vulnerability#dis-post-1668</feedburner:origLink></item>
<item>
    <title><![CDATA[Security updates in MODx Evolution 1.0.3. You really should upgrade.]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/0K0co-E6krw/security-updates-in-modx-evolution-1-0-3-you-really-should-upgrade</link>
    <description>The MODx Evolution 1.0.3 release addresses a number of reported security vulnerabilities with previous MODx Evolution 1.0.2 and earlier releases:
- XSS possibilities with the SearchHighlight plugin (used by AjaxSearch) as reported in JVN#19774883 and JVN#46669729
- Unwanted information disclosure about the site structure in the TinyMCE plugin
- SQL Injection via WebLogin
We strongly recommend that anyone running previous versions of MODx Evolution (including 0.9.x releases) consider Evolution 1.0.3 a m...</description>
    <author>25663</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/261/security-updates-in-modx-evolution-1-0-3-you-really-should-upgrade#dis-post-1667</comments>
    <pubDate>Thu, 01 Apr 2010 10:11:06 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/261/security-updates-in-modx-evolution-1-0-3-you-really-should-upgrade#dis-post-1667</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/261/security-updates-in-modx-evolution-1-0-3-you-really-should-upgrade#dis-post-1667</feedburner:origLink></item>
<item>
    <title><![CDATA[Security Fix for MODx Revolution 2.0-beta2 (and beta1)]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/sZCrCfB4l4U/security-fix-for-modx-revolution-2-0-beta2-and-beta1</link>
    <description>There has been a reported security vulnerability for MODx Revolution 2.0 beta1 and beta2. We have committed a temporary fix until we hit the root of the issue, which is a problem with the modAccessibleObject and Context Policy loading.
SVN users, to fix this vulnerability, please update to r5505.
Non-SVN users, please make the changes as illustrated here: http://svn.modxcms.com/crucible/changelog/modx/?cs=5501 and here: http://svn.modxcms.com/crucible/changelog/modx/?cs=5505
Again, MODx recommends th...</description>
    <author>28215</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/260/security-fix-for-modx-revolution-2-0-beta2-and-beta1#dis-post-1666</comments>
    <pubDate>Thu, 23 Jul 2009 02:28:34 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/260/security-fix-for-modx-revolution-2-0-beta2-and-beta1#dis-post-1666</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/260/security-fix-for-modx-revolution-2-0-beta2-and-beta1#dis-post-1666</feedburner:origLink></item>
<item>
    <title><![CDATA[Reflect RFI Exploit]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/ummLkT9k5BI/reflect-rfi-exploit</link>
    <description>It has come to our attention that it's possible to compromise some sites with specific server configurations via the reference copy of the Reflect snippet installed by default at /assets/snippets/reflect/snippet.reflect.php
A temporary solution is to simply rename this file with a .txt extension in your website. We are working on confirming a permanent solution and will update this post as soon as possible with more details.
For more information see the Secunia advisory and the discussion on ...</description>
    <author>25663</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/259/reflect-rfi-exploit#dis-post-1665</comments>
    <pubDate>Mon, 24 Nov 2008 04:46:49 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/259/reflect-rfi-exploit#dis-post-1665</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/259/reflect-rfi-exploit#dis-post-1665</feedburner:origLink></item>
<item>
    <title><![CDATA[0.9.6.2 HTTP_REFERER Checks and Potential CSRF Vulnerabilities]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/RT5Sn6koqFs/0-9-6-2-http-referer-checks-and-potential-csrf-vulnerabilities</link>
    <description>Some potential CSRF (Cross Site Request Forgery) vulnerabilities that require a valid manager session were identified in MODx 0.9.6.1-p2 and earlier versions and as a result, a new security feature to help protect your content managers from these types of attacks has been introduced with the release of 0.9.6.2.
CSRF Potential
Details of the kinds of attacks these vulnerabilities make possible are available in the associated bug report: #MODX-206.
HTTP_REFERER Solution
To prevent a majority of these ...</description>
    <author>22303</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/258/0-9-6-2-http-referer-checks-and-potential-csrf-vulnerabilities#dis-post-1663</comments>
    <pubDate>Tue, 16 Sep 2008 12:45:11 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/258/0-9-6-2-http-referer-checks-and-potential-csrf-vulnerabilities#dis-post-1663</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/258/0-9-6-2-http-referer-checks-and-potential-csrf-vulnerabilities#dis-post-1663</feedburner:origLink></item>
<item>
    <title><![CDATA[Acknowledgment: [DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulner]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/H1DETzULK7c/acknowledgment-dsecrg-08-013-modx-0-9-6-1-0-9-6-1p1-multiple-security-vulner</link>
    <description>The MODx team believes the following security notice is sophistical – plausible but misleading (some would refer to it as "FUD"). We are continuing further investigations.
Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulnerabilities
To reproduce the security compromises listed above, a malicious hacker would first have to hijack a valid manager session, then convince someone to visit a link to the site with that session and their XSS content inserted. This could be of concern however in...</description>
    <author>25663</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/257/acknowledgment-dsecrg-08-013-modx-0-9-6-1-0-9-6-1p1-multiple-security-vulner#dis-post-1662</comments>
    <pubDate>Wed, 13 Feb 2008 08:49:25 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/257/acknowledgment-dsecrg-08-013-modx-0-9-6-1-0-9-6-1p1-multiple-security-vulner#dis-post-1662</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/257/acknowledgment-dsecrg-08-013-modx-0-9-6-1-0-9-6-1p1-multiple-security-vulner#dis-post-1662</feedburner:origLink></item>
<item>
    <title><![CDATA[IMPORTANT: Two new vulnerabilities in 0.9.6.1]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/DT60DXI9g_s/important-two-new-vulnerabilities-in-0-9-6-1</link>
    <description>Please take notice that two security vulnerabilities have been reported and confirmed in 3rd-party scripts that are included in the MODx 0.9.6.1 distributions. Please see http://www.securityfocus.com/archive/1/485707/30/0/threaded for details. You need to take immediate action to protect your site(s).
For 0.9.6.1
Go to http://svn.modxcms.com/trac/tattoo/changeset/3281 and you can choose from three options for applying the changes to your existing installations: download the zip archi...</description>
    <author>25663</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/256/important-two-new-vulnerabilities-in-0-9-6-1#dis-post-1660</comments>
    <pubDate>Tue, 22 Jan 2008 01:21:09 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/256/important-two-new-vulnerabilities-in-0-9-6-1#dis-post-1660</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/256/important-two-new-vulnerabilities-in-0-9-6-1#dis-post-1660</feedburner:origLink></item>
<item>
    <title><![CDATA[CVE-2007-5371 not a vulnerability, or how I learned to stop worrying & love FUD]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/U3AKF1bhIgM/cve-2007-5371-not-a-vulnerability-or-how-i-learned-to-stop-worrying-amp-love-fud</link>
    <description>FYI: A number of MODx users have contacted me in regards to the posting of a MODx vulnerability from bugtraq, that is now showing up in two prominent vulnerability databases as CVE-2007-5371 and BID 25983:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5371
http://www.securityfocus.com/bid/25983
We were never contacted by the poster, and after extensive analysis on our side, this vulnerability has been found to be 100% inaccurate; in fact, I believe it to be deliberate FUD. No attack vectors hav...</description>
    <author>22303</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/255/cve-2007-5371-not-a-vulnerability-or-how-i-learned-to-stop-worrying-amp-love-fud#dis-post-1657</comments>
    <pubDate>Sun, 14 Oct 2007 12:25:42 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/255/cve-2007-5371-not-a-vulnerability-or-how-i-learned-to-stop-worrying-amp-love-fud#dis-post-1657</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/255/cve-2007-5371-not-a-vulnerability-or-how-i-learned-to-stop-worrying-amp-love-fud#dis-post-1657</feedburner:origLink></item>
<item>
    <title><![CDATA[Ditto 2.0.2 XSS Vulnerability]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/apY8B5ZsOoc/ditto-2-0-2-xss-vulnerability</link>
    <description>It has come to my attention, thanks to forum user neroz, that there is a small XSS vulnerability in Ditto 2.0.2. Although 2.1 is nearly ready, I will be away for the next 10 days or so and do not wish to release something I will not be able to support. Therefore, I've created a patched version of Ditto 2.0.2, which has now been released as 2.0.3. If your site makes extensive use of javascript or cookies, it would be wise to update your Ditto install. Otherwise, stay tuned for Ditto 2.1 in t...</description>
    <author>33337</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/254/ditto-2-0-2-xss-vulnerability#dis-post-1656</comments>
    <pubDate>Mon, 20 Aug 2007 04:05:44 -0500</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/254/ditto-2-0-2-xss-vulnerability#dis-post-1656</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/254/ditto-2-0-2-xss-vulnerability#dis-post-1656</feedburner:origLink></item>
<item>
    <title><![CDATA[Critical Security Measure]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/C3jWzx9Nm-Q/critical-security-measure</link>
    <description>Please immediately add the following to the top of any public install you may have running of any version of MODx, inside the opening PHP tag. This potential vulnerability only affects installations where the php.ini has register_globals set to ON. (Which is a no-no and security issue in and of itself!)
In /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php:
if(!isset($_SESSION)) {
    die("&amp;lt;b&amp;gt;INCLUDE_ORDERING_ERROR&amp;lt;/b&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;br /&amp;gt;Please use the...</description>
    <author>25663</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/250/critical-security-measure#dis-post-1648</comments>
    <pubDate>Wed, 10 Jan 2007 10:34:12 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/250/critical-security-measure#dis-post-1648</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/250/critical-security-measure#dis-post-1648</feedburner:origLink></item>
<item>
    <title><![CDATA[FileDownload exploit!]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/vowgI8RqyKc/filedownload-exploit</link>
    <description>VERY IMPORTANT
If you have added the FileDownload snippet to a MODx site, please remove this snippet from your sites immediately. There is a known vulnerability in this component that can expose critical database credentials by allowing exploiters to download your config.inc.php file or any number of other critical files directly from your server. A new version of the component will be available shortly that resolves this issue, but in the meantime, it is absolutely critical that you ...</description>
    <author>25663</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/253/filedownload-exploit#dis-post-1654</comments>
    <pubDate>Sat, 30 Dec 2006 11:54:06 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/253/filedownload-exploit#dis-post-1654</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/253/filedownload-exploit#dis-post-1654</feedburner:origLink></item>
<item>
    <title><![CDATA[0.9.2.2 released]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/tdhi0XZZIhQ/0-9-2-2-released</link>
    <description>0.9.2.2 is an important release which contains some measures to prevent possible XSS exploits that have been back-ported from the pending 095 release. This should be considered a mandatory and immediate upgrade. Existing installs can use the patch distribution if you're running 0.9.2.1. Earlier installs should use the full upgrade as outlined on the download page.
Download 0.9.2.2</description>
    <author>22303</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/252/0-9-2-2-released#dis-post-1651</comments>
    <pubDate>Mon, 06 Nov 2006 09:58:48 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/252/0-9-2-2-released#dis-post-1651</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/252/0-9-2-2-released#dis-post-1651</feedburner:origLink></item>
<item>
    <title><![CDATA[Security notice subscription options]]></title>
    <link>http://feedproxy.google.com/~r/modxsecurity/~3/eIvd8EjtoWg/security-notice-subscription-options</link>
    <description>Please subscribe to MODx Security notices via one or both of the following two methods (powered by Feedburner):
RSS: http://feeds.feedburner.com/modxsecurity
Email: Subscribe to MODx Security Notices by Email</description>
    <author>25663</author>
    <category><![CDATA[General]]></category>
    <comments>http://forums.modx.com/http://forums.modx.com/thread/251/security-notice-subscription-options#dis-post-1649</comments>
    <pubDate>Mon, 06 Nov 2006 12:59:23 -0600</pubDate>
    <guid isPermaLink="false">http://forums.modx.com/http://forums.modx.com/thread/251/security-notice-subscription-options#dis-post-1649</guid>
<feedburner:origLink>http://forums.modx.com/http://forums.modx.com/thread/251/security-notice-subscription-options#dis-post-1649</feedburner:origLink></item>
    </channel>
</rss>