• Critical Security Measure

  • rthrash Reply #1, 5 years, 6 months ago

    Please immediately add the following to the top of any public install you may have running of any version of MODx, inside the opening PHP tag. This potential vulnerability only affects installations where the php.ini has register_globals set to ON. (Which is a no-no and security issue in and of itself!)

    In /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php:

    // Abort unless the request comes from a validated manager session
    if(!isset($_SESSION['mgrValidated'])) {
        die("<b>INCLUDE_ORDERING_ERROR</b><br /><br />Please use the MODx Content Manager instead of accessing this file directly.");
    }

    Update: this fix is required only for servers with register_globals set to ON; otherwise it's not needed.

    More information as it's available.
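
Added example (not part of the post above and not MODx code): a Python audit that checks the two conditions the notice describes, namely whether php.ini turns register_globals on and whether the session guard is the first statement in a copy of Thumbnail.php. The function names, result strings and sample inputs are constructed for illustration.

```python
import re

# Matches the guard from the post: if(!isset($_SESSION['mgrValidated']))
GUARD = re.compile(
    r"""if\s*\(\s*!\s*isset\s*\(\s*\$_SESSION\s*\[\s*['"]mgrValidated['"]\s*\]\s*\)\s*\)"""
)
# Whitespace followed by one /* */, // or # comment at the current position
LEADING_COMMENT = re.compile(r"\s*(?:/\*.*?\*/|(?://|#)[^\n]*)", re.S)
ON_VALUES = {"1", "on", "true", "yes"}


def register_globals_enabled(ini_text):
    """Return True if the last active register_globals line in php.ini is on."""
    enabled = False  # PHP's built-in default has been Off since 4.2.0
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"(?i)register_globals\s*=\s*(.*)$", line)
        if m:
            enabled = m.group(1).strip("\"' ").lower() in ON_VALUES
    return enabled


def guard_is_first_statement(php_source):
    """Return True if the guard is the first code after the opening PHP tag."""
    tag = re.match(r"(?i)\s*<\?(?:php)?", php_source)
    if not tag:
        return False
    body = php_source[tag.end():]
    while (comment := LEADING_COMMENT.match(body)):
        body = body[comment.end():]  # tolerate a header comment above the guard
    return GUARD.match(body.lstrip()) is not None


def audit(ini_text, php_source):
    """Classify one install according to the notice above."""
    if guard_is_first_statement(php_source):
        return "guard present"
    return "add guard" if register_globals_enabled(ini_text) else "guard not required"


# Constructed sample inputs (stand-ins, not the real Thumbnail.php or php.ini)
INI_ON = "; register_globals = Off\nregister_globals = On ; legacy setting\n"
INI_OFF = "[PHP]\nregister_globals = Off\n"
PATCHED = "<?php\n/* header */\nif(!isset($_SESSION['mgrValidated'])) {\n  die('...');\n}\nclass Thumbnail {}\n"
UNPATCHED = "<?php\nclass Thumbnail {}\n"
LATE_GUARD = "<?php\nclass Thumbnail {}\nif(!isset($_SESSION['mgrValidated'])) { die('...'); }\n"

if __name__ == "__main__":
    for name, src in (("patched", PATCHED), ("unpatched", UNPATCHED), ("late guard", LATE_GUARD)):
        print(name, "->", audit(INI_ON, src), "/", audit(INI_OFF, src))
```

The php.ini check reads only the text it is given, so it does not see per-directory overrides such as a php_flag line in Apache configuration.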


  • rthrash Reply #2, 5 years, 6 months ago

    Note: discussion regarding this topic has been moved to General Support.


  • rthrash Reply #3, 5 years, 6 months ago

    Please update your site to 0.9.2.2 for a proper fix to this issue as noted in the subsequent security notice.


  • rthrash Reply #4, 5 years, 4 months ago

    A better solution (now) is to update to 0.9.5, which also includes this fix and a lot more.