Jay Gilmore Reply #1, 1 year, 7 months ago
It has recently come to our attention that phpThumb (all versions) contains an unpatched vulnerability.
If you are using phpThumb on any of your sites either as part of a plugin or standalone, you should use the following fix to secure your site:
http://modxcms.com/forums/index.php/topic,54874.msg316279.html#msg316279
Note: This vulnerability does not affect the phpThumb that is included in the MODx Revolution distribution.
The application is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input to the 'fltr[]' parameter in the 'phpThumb.php' script.
Attackers can exploit this issue to execute arbitrary commands in the context of the webserver.
Note that successful exploitation requires 'ImageMagick' to be installed.
phpThumb() 1.7.9 is affected; other versions may also be vulnerable.
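As an added illustration of the bug class the advisory describes (this is not phpThumb's own code and not an exploit for it): a hypothetical filter handler that turns a user-supplied fltr[] value into an ImageMagick convert command line, first in the form that allows command injection, then in a hardened form that whitelists the filter name, type-checks its argument and quotes every token. The "name|arg" parameter syntax, the function names and the filter whitelist are assumptions made for this example.

```php
<?php
// Added example, not phpThumb's code. Models a thumbnail script that maps a
// user-controlled fltr[] value such as "blur|5" onto an ImageMagick command.
// The "name|arg" syntax, function names and whitelist are assumptions.

// Vulnerable pattern: the raw parameter is interpolated into the shell string.
function build_filter_command_vulnerable(string $fltr, string $src, string $dst): string
{
    [$name, $arg] = array_pad(explode('|', $fltr, 2), 2, '');
    // $name and $arg flow straight into the shell: a value like "blur|5;id"
    // terminates the convert invocation and runs "id" as the web server user.
    return "convert $src -$name $arg $dst";
}

// Hardened pattern: accept only known filter names, constrain each argument to
// the type it must have, and quote every token with escapeshellarg().
const ALLOWED_FILTERS = [
    'blur'    => 'number',
    'sharpen' => 'number',
    'flip'    => 'none',
];

function build_filter_command_hardened(string $fltr, string $src, string $dst): ?string
{
    [$name, $arg] = array_pad(explode('|', $fltr, 2), 2, '');
    if (!isset(ALLOWED_FILTERS[$name])) {
        return null;                         // unknown filter: reject, never pass through
    }
    $argv   = ['convert', $src];
    $argv[] = '-' . $name;                   // $name now comes from the whitelist
    switch (ALLOWED_FILTERS[$name]) {
        case 'number':
            if (!preg_match('/^\d+(\.\d+)?$/', $arg)) {
                return null;                 // "5;id" or "5 $(id)" fail here
            }
            $argv[] = $arg;
            break;
        case 'none':
            if ($arg !== '') {
                return null;                 // this filter takes no argument
            }
            break;
    }
    $argv[] = $dst;
    // Quoting is the last line of defence, applied to every token including paths.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed inputs: one benign request and several injection attempts.
$cases = ['blur|5', 'blur|5;id', 'blur|5 $(id)', 'flip|', 'ls|'];
foreach ($cases as $fltr) {
    echo "fltr[]=" . $fltr . "\n";
    echo "  vulnerable: " . build_filter_command_vulnerable($fltr, 'in.jpg', 'out.jpg') . "\n";
    echo "  hardened:   " . var_export(build_filter_command_hardened($fltr, 'in.jpg', 'out.jpg'), true) . "\n";
}
```

The hardened form rejects rather than "cleans" unexpected input, because quoting alone does not stop a value that ImageMagick itself interprets (an option-looking argument, or an input path with a coder prefix). Where the PHP version allows it, passing the argument array directly to proc_open() instead of building a shell string removes the shell from the picture entirely, and the whitelist and type checks still apply.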