We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

MODX Evolution 1.0.6 (and prior) Unauthorized Manager Access

  • Jay Gilmore Reply #1, 11 years, 4 months ago
    Product: MODX Evolution
    Risk: Very High
    Severity: Critical
    Versions: 1.0.6 and all previous releases
    Vulnerabilty Type: Permissions, Privileges, and Access Control; Input Validation; SQL Injection
    Report Date: 2012-Nov-26
    Fixed Date: 2012-Nov-26

    Description
    The Forgot Manager Login plugin distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows users to gain unauthorized access to the MODX Manager.

    Affected Releases
    All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.6 are affected.

    Solutions
    There are three ways to resolve or mitigate the issue:

    1. Disable Forgot Manager Login plugin
    2. Upgrade Forgot Manager Login to version 1.1.4
    3. Upgrade to MODX Evolution 1.0.7.

    NOTE
    A special thanks to community member Agel_Nash for reporting the full scope of this issue directly to MODX so a resolution could be made available before details were. [ed. note: opengeek last edited this post 11 years, 4 months ago.]
      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub

    This discussion is closed to further replies. Keep calm and carry on.