We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
  • Product: MODX Revolution
    Severity: Extremely Critical
    Versions: 2.0.0–2.2.12
    Vulnerability type: SQL Injection
    Report date: 2014-Mar-5
    Fixed date: 2014-Mar-6

    Description
    A vulnerability was discovered in MODX Revolution that allows users to inject and manipulate the database. Attackers could exploit this to alter or destroy data in the database.

    Affected Releases
    All MODX Revolution releases prior to and including 2.2.12.

    Solutions

    1. Upgrade to MODX Revolution 2.2.13
    2. To quickly patch 2.2.12 before a complete upgrade you can replace the modx.class.php from 2.2.13 via: https://raw.github.com/modxcms/revolution/v2.2.13-pl/core/model/modx/modx.class.php
    3. For releases between 2.2.6 and 2.2.11 inclusive, you can replace the modx.class.php with the one from the relevant 'pl2' tag in the MODX Revolution repository. E.g. for v2.2.10-pl it would be https://raw.github.com/modxcms/revolution/v2.2.10-pl2/core/model/modx/modx.class.php".
    4. For releases prior to 2.2.6, please contact MODX Support for assistance patching your version, or to get help with an upgrade to 2.2.13

    Special Note for MODX Cloud Users
    If your sites are on MODX Cloud, we've taken steps to protect all sites from this issue, as always we recommend you upgrade to 2.2.13 at your earliest convenience.

    Acknowledgement
    We would like to thank MODX community member, Mark Ernst, for bringing this issue to our attention.

    Additional Information
    For additional information, please use the MODX Contact Form [ed. note: smashingred last edited this post 10 years ago.]
      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub

    This discussion is closed to further replies. Keep calm and carry on.