We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

MODX Evolution 1.0.13 (and prior) AjaxSearch Vulnerability

  • opengeek Reply #1, 9 years, 10 months ago
    Product: MODX Evolution
    Risk: Very High
    Severity: Critical
    Versions: <=1.0.13
    Vulnerabilty Type: Remote Code Execution
    Report Date: 2014-May-29
    Fixed Date: 2014-June-5

    Description
    The AjaxSearch component distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows remote code execution.

    Affected Releases
    All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.13 (with AjaxSearch installed) are affected.

    Solutions
    There are two ways to resolve or mitigate the issue:

    1. Upgrade AjaxSearch to version 1.10.1
    2. Upgrade to MODX Evolution 1.0.14.

    NOTE
    A special thanks to Semko Vitaliy for identifying the vector and community member Thomas Jakobi for the resolution. [ed. note: smashingred last edited this post 9 years, 10 months ago.]
      Jason Coward
      Chief Architect @ MODX
      http://www.jasoncoward.com | http://twitter.com/drumshaman | https://github.com/opengeek
    • matdave Reply #2, 9 years, 10 months ago
      You will need to do both 1 and 2 or 3. Just deleting the index-ajax.php still leaves the AjaxSearch vulnerable to attack.
        Mat Dave Jones

      This discussion is closed to further replies. Keep calm and carry on.