https://forums.modx.com/thread/?thread=253 https://forums.modx.com/thread/253/filedownload-exploit#dis-post-1654 rethrash Dec 30, 2006, 11:54 AM https://forums.modx.com/thread/253/filedownload-exploit#dis-post-1654 https://forums.modx.com/thread/253/filedownload-exploit#dis-post-1653 rethrash Dec 30, 2006, 11:17 AM https://forums.modx.com/thread/253/filedownload-exploit#dis-post-1653 https://forums.modx.com/thread/253/filedownload-exploit#dis-post-1652 VERY IMPORTANT!

If you have added the FileDownload snippet to a MODx site, please remove this snippet from your sites immediately. There is a known vulnerability in this component that can expose critical database credentials by allowing exploiters to download your config.inc.php file or any number of other critical files directly from your server. A new version of the component will be available shortly that resolves this issue, but in the meantime, it is absolutely critical that you disable this snippet.

Also, if you have a site with this snippet currently enabled, it is highly recommended that you change your database username/password after disabling the snippet as soon as possible. It is possible that some sites have already been silently exploited and critical security information collected.

Please note: FileDownload is not part of the core MODx distribution, so this only affects users who have downloaded and installed the FileDownload snippet.

More information as soon as it becomes available.]]> opengeek Dec 30, 2006, 10:58 AM https://forums.modx.com/thread/253/filedownload-exploit#dis-post-1652