Re: MODX Evolution 1.0.13 (and prior) AjaxSearch Vulnerability

matdave — Jun 09, 2014, 11:36 AM

You will need to do both 1 and 2 or 3. Just deleting the index-ajax.php still leaves the AjaxSearch vulnerable to attack.

MODX Evolution 1.0.13 (and prior) AjaxSearch Vulnerability

opengeek — Jun 05, 2014, 04:00 PM

Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: <=1.0.13
Vulnerabilty Type: Remote Code Execution
Report Date: 2014-May-29
Fixed Date: 2014-June-5

Description
The AjaxSearch component distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows remote code execution.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.13 (with AjaxSearch installed) are affected.

Solutions
There are two ways to resolve or mitigate the issue:

Upgrade AjaxSearch to version 1.10.1
Upgrade to MODX Evolution 1.0.14.

NOTE
A special thanks to Semko Vitaliy for identifying the vector and community member Thomas Jakobi for the resolution.

MODX Evolution 1.0.13 (and prior) AjaxSearch Vulnerability - My Forums

Re: MODX Evolution 1.0.13 (and prior) AjaxSearch Vulnerability

MODX Evolution 1.0.13 (and prior) AjaxSearch Vulnerability