Revolution Security - MODX Community Forums
https://forums.modx.com/board/?board=294

Revolution 2.6.4 and Prior Two Critical Vulnerabilities; Upgrade Mandatory/Patch
https://forums.modx.com/thread/104040/revolution-2-6-4-and-prior-two-cricital-vulnerabilities-upgrade-mandatory-patch#dis-post-559515

Product: MODX Revolution
Severity: Critical
Versions: <=2.6.4
Vulnerability type(s): Remote Execution / File/Directory Deletion
Report date: 2018-Jul-11
Fixed date: 2018-Jul-12

Description
On July 11 we received notice that there are two critical vulnerabilities that include remote script execution and file/directory removal. These issues are critical in nature. It is possible for attackers to compromise the website or deface or delete files or directories.

Affected Releases
All MODX Revolution releases prior to and including 2.6.4

Solutions
  1. Upgrade to MODX Revolution 2.6.5 or above.
  2. If you're on 2.6.4 you can replace the changed files included in the commits: here (can be manually updated on versions back to 2.3.0) and here (can be updated on versions back to 2.5.2). Please note, replacing files in other versions of MODX Revolution could lead to unintended consequences. It is always preferred to upgrade.

Support
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.

Acknowledgement
We would like to thank Ivan Klimchuk (Alroniks) and agel_nash for bringing these issues to our attention and verifying their resolution.

Additional Information
For additional information, please email MODX Support.

Posted: Thu, 12 Jul 2018 02:40:19 +0000
Revolution 2.5.1 and Prior Multiple Vulnerabilities
https://forums.modx.com/thread/101393/revolution-2-5-1-and-prior-multiple-vulnerabilites#dis-post-547024

Product: MODX Revolution
Severity: Moderate
Versions: <=2.5.1
Vulnerability type: Directory Traversal / SQL Injection
Report date: 2016-Nov-4
Fixed date: 2016-Nov-14

Description
We received notice that there are several vulnerabilities that include a SQL injection and directory traversal. These issues on their own are not critical in nature, however, it could be possible for determined attackers to combine vectors to compromise a site.

Affected Releases
All MODX Revolution releases prior to and including 2.5.1

Solutions
  1. Upgrade to MODX Revolution 2.5.2 or above.
  2. Patch available for versions 2.3.3-2.5.2 thanks to Sterc. Versions below 2.3.3 must upgrade.

Support
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.

Acknowledgement
We would like to thank Nikolay Lanets (modxclub.ru) and Chen Ruiqi for bringing these issues to our attention and verifying their resolution.

Additional Information
For additional information, please use the MODX Contact Form (http://modx.com/company/contact/).

Posted: Wed, 07 Dec 2016 08:53:04 +0000
Critical Login XSS+CSRF Revolution 2.2.14 and Prior
https://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208

Product: MODX Revolution
Severity: Critical
Versions: 2.0.0–2.2.14
Vulnerability type: CSRF & XSS
Report date: 2014-Jul-10
Fixed date: 2014-Jul-15

Description
A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could craft a link that automatically logs the victim into the attacker's own account and then immediately redirects the victim to a site the attacker controls, exposing the victim's CSRF token. This can be exploited whether or not the victim enters credentials in the form.

Affected Releases
All MODX Revolution releases prior to and including 2.2.14.

Solution
Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.

Acknowledgement
We would like to thank Narendra Bhati, of Suma Soft for bringing this issue to our attention.

Additional Information
For additional information, please use the MODX Contact Form.

Posted: Tue, 15 Jul 2014 01:29:03 +0000
Revolution Security Announcements
https://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935

RSS or to our MODX Security Bulletin email.

Posted: Tue, 01 Jul 2014 07:09:27 +0000