  • Please immediately add the following to the top of any public install you may have running of any version of MODx, inside the opening PHP tag. This potential vulnerability only affects installations where the php.ini has register_globals set to ON. (Which is a no-no and security issue in and of itself!)

    In /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php:

    // Refuse direct requests: only a validated manager session may reach this file.
    if(!isset($_SESSION['mgrValidated'])) {
    die("<b>INCLUDE_ORDERING_ERROR</b>

    Please use the MODx Content Manager instead of accessing this file directly.");
    }

    Update: this fix is required only for servers with register_globals set to ON; otherwise it’s not needed.

    More information as it’s available.
      Ryan Thrash, MODX Co-Founder
      Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
    • Note: discussion regarding this topic has been moved to General Support
        Ryan Thrash, MODX Co-Founder
      • Please update your site to 0.9.2.2 for a proper fix to this issue as noted in the subsequent security notice.
          Ryan Thrash, MODX Co-Founder
        • A better solution (now) is to update to 0.9.5, which also includes this fix and a lot more.
            Ryan Thrash, MODX Co-Founder

          This discussion is closed to further replies. Keep calm and carry on.
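
An added example, not part of the original thread and not MODx's own code: a Python audit helper that applies the first post's two conditions, checking whether a php.ini text enables register_globals and whether Thumbnail.php opens with the mgrValidated guard. The function names, the status strings and the treatment of an absent directive as off are assumptions made for illustration.

```python
import re
from pathlib import Path

# Path from the advisory, relative to the MODx install root.
THUMBNAIL = "manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php"
# Matches the advisory's guard: if(!isset($_SESSION['mgrValidated']))
GUARD = re.compile(
    r"""if\s*\(\s*!\s*isset\s*\(\s*\$_SESSION\s*\[\s*['"]mgrValidated['"]\s*\]""")
TRUTHY = {"1", "on", "true", "yes"}  # php.ini spellings of a true boolean


def register_globals_on(ini_text):
    """True if the php.ini text enables register_globals (last assignment wins)."""
    enabled = False  # assumption: an absent directive means off
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # simplified: only ';' comments handled
        m = re.match(r"register_globals\s*=\s*(.*)$", line, re.I)
        if m:
            enabled = m.group(1).strip().strip("\"'").lower() in TRUTHY
    return enabled


def guard_is_first(php_source):
    """True if the guard is the first statement after the opening PHP tag."""
    body = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)  # drop block comments
    body = re.sub(r"^\s*(//|#).*$", "", body, flags=re.M)     # drop line comments
    m = re.search(r"<\?(php)?", body)
    return bool(m and GUARD.match(body[m.end():].lstrip()))


def audit(root, ini_text):
    """Return 'guard-not-needed', 'missing-file', 'patched' or 'NEEDS-GUARD'."""
    if not register_globals_on(ini_text):
        return "guard-not-needed"
    target = Path(root) / THUMBNAIL
    if not target.is_file():
        return "missing-file"
    source = target.read_text(errors="replace")
    return "patched" if guard_is_first(source) else "NEEDS-GUARD"
```

The helper only reads the php.ini text it is given, so a register_globals value set elsewhere (for example per directory) is outside what it checks.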