Please immediately add the following check to the top of the file named below, inside the opening PHP tag, on any public install of any version of MODx you may be running. This potential vulnerability only affects installations where php.ini has register_globals set to ON (which is a no-no and a security issue in and of itself!).
In /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php:
// Stop here unless the request comes from a validated manager session.
if(!isset($_SESSION['mgrValidated'])) {
    die("<b>INCLUDE_ORDERING_ERROR</b>
Please use the MODx Content Manager instead of accessing this file directly.");
}
Update: this fix is required only for servers with register_globals set to ON; otherwise it’s not needed.
More information as it’s available.
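To confirm the check is in place on every install on a server, the following shell script is an added example (not part of the original advisory and not MODx project code). It looks for each copy of Thumbnail.php under a web root and reports whether its first statement is the mgrValidated check; the function names and the web root argument are assumptions.

```sh
#!/bin/sh
# Added audit example, not MODx project code. The web root argument is an assumption.

# Path of the affected file inside a MODx install, as given in the advisory.
REL='manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php'

# ERE for the advisory's check, written with plain ASCII quotes.
GUARD_RE="![[:space:]]*isset\([[:space:]]*\\\$_SESSION\[['\"]mgrValidated['\"]\]"

# has_guard FILE: succeed only if the first line of real code (after the
# opening tag, blank lines and comment lines) is the session check.
has_guard() {
    sed -e 's/<?php//' -e 's/<?//' "$1" \
        | grep -v -E '^[[:space:]]*($|//|#|/\*|\*)' \
        | head -n 1 \
        | grep -q -E "$GUARD_RE"
}

# audit_webroot DIR: report every copy of the file under DIR.
# Exit status is 1 if at least one copy lacks the check.
audit_webroot() {
    find "$1" -type f -path "*/$REL" | (
        rc=0
        while IFS= read -r f; do
            if has_guard "$f"; then
                printf '%-9s %s\n' PATCHED "$f"
            else
                printf '%-9s %s\n' UNPATCHED "$f"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Run as: sh audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

The script reports file state only; whether register_globals is ON has to be read from the php.ini that the web server's PHP actually loads.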