We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Acknowledgment: [DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulner

  • Ryan Thrash Reply #1, 16 years, 2 months ago
    The MODx team believes the following security notice is sophistical – plausible but misleading (some would refer to it as "FUD"). We are continuing further investigations.

    [DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulnerabilities

    To reproduce the security compromises listed above, a malicious hacker would first have to hijack a valid manager session, then convince someone to visit a link to the site with that session and their XSS content inserted. This could be of concern however in the instance when you have a large Manager User base of untrusted individuals. In either case, there are larger security implications.

    For more information and discussion, please visit this thread in these forums. We do not have every server or browser combination under which we can test the above listed compromises, so we would tremendously appreciate assistance/confirmation . If you are able to reproduce them or have additional information, please post information in the discussion and we will update this notice immediately with corrective actions.
      Ryan Thrash, MODX Co-Founder
      Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
    • Ryan Thrash Reply #2, 16 years, 2 months ago
      Based on further analysis there is one legitimate bug contained in the distribution that while we’ve not been able to find security vectors using the flaw, it is not inconceivable that a determined hacker could not do so. This lies with the search highlight plugin. To fix this, patch two lines starting near line 52 to as follows:
        $searched = strip_tags(urldecode($_REQUEST['searched'])); 
  $highlight = strip_tags(urldecode($_REQUEST['highlight']));


      Alternately, you can simply disable the search highlight plugin entirely by logging into the manager and going to Resources > Manage Resources > Plugin tab. From there, click the Search Highlight plugin name in the list of names, then check the first checkbox near the top that says "Plugin Disabled" (or your relevant local language string).

      The currently available build on the download page contains this patch. If you’re running an existing site, the best option is to patch or disable the Search Highlight plugin per the above.
        Ryan Thrash, MODX Co-Founder
        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me

      This discussion is closed to further replies. Keep calm and carry on.