Product: MODx Evolution
Risk: Moderate
Versions: 1.0.3 and all previous releases
Vulnerability type: SQL Injection
Report Date: 2010-May-28
Fixed Date: 2010-May-28
Description
Issue reported as HTB22412. An attacker could potentially compromise MODx Evolution via an unsanitized variable in /manager/index.php.
No actual destructive exploit has yet been created or proven. The proof of concept offered on the htbridge.ch site, and its variants, can only cause a SQL error to be displayed.
Affected Releases
All MODx 0.9.x/Evolution releases prior to and including MODx Evolution 1.0.3 are affected.
Solution
Upgrade to MODx Evolution 1.0.4 or later:
http://modxcms.com/download.html#ga