  • Status: Solved (See: Notice on fix)
    Product: MODx Revolution
    Risk: Moderate
    Versions: 2.0.x
    Vulnerability type: Cross-Site Scripting and Local File Inclusion Vulnerabilities
    Report Date: 2010-09-29
    Fixed Date: 2010-09-29

    Description
    Issue reported as Secunia Advisory SA41638.

    Input passed via the "modahsh" parameter to manager/index.php is not properly sanitized before being returned to the user, and input passed via the "class_key" parameter to manager/controllers/default/resource/tvs.php is not properly verified before being used to include files.


    Affected Releases
    MODx Revolution 2.0.2-pl; however, it is possible that previous releases contain the vulnerability.

    Solution
    Upgrade to MODx Revolution 2.0.3, available here: http://modxcms.com/download.html#pl
    Read the Release Announcement for Revolution 2.0.3.
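The two defect classes named in the description (request input echoed back without encoding, and a request parameter used to select an include file) are usually closed with output encoding and an allow-list, as in this added PHP example. It is not MODx code and not the 2.0.3 patch; the function names, class keys, file names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not MODx code. All names and inputs are hypothetical.

// Allow-list: each accepted class key maps to a fixed file name, so no
// request data is ever concatenated into the include path.
const ALLOWED_CLASS_KEYS = [
    'ExampleDocument' => 'document.php',
    'ExampleWebLink'  => 'weblink.php',
];

// Returns the absolute file to include, or null if the key is not allowed.
function resolveClassFile(string $classKey, string $baseDir): ?string
{
    if (!array_key_exists($classKey, ALLOWED_CLASS_KEYS)) {
        return null; // traversal sequences, NUL bytes, unknown keys end here
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_CLASS_KEYS[$classKey]);
    // Defense in depth: the resolved file must exist inside the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Encode a request value for an HTML text or quoted-attribute context.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Demo with constructed inputs ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'classkey_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'document.php', "<?php return 'document loaded';");

$samples = ['ExampleDocument', '../../../../etc/passwd', "ExampleDocument\0.php", 'ExampleWebLink'];
foreach ($samples as $key) {
    $file = resolveClassFile($key, $dir);
    $result = ($file === null) ? 'rejected' : (include $file);
    printf("%-32s => %s\n", json_encode($key), $result);
}

// A reflected value is rendered as inert text once encoded.
echo encodeForHtml('"><script>alert(1)</script>'), "\n";

unlink($dir . DIRECTORY_SEPARATOR . 'document.php');
rmdir($dir);
```

`ExampleWebLink` is rejected in the demo even though it is on the allow-list, because its mapped file does not exist in the base directory.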
