    • 585
    • 24 Posts
    I came across the security issue with AjaxSearch and can’t figure out what I need to do.
    The links on the security page are not valid and the comment that the current version has the
    patches doesn’t help me.

    Do I need to replace a php file?
    Use a different search?
    Change something in the snippet?

    The instructions go all over the place. >:(
    • Upgrade to the current download.
        Ryan Thrash, MODX Co-Founder
        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
        • 5811
        • 1,717 Posts
        The links on the security page are not valid
        Could you give us the post where the link is invalid. Thanks

        and the comment that the current version has the patches doesn’t help me.
        What kind of information are you expecting? The last security patches cover the security vulnerabilities described here

        Otherwise, which version of AjaxSearch do you use? If you download the last version = 1.7.0.2 from here, this version includes the last patches which correct the last security vulnerabilities (AjaxSearch and the Highlight plugin).
          • 585
          • 24 Posts
          I think the people responsible are not thinking in terms of the path to information.
          I was reading modx reviews on opensourcecms.com -
          one of the posts referred to a site so I went to it.
          It had a message on their site that said AjaxSearch has a security problem.
          I don’t take their word for it, so I come here.
          I find that it’s a real problem.
          So I look at the post on how to fix it and I see:

          You need to take immediate action to protect your site(s).

          For 0.9.6.1
          Go to http://svn.modxcms.com/trac/tattoo/changeset/3281 and you can choose from three options for applying the changes to your existing installations: download the zip archive from the link at the bottom (http://svn.modxcms.com/trac/tattoo/changeset/3281?format=zip&new=3281) and overwrite your existing files, get the unified diff (http://svn.modxcms.com/trac/tattoo/changeset/3281?format=diff&new=3281) and apply as a patch, or apply the diffs detailed on the page manually.

          But those don’t work - so I read on and it says upgrade the new version has the patch - ok - what does that mean???
          Do I have to reinstall? Do I upgrade just the snippet?

          Now I don’t know what to do. What if I try to do the right thing and now my site doesn’t work because I changed the wrong program?
          And what is a common user going to do with information like:
          The last security patches cover the security vulnerabilities described here

          That link doesn’t answer questions. It’s just another source.

          I did download the latest version and now that you wrote:
          If you download the last version = 1.7.0.2 from here, this version includes the last patches which correct the last security vulnerabilities (AjaxSearch and the Highlight plugin).

          Now I know that it’s ok. I didn’t see that on the snippet authors site when I downloaded the upgrade.

          I realize when this issue came up everything was very clear and formulated, but much like when you write some code that is clear and seemingly documented, the comments
          are relevant to the path you took to get to that point in the development. It’s based on your current state.

          Anyway - something like a security risk procedure is not the same as "my menu font is wrong - help"
          and should be dated and well controlled, and when I need a clear definition of what the path is to remove the risk,
          I didn’t find one source of truth, but rather threads that didn’t answer what to do.
          Sorry for the frustration but it’s frustrating.
          • Upgrading is simple and there are plenty of instructions on how to do this; if you haven’t learned how to upgrade, I don’t recommend using MODx in production. That’s like giving your kid a gun for the first time and telling him to go hunting; you might want to take him to the range first and let him learn how to handle it.

            Anyway, the patch was a stop-gap measure until the new version was released. Additional confusion was caused by the patch links referring to Trac, which we no longer have available for a number of reasons, mostly related to security and spam. You can see the same patches and get access to the changed files from revision 3281 at http://svn.modxcms.com/crucible/changelog/modx/trunk?cs=3281. There is no combined download of the files that were changed as there was in Trac, but there is a unified diff (a.k.a. patch) available that you can learn to apply to your files if you prefer that route to upgrading the entire site.
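Both the quoted security notice (get the unified diff and apply it as a patch) and the reply above name the patch route without showing what applying a unified diff involves, or how to tell whether a file already carries the fix, which was the original question in this thread. The following Python is an added example, not code from the MODx project or from anyone in this thread: a minimal unified-diff parser and applier that does for one file what `patch` and `patch -R --dry-run` do, run over a constructed stand-in snippet file and a constructed diff. Neither the file nor the diff is the real AjaxSearch source or revision 3281, and all function names are mine.

```python
"""Minimal unified-diff applier: parse hunks, apply them, and report whether a
file is unpatched, already patched, or from a different version.  Added example;
the sample file and diff below are constructed stand-ins, not MODx code."""
import re
from dataclasses import dataclass, field
from typing import List

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


class PatchError(Exception):
    """Raised when a hunk's old side does not match the target file."""


@dataclass
class Hunk:
    old_start: int
    old_len: int
    new_start: int
    new_len: int
    lines: List[str] = field(default_factory=list)  # raw lines; first char is ' ', '-' or '+'


def parse_unified_diff(diff_text: str) -> List[Hunk]:
    """Parse a single-file unified diff into hunks; the ---/+++ headers are skipped."""
    hunks: List[Hunk] = []
    for raw in diff_text.splitlines():
        if not hunks and raw.startswith(("--- ", "+++ ")):
            continue
        m = HUNK_RE.match(raw)
        if m:
            # A missing count (e.g. "@@ -3 +3 @@") means exactly one line.
            old_start, old_len, new_start, new_len = (int(g) if g is not None else 1 for g in m.groups())
            hunks.append(Hunk(old_start, old_len, new_start, new_len))
        elif hunks and raw[:1] in (" ", "-", "+"):
            hunks[-1].lines.append(raw)
        # "\ No newline at end of file" and stray blank lines are ignored
    return hunks


def apply_hunks(lines: List[str], hunks: List[Hunk]) -> List[str]:
    """Return a patched copy of `lines` (no trailing newlines).  A hunk whose context and
    removed lines do not match exactly is refused: for a security fix, a fuzzy apply to
    the wrong version can silently leave the hole open."""
    out = list(lines)
    offset = 0  # cumulative line-count change introduced by earlier hunks
    for h in hunks:
        old_side = [l[1:] for l in h.lines if l[0] in " -"]
        new_side = [l[1:] for l in h.lines if l[0] in " +"]
        if len(old_side) != h.old_len or len(new_side) != h.new_len:
            raise PatchError(f"malformed hunk @@ -{h.old_start},{h.old_len} @@")
        # For a pure insertion (old_len 0) the start refers to the line *before* the insert.
        pos = (h.old_start - 1 if h.old_len else h.old_start) + offset
        if out[pos:pos + len(old_side)] != old_side:
            raise PatchError(f"hunk @@ -{h.old_start},{h.old_len} @@ does not match target")
        out[pos:pos + len(old_side)] = new_side
        offset += len(new_side) - len(old_side)
    return out


def reverse_hunks(hunks: List[Hunk]) -> List[Hunk]:
    """Swap the old and new sides so the diff un-applies, the equivalent of `patch -R`."""
    rev = []
    for h in hunks:
        flipped = [("+" if l[0] == "-" else "-" if l[0] == "+" else " ") + l[1:] for l in h.lines]
        rev.append(Hunk(h.new_start, h.new_len, h.old_start, h.old_len, flipped))
    return rev


def patch_status(lines: List[str], hunks: List[Hunk]) -> str:
    """'unpatched' if the diff applies cleanly, 'applied' if the reversed diff applies
    (the file already carries the fix), 'mismatch' if neither (a different version)."""
    try:
        apply_hunks(lines, hunks)
        return "unpatched"
    except PatchError:
        pass
    try:
        apply_hunks(lines, reverse_hunks(hunks))
        return "applied"
    except PatchError:
        return "mismatch"


# Constructed stand-in for a snippet file and for a vendor diff against it.
ORIGINAL = """<?php
// constructed stand-in for a snippet file, not the AjaxSearch source
$term = $_GET['search'];
echo "Results for: " . $term;
""".splitlines()

SAMPLE_DIFF = """--- snippet.php
+++ snippet.php
@@ -1,4 +1,4 @@
 <?php
 // constructed stand-in for a snippet file, not the AjaxSearch source
-$term = $_GET['search'];
+$term = htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8');
 echo "Results for: " . $term;
"""

if __name__ == "__main__":
    hunks = parse_unified_diff(SAMPLE_DIFF)
    print("before:", patch_status(ORIGINAL, hunks))           # unpatched
    fixed = apply_hunks(ORIGINAL, hunks)
    print("after:", patch_status(fixed, hunks))               # applied
    print("other:", patch_status(["<?php", "else"], hunks))   # mismatch
```

The `patch_status` check is the piece that answers "does the version I already have include the fix?": if the reversed diff applies cleanly, the file is on the patched side; if neither direction applies, the file is from a version the diff was not written against and should be upgraded as a whole rather than patched.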

              • 585
              • 24 Posts
              I agree that I need to rethink using modx.

              I disagree about how you have communicated the fix - all that needed to be said was:

              If you download the last version = 1.7.0.2 from here, this version includes the last patches which correct the last security vulnerabilities

              You being defensive means to me that you are not in complete control.
                • 27330
                • 884 Posts
                It’s simple instructions, just telling you to upgrade to the latest. What’s the need to get all philosophic about it? why/where/who.....
                Just upgrade and move on ;)
                  • 33372
                  • 1,611 Posts
                  I think that there may have been too many different places to get info on this issue (which was not a particularly serious vulnerability, imho). I personally started from the official notice in the Security Notices forum, which refers you to this thread for more information and discussion. I think that if you take a look at those you’ll find all of the information that you need (and if not, post your questions to the above thread).
                    "Things are not what they appear to be; nor are they otherwise." - Buddha

                    "Well, gee, Buddha - that wasn't very helpful..." - ZAP

                    Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options
                    • 585
                    • 24 Posts
                    That’s a good point - a security threat level indicator would be good information.

                    I’m not getting crazy about this - I’m moving on - my whole point is

                    If you don’t know, then you don’t know, and more incomplete threads make it less clear. Questions regarding a security
                    threat should have one answer and be controlled.

                    BTW - if a real security threat comes up and is known, then a forum listing users using the product and their sites
                    is a resource for someone to just mine. That was my first concern.
                      • 7231
                      • 4,205 Posts
                      You can subscribe to the security notice RSS feed to follow important notices. There is also a way to get e-mail notices.

                      I agree with ZAP that this was not a major issue. And it was not a MODx issue, rather a snippet related issue.
                        Shane Sponagle | [wiki] Snippet Call Anatomy | MODx Developer Blog | [nettuts] Working With a Content Management Framework: MODx

                        Something is happening here, but you don't know what it is.
                        Do you, Mr. Jones? - [bob dylan]