    • 22303 MODX Staff
    • 10,725 Posts
    Product: MODX Evolution
    Risk: Very High
    Severity: Critical
    Versions: <=1.0.13
    Vulnerability Type: Remote Code Execution
    Report Date: 2014-May-29
    Fixed Date: 2014-June-5

    Description
    The AjaxSearch component distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows remote code execution.

    Affected Releases
    All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.13 (with AjaxSearch installed) are affected.

    Solutions
    There are two ways to resolve or mitigate the issue:

    1. Upgrade AjaxSearch to version 1.10.1
    2. Upgrade to MODX Evolution 1.0.14.

    NOTE
    A special thanks to Semko Vitaliy for identifying the vector and community member Thomas Jakobi for the resolution.
      • 39519 ☆ A M B ☆
      • 79 Posts
      You will need to do both 1 and 2 or 3. Just deleting the index-ajax.php still leaves the AjaxSearch vulnerable to attack.
        Mat Dave Jones
