We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
  • @sharkbait -- you’re welcome.
    @cyclissmo -- that may be a different attack, but with this phpThumb vulnerability, it doesn’t matter if you have Snippet activated or not: if those files are on your web site, you are vulnerable to this exploit.

    Please pass this on... there are a lot of sites out there using phpThumb... I’d submit the fix to their repo, but it doesn’t appear to be publicly available.
    • If you have shell access, one useful command (for detecting low-key hackers anyway) is:
      find . -mtime -10


      Look for any files that have been modified in the last 10 days (in this example). Useful for spotting if new PHP files have appeared or existing ones have been altered without you knowing.
        MAPLEDESIGN MODX development and MODX web design and custom development. Proud to serve UK and International clients!
      • Thanks for the fix - seems that they did not found my phpthumb installation by now undecided
          • 1611
          • 591 Posts
          thank’s for fix solution
          • No problem. I wish I had a way to submit to the original code.
              • 26401
              • 247 Posts
              happened to me. Not sure what got changed, but I did have two sites go down. In one I disabled phpThumb extension and it would work(without some of the images). The other wasn’t even using it, so I couldn’t disable it. In both cases I have no idea of the extent of damage or how to fix it. sad
              • Disabling the phpThumb extension does not prevent this exploit from succeeding: if the phpThumb is anywhere on your server, it can be exploited. It’s virtually impossible to figure out what was damaged by such an exploit: you have to assume that EVERYTHING has been compromised. If you have a backup, you should rollback to that, and you should apply the patch as listed above. If you don’t have a backup, you have to rebuild from known-good versions: a fresh install of MODx and any plugins, but the pisser about this phpThumb thing is that in 1.7.9 (the most current version as of this writing), the exploit is in source code, so you have to manually apply the patch, otherwise your site is vulnerable.
                  • 26401
                  • 247 Posts
                  sorry about that, I read my post and have been doing some digging around. I think doing something to the phpthumb showed results, I applied the patch to both sites, but going through my log, I cannot find any malicious use of fltr[] so it looks like my errors were unrelated to this. While I’m not 100%, I think the host switched something around, the giveway was when I tried saving a resource, my backslashes started multiplying. looked into phpinfo and saw that the magic quotes were active. While I don’t know what exactly the host did, I assume it was an upgrade to a new version of php, and modx doesn’t fix the magic quotes past version 5.3

                  Sorry about the off topic issue undecided

                  and thanks for getting that patch, I’ll need to apply it to the other sites still. Hopefully this will get included soon as this is a pretty big oopsies
                    • 26401
                    • 247 Posts
                    Does anyone know of any plans to put this phpThumb fix into a package (on a side note would be nice to combine it with the 5.3 fix at the end of http://modxcms.com/forums/index.php?topic=43077.0
                    • Dunno... I tried to contact the author. Too bad the source code isn’t publicly available via an SVN repo or I would have submitted my fix.