    • 34127
    • 135 Posts
    Quote from: justinet at Jan 12, 2014, 01:18 PM
    Quote from: davidpede at Dec 23, 2013, 05:56 PM

    To fix this you must upgrade your phpThumb script from v1.7.9 to v1.7.11.
    Hello,
    Just checked the phpThumb files in my core Modx installation (core/model/phpthumb), as I am also using the Gallery extra and imageMagick, but haven't seen any version number on those files. How can you tell the phpThumb version?
    On GitHub it's written that JamesHeinrich phpThumb v1.7.11 was released on Aug 08, 2011, so I would assume recent Modx revo versions (say 2.2.8 to 2.2.10) should use this latest phpThumb version? But of course I need to ascertain this!
    Thanks
    I believe MODX <= 2.2.10 is still using phpThumb 1.7.9. You can check by opening /core/model/phpthumb/phpthumb.class.php and searching for "$phpthumb_version".
      • 44661
      • 31 Posts
      Thanks Rick, you're right! I had not seen the version number by just scanning the first lines of that file.
      • I simply downloaded the latest phpthumb and replaced the files in core/model/phpthumb/ with the new ones, and so far I haven't had any problems with it.
          Studying MODX in the desert - http://sottwell.com
          Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
          Join the Slack Community - http://modx.org
          • 44661
          • 31 Posts
          Quote from: sottwell at Jan 15, 2014, 11:02 AM
          ... so far I haven't had any problems with it.
          Good to know, since I did the same thing.
          Thanks
            • 39251
            • 53 Posts
            Just wanted to mention that this never made it into the Security Notices. I know there's been a more recent vulnerability that required updates anyway, but this one's a few months older and I found this while researching the same issue on another site I maintain. Are there other issues like this that generally don't make it in there, or did this just get overlooked? I try to keep things upgraded, but with a few dozen sites to maintain, I also rely on those notices for the really important things.
              If there's a better way to do it, I'll find it.
              • 41101
              • 40 Posts
              Quote from: ocdcoder at Jun 16, 2014, 05:10 PM
              Just wanted to mention that this never made it into the Security Notices. I know there's been a more recent vulnerability that required updates anyway, but this one's a few months older and I found this while researching the same issue on another site I maintain. Are there other issues like this that generally don't make it in there, or did this just get overlooked? I try to keep things upgraded, but with a few dozen sites to maintain, I also rely on those notices for the really important things.

              Hi OCDCoder,

              The latest version of phpthumb has had the code updated to remove the vulnerability.
                • 39251
                • 53 Posts
                Yeah, the most recent version of MODX has been updated as well. The MODX team is just really good about posting Security Notices, whether they affect the core files or Extras, from what I can tell. I'm wondering if this somehow got missed, or if I was wrong about my assumption that all things MODX-related end up in the Security Notices.
                  If there's a better way to do it, I'll find it.
                  • 36816
                  • 109 Posts
                  Greetings OCDCoder,

                  Guess it wasn't in security notices, but it did appear in the 2.2.11 release announcement:

                  http://forums.modx.com/thread/88696/revolution-2-2-11-out-now

                  https://github.com/modxcms/revolution/blob/release-2.2/core/docs/changelog.txt (line 69 as of the date of this post)
                    • 39251
                    • 53 Posts
                    I usually do read those. Either I just missed it that time, or didn't think about it applying to other sites for whatever reason. Or I was just doing too many sites at once and my eyes glazed over.

                    We have SO many sites to upgrade when a new version of MODX comes out that we've been talking about scripting the upgrade process for the backup/wget/unzip/rsync part of the process, just haven't gotten around to it. Even the browser upgrade process is pretty much clicking a button that's some variation of "OK" or "Next" over and over. I keep wondering if I could go all the way and write an Extra, but I feel like someone would have done it by now if it were possible. I have to admit the WP upgrade process is one advantage it has over MODX. One of the few, IMO, but still. ;-)

                    Sorry, off-topic ramble there.
                      If there's a better way to do it, I'll find it.
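
The version check described in this thread (searching phpthumb.class.php for "$phpthumb_version"), applied to several installs at once, as an added example that is not from any poster or from the MODX project. It assumes the version is declared on a single line as a quoted string and that each site keeps its core at the default core/ path under the directory you pass in; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the phpThumb version bundled with each MODX install.
# Assumption: the class file declares the version on one line, for example
#   var $phpthumb_version = '1.7.9-200805132119';   (constructed sample line)
# Usage (hypothetical paths): sh check_phpthumb.sh /var/www/site1 /var/www/site2

FIXED_VERSION="1.7.11"   # the version this thread says to upgrade to

# Print the dotted version from a class file, dropping any "-build" suffix.
phpthumb_version() {
    sed -n 's/.*\$phpthumb_version[[:space:]]*=[[:space:]]*["'\'']\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is lower than $2 (numeric, field by field,
# so 1.7.9 sorts below 1.7.11, which a plain string comparison gets wrong).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print one "STATUS version path" line per site root given as an argument.
audit_phpthumb() {
    for root in "$@"; do
        f="$root/core/model/phpthumb/phpthumb.class.php"
        if [ ! -f "$f" ]; then echo "MISSING - $f"; continue; fi
        v=$(phpthumb_version "$f")
        if [ -z "$v" ]; then echo "UNKNOWN - $f"
        elif version_lt "$v" "$FIXED_VERSION"; then echo "OUTDATED $v $f"
        else echo "OK $v $f"
        fi
    done
}

if [ "$#" -gt 0 ]; then audit_phpthumb "$@"; fi
```

Sites reported as MISSING usually have a relocated core directory, so check those by hand.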