IMPORTANT: Two new vulnerabilities in 0.9.6.1

[Guest]

Welcome, Guest. Please login or register.
Did you miss your activation email?

1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[OpenGeek]

Please take notice that two security vulnerabilities have been reported and confirmed in 3rd-party scripts that are included in the MODx 0.9.6.1 distributions.  Please see http://www.securityfocus.com/archive/1/485707/30/0/threaded for details.

You need to take immediate action to protect your site( s ). 

For 0.9.6.1
Go to http://svn.modxcms.com/trac/tattoo/changeset/3281 and you can choose from three options for applying the changes to your existing installations: download the zip archive from the link at the bottom (http://svn.modxcms.com/trac/tattoo/changeset/3281?format=zip&new=3281) and overwrite your existing files, get the unified diff (http://svn.modxcms.com/trac/tattoo/changeset/3281?format=diff&new=3281) and apply as a patch, or apply the diffs detailed on the page manually.

For 0.9.6
Same as above, though I recommend upgrading to 0.9.6.1 first to make sure you have the latest bug fixes.

Alternative for 0.9.6 or before...
Grab the latest trunk from SVN and upgrade your installation normally.


Additional information, and an 0.9.6.2 official release with these patches included will be available shortly.

[OpenGeek]

FYI, trunk has been patched with solutions to both of these security fixes and I will be in the process of notifying all of the reporting services so they publish this information; see the original post for updated information.

[rthrash]

admin note: clarified for those with feed readers who don't see the entire thread in context

The current download available at the MODx download site was replaced by a version containing the patches for 0961 in this thread. 0962 will also contain these patches as Jason mentioned. If you've not applied the security patch already (shame on you!), you can either grab it via the instructions listed above or just download the complete installer from the downloads page and install via the normal upgrade mode. If you're not running this latest patched version, now would be a very good time to upgrade.