Topic: Critical Security Measure  (Read 28085 times)


#1: 3-Nov-2006, 01:20 PM

Foundation

rthrash
Posts: 11,348

Please immediately add the following to the top of any public install you may have running of any version of MODx, inside the opening PHP tag. This potential vulnerability only affects installations where the php.ini has register_globals set to ON. (Which is a no-no and security issue in and of itself!)

In /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php:

Quote
if(!isset($_SESSION['mgrValidated'])) {
    die("<b>INCLUDE_ORDERING_ERROR</b><br /><br />Please use the MODx Content Manager instead of accessing this file directly.");
}

Update: this fix is required only for servers with register_globals set to ON; otherwise it's not needed.

More information as it's available.
« Last Edit: 8-Nov-2006, 11:14 PM by rthrash »
MODx is a content management framework that allows web professionals to turn over sites to end-users for daily maintenance without worrying. Please help us help you when asking for assistance and read the wiki. Searching the forums from the top level helps, too.
Ryan Thrash
MODx Co-Founder
Principal @ Collabpad
work productively.
work intelligently.
work together.
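The guard in the post above works because it reads the `$_SESSION` superglobal directly rather than a bare variable. As an added illustration (this is not code from the original post or from MODx itself), the following shows the general pattern: a check on a bare global variable is unreliable when register_globals is On, because request parameters are imported as globals, while a check on `$_SESSION` is not affected; it also adds a startup test that refuses to run while the setting is enabled. The function names `manager_session_valid_weak`, `manager_session_valid` and `register_globals_enabled` are assumptions made for this example.

```php
<?php
// Added example; not part of the original post or of MODx. Function names are
// hypothetical. Assumes the manager has already called session_start() and
// set $_SESSION['mgrValidated'] after a successful login.

// Weak pattern: a bare global variable. With register_globals = On, PHP
// imports request parameters as global variables, so this value may have
// been supplied by the request instead of by the application.
function manager_session_valid_weak()
{
    global $mgrValidated;
    return isset($mgrValidated);
}

// Hardened pattern (the shape of the fix in the post): read the session
// superglobal explicitly. register_globals never overwrites $_SESSION.
function manager_session_valid()
{
    return !empty($_SESSION['mgrValidated']);
}

// Detect the risky php.ini setting at runtime. ini_get() returns "" or "0"
// when the directive is Off; the directive was removed in PHP 5.4, where
// ini_get() returns false and this function correctly reports Off.
function register_globals_enabled()
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Usage in a file that must only be reached through the manager:
if (register_globals_enabled()) {
    die('register_globals is On; set "register_globals = Off" in php.ini.');
}
if (!manager_session_valid()) {
    die('Please use the MODx Content Manager instead of accessing this file directly.');
}
```

The runtime check is a stopgap for hosts you do not control; the real fix is `register_globals = Off` in php.ini (the default since PHP 4.2 and the only behaviour from PHP 5.4 onward), together with the version upgrade the later posts in this thread recommend.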

#2: 6-Nov-2006, 10:34 AM

Foundation

rthrash
Posts: 11,348

Note: discussion regarding this topic has been moved to General Support

#3: 8-Nov-2006, 11:15 PM

Foundation

rthrash
Posts: 11,348

Please update your site to 0.9.2.2 for a proper fix to this issue as noted in the subsequent security notice.

#4: 10-Jan-2007, 10:34 AM

Foundation

rthrash
Posts: 11,348

A better solution (now) is to update to 0.9.5, which also includes this fix and a lot more.