MODX Evolution 1.0.7 (and prior) ForgotManager plugin Vulnerability

By Jay Stephen Gilmore
January 18, 2013

Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: 1.0.7
Vulnerability Type: Permissions, Privileges, and Access Control; Input Validation; SQL Injection
Report Date: 2013-Jan-4
Fixed Date: 2013-Jan-8

Description
The Forgot Manager Login plugin distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows users to gain unauthorized access to the MODX Manager.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.7 (with ForgotManager plugin active) are affected.

Solutions
There are three ways to resolve or mitigate the issue:

  1. Disable the Forgot Manager Login plugin
  2. Upgrade Forgot Manager Login to version 1.1.6
  3. Upgrade to MODX Evolution 1.0.8
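The following Python script is an added example, not code from the advisory author or from the MODX project. It turns the remediation list above into a check a site administrator can run against a copy of the plugin table: for every Forgot Manager Login row it reports whether the plugin is disabled (solution 1), already at 1.1.6 or later (solution 2), or still active at an older version and therefore affected by this advisory. It assumes, as labelled in the code, that the plugin table is named modx_site_plugins with columns name, description and disabled (0 = active), that the plugin name contains "Forgot Manager" (with or without spaces), and that the plugin's version is recorded as <strong>X.Y.Z</strong> at the start of its description, the convention used by the plugins bundled with MODX Evolution. The sample rows are constructed for the demonstration and do not come from a real site.

```python
"""Audit a MODX Evolution plugin table for the Forgot Manager Login state.

Added example; not MODX code.  Assumptions (not stated by the advisory):
  * table modx_site_plugins with columns name, description, disabled
  * disabled == 0 means the plugin is active
  * the version is stored as '<strong>X.Y.Z</strong>' in the description
  * the plugin's name contains 'Forgot Manager' (spacing may vary)
"""
import re
import sqlite3

# Advisory: the plugin is fixed in Forgot Manager Login 1.1.6.
FIXED_PLUGIN_VERSION = (1, 1, 6)
PLUGIN_TABLE = "modx_site_plugins"  # assumed default table prefix 'modx_'
VERSION_RE = re.compile(r"<strong>\s*(\d+(?:\.\d+)*)\s*</strong>")


def parse_version(description):
    """Return the version tuple embedded in a plugin description, or None."""
    match = VERSION_RE.search(description or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_forgot_manager(name):
    """Match 'Forgot Manager Login', 'ForgotManagerLogin', etc. (assumed naming)."""
    return "forgotmanager" in (name or "").lower().replace(" ", "")


def assess_plugin(name, description, disabled):
    """Classify one plugin row against the advisory's remediation options.

    Returns one of: 'not_applicable', 'disabled', 'patched',
    'vulnerable', 'unknown_version'.
    """
    if not is_forgot_manager(name):
        return "not_applicable"
    if int(disabled) != 0:
        return "disabled"           # solution 1 applied
    version = parse_version(description)
    if version is None:
        return "unknown_version"    # active, but version cannot be read
    if version >= FIXED_PLUGIN_VERSION:
        return "patched"            # solution 2 applied
    return "vulnerable"             # active and older than 1.1.6


def audit(conn):
    """Return {plugin_name: status} for every Forgot Manager Login row.

    The table name is a fixed constant rather than a parameter so that no
    caller-supplied string is ever interpolated into the query.
    """
    rows = conn.execute(
        "SELECT name, description, disabled FROM " + PLUGIN_TABLE
    )
    findings = {}
    for name, description, disabled in rows:
        status = assess_plugin(name, description, disabled)
        if status != "not_applicable":
            findings[name] = status
    return findings


def build_sample_db():
    """Constructed sample data for the demonstration; not a real site's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE modx_site_plugins ("
        "id INTEGER PRIMARY KEY, name TEXT, description TEXT, disabled INTEGER)"
    )
    conn.executemany(
        "INSERT INTO modx_site_plugins (name, description, disabled) VALUES (?, ?, ?)",
        [
            ("ForgotManagerLogin", "<strong>1.1.5</strong> Forgot Manager Login", 0),
            ("Forgot Manager Login (copy)", "<strong>1.1.6</strong> Forgot Manager Login", 0),
            ("Forgot Manager Login (old)", "<strong>1.0.0</strong> Forgot Manager Login", 1),
            ("QuickManagerPlus", "<strong>1.5.1</strong> Front-end editing", 0),
        ],
    )
    return conn


if __name__ == "__main__":
    for plugin, status in audit(build_sample_db()).items():
        print(f"{plugin}: {status}")
```

Against a live site, replace build_sample_db() with a MySQL connection to the MODX database (adjusting PLUGIN_TABLE if the install uses a non-default prefix); any row reported as "vulnerable" or "unknown_version" should be disabled or upgraded as the solutions above describe.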

NOTE
A special thanks to community member Jako for reporting this issue directly to MODX so a resolution could be made available before details were.