MODX Revolution Security Bypass and Remote Execution

By Jay Stephen Gilmore
June 4, 2013

Product: MODX Revolution
Severity: Extremely Critical
Versions: 2.1.0–2.2.7
Vulnerability type: Security Bypass
Report date: 2013-Jun-4
Fixed date: 2013-Jun-4

Description
Two vulnerabilities were discovered in MODX that allow users to bypass security. Attackers could exploit this to remotely execute arbitrary code on the targeted server.

Affected Releases
All MODX Revolution releases from 2.1.0 through 2.2.7, inclusive, are affected. Revolution 2.0.8 and below are not affected.

Solutions
There are two possible solutions:

  1. Upgrade to MODX Revolution 2.2.8, or
  2. Install this plugin patch until the upgrade to 2.2.8+ is completed.

Acknowledgement
We would like to thank valued community members Fi1osof and Agel_Nash for bringing this issue to our attention.

Additional Information
For additional information, please use the MODX Contact Form.