2 important vulnerabilities found in MODx 0.9.6.1
As per modx Security Feed, the 2 new important vulnerabilities found in modx release version 0.9.6.1. To immediately protect your modx powered site(s) please do the following:
- If magic_quotes_gpc is disabled on your system, remove the file /assets/js/htcmime.php
- Disable the AjaxSearch snippet, and make sure you delete (or rename) /assets/snippets/AjaxSearch/AjaxSearch.php so it is not accessible
Please see the original forum announcement to track the patch progress which will be available as soon as possible.
Updates: Please read below to patch your modx installations.
Go to http://svn.modxcms.com/trac/tattoo/changeset/3281 and you can choose from three options for applying the changes to your existing installations: download the zip archive from the link at the bottom (http://svn.modxcms.com/trac/tattoo/changeset/3281?format=zip&new=3281) and overwrite your existing files, get the unified diff (http://svn.modxcms.com/trac/tattoo/changeset/3281?format=diff&new=3281) and apply as a patch, or apply the diffs detailed on the page manually.
Same as above, though I recommend upgrading to 0.9.6.1 first to make sure you have the latest bug fixes.
Alternative for 0.9.6 or before...
Grab the latest trunk from SVN and upgrade your installation normally.
Additional information, and an 0.9.6.2 official release with these patches included will be available shortly.