CVE-2008-0094

Name of the Vulnerable Software and Affected Versions MODx Content Management System version 0.9.6.1

Description The issue concerns directory traversal vulnerabilities. Remote attackers can include and execute arbitrary local files via a .. (dot dot) in the as language parameter to "assets/snippets/AjaxSearch/AjaxSearch.php", which is reached through "index-ajax.php". Additionally, attackers can read arbitrary local files via a .. (dot dot) in the file parameter to "assets/js/htcmime.php".

Recommendations For MODx Content Management System version 0.9.6.1, as a temporary workaround, consider restricting access to the "assets/snippets/AjaxSearch/AjaxSearch.php" and "assets/js/htcmime.php" files until a patch is available. Avoid using the as language and file parameters in the affected API endpoints until the issue is resolved.