Directory traversal vulnerability in MODX 2.5.7 search page, please confirm! #13432

Closed
fantasy7082 opened this issue Apr 21, 2017 · 6 comments

Comments

@fantasy7082

fantasy7082 commented Apr 21, 2017

Summary

Hello, I found a directory traversal vulnerability in the search page. The reproduction is below:

Steps to reproduce

I have already sent it to your mail, my email is fantasy7082@hotmail.com

Observed behavior

It will cause the system directory information to leak.

Expected behavior

It will not cause the system directory information to leak.

Environment

MODX version, 2.5.7

@Mark-H
Collaborator

Mark-H commented Apr 21, 2017

Please responsibly disclose security issues via security@modx.com, not in a public issue.

@fantasy7082 changed the title from "Directory traversal vulnerability in url_search.php, please confirm!" to "Directory traversal vulnerability in MODX 2.5.7 search page, please confirm!" on Apr 22, 2017
@fantasy7082
Author

Oh, sorry. I have already sent it to your mail, my email is fantasy7082@hotmail.com

@fgeek

fgeek commented May 19, 2017

Have you scheduled 2.5.8 release already?

@JoshuaLuckers
Collaborator

@Mark-H has this already been looked into?

@fgeek

fgeek commented Jul 14, 2018

It's very confusing to leave issues like this open for over a year. Nothing about this issue in ChangeLog.

@Mark-H
Collaborator

Mark-H commented Jul 14, 2018

Looked up the related responsible disclosure, yes this was addressed. The issue is confusing but basically files that no longer served a purpose exposed a vulnerability, so those files were removed entirely in #13433.

@Mark-H Mark-H closed this as completed Jul 14, 2018