MODx index.php id Parameter Traversal Arbitrary File Access
Remote / Network Access
MODx contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the index.php script not properly sanitizing user input, specifically directory traversal sequences (../../) supplied via the 'id' variable. Additionally, this can be used to disclose the software's installation path, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
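
Web server logs can be checked for the request pattern described above. The following is an added example, not part of the original advisory or of MODx: it scans access log lines for traversal sequences in the 'id' parameter of index.php, including percent-encoded and double-encoded forms. The log lines are constructed samples, and the function names and the combined log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request target inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A ".." segment bounded by a slash, a backslash, or the string edge.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

# Constructed sample log lines (documentation IP range, placeholder file name).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=../../placeholder HTTP/1.1" 200 310',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?id=%2e%2e%2f%2e%2e%2fplaceholder HTTP/1.1" 200 310',
    '192.0.2.12 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?id=%252e%252e%255cplaceholder HTTP/1.1" 404 0',
    '192.0.2.13 - - [01/Jan/2024:10:00:20 +0000] "GET /about.php?id=../placeholder HTTP/1.1" 404 0',
    '192.0.2.14 - - [01/Jan/2024:10:00:25 +0000] "GET /index.php?id=release..notes HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def id_traversal(request_target):
    """Return the decoded 'id' value if it contains a traversal segment."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("index.php"):
        return None
    # parse_qsl decodes once; fully_decode removes any further encoding layers.
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if key == "id" and TRAVERSAL_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_id) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        value = id_traversal(match.group(1)) if match else None
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: id={value!r}")
```

Requests that reach index.php through a rewrite rule or a directory index will not match the path check; adjust it to the site's URL layout.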