VYPR
High severity · NVD Advisory · Published Jul 13, 2018 · Updated Aug 5, 2024

CVE-2018-1000207

Description

MODX Revolution version <=2.6.4 contains an incorrect access control vulnerability in the filtering of user parameters before they are passed into the phpthumb class, which can result in the creation of a file with a custom filename and content. This attack appears to be exploitable via a web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MODX Revolution <=2.6.4 fails to filter user parameters passed to phpthumb, allowing attackers to create arbitrary files via a web request.

Vulnerability

MODX Revolution version 2.6.4 and earlier contains an incorrect access control vulnerability in the filtering of user parameters before they are passed into the modPhpThumb class, which extends phpThumb. In the unpatched initialize() method, every key of the config array was handed to setParameter() unchanged, so request-supplied keys could set phpThumb's internal, non-public parameters, including those that control file creation such as filename and content. The issue was addressed in commit 06bc94257408f6a575de20ddb955aca505ef6e68, which restricts the keys passed through to an allowlist of public phpThumb parameters [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted web request to a vulnerable MODX instance. No authentication is required for the attack vector, as the vulnerable code path is accessible via public-facing thumbnail generation functionality. The attacker manipulates parameters that are directly passed to the phpthumb library without proper sanitization [1][4].

Impact

Successful exploitation allows an attacker to create files with arbitrary filenames and content on the server. This can lead to arbitrary code execution if the attacker can write a malicious file (e.g., a PHP script) into a web-accessible directory, resulting in full compromise of the affected site [1].

Mitigation

The vulnerability was fixed in MODX Revolution commit 06bc94257408f6a575de20ddb955aca505ef6e68, which was incorporated into the codebase on or around July 9, 2018 [2][4]. Administrators are strongly advised to upgrade to a patched version (2.6.5 or later). No workarounds are documented for versions prior to the fix. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
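A detection check that complements the upgrade advice above, added here as an example and not taken from the advisory or from the MODX project: it scans web-server access-log lines for thumbnail requests whose query parameters fall outside the public-parameter allowlist that the fix commit introduced. The allowlist itself is copied from the fix; the Apache combined log format, the thumbnail endpoint path hint, the `unexpected_params` and `scan_log` function names and the sample log lines are constructed assumptions.

```python
"""
Added example (not part of the advisory or the MODX project): flag thumbnail
requests that carry query keys outside phpThumb's public-parameter allowlist.
Log format, endpoint path and sample lines are constructed assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Public phpThumb parameters, copied from the allowlist in the fix commit.
ALLOWED_PARAMS = frozenset([
    'src', 'new', 'w', 'h', 'wp', 'hp', 'wl', 'hl', 'ws', 'hs',
    'f', 'q', 'sx', 'sy', 'sw', 'sh', 'zc', 'bc', 'bg', 'fltr',
    'goto', 'err', 'xto', 'ra', 'ar', 'aoe', 'far', 'iar', 'maxb', 'down',
    'md5s', 'sfn', 'dpi', 'sia', 'phpThumbDebug',
])

# Assumption: thumbnail requests are routed through a path containing
# "phpthumb"; adjust to the site's actual endpoint.
THUMB_PATH_HINT = 'phpthumb'

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def unexpected_params(target):
    """Return the sorted query keys of a thumbnail request that are not
    public phpThumb parameters; an empty list for non-thumbnail paths."""
    parts = urlsplit(target)
    if THUMB_PATH_HINT not in parts.path.lower():
        return []
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return sorted({k for k in keys if k not in ALLOWED_PARAMS})


def scan_log(lines):
    """Return (ip, time, target, unexpected_keys) for every request whose
    query string carries a non-public phpThumb parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        bad = unexpected_params(m.group('target'))
        if bad:
            findings.append((m.group('ip'), m.group('time'), m.group('target'), bad))
    return findings


# Constructed sample log lines (not real traffic); the second one carries a
# made-up non-public key so the check has something to flag.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jul/2018:10:00:01 +0000] "GET /assets/components/phpthumb/phpthumb.php?src=a.jpg&w=100&h=100 HTTP/1.1" 200 1234',
    '203.0.113.7 - - [09/Jul/2018:10:00:02 +0000] "GET /assets/components/phpthumb/phpthumb.php?src=a.jpg&config_example_private=x HTTP/1.1" 200 1234',
    '203.0.113.9 - - [09/Jul/2018:10:00:03 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5678',
    '203.0.113.9 - - [09/Jul/2018:10:00:04 +0000] "GET /assets/components/phpthumb/phpthumb.php?src=a.jpg&phpThumbDebug=1 HTTP/1.1" 200 5678',
]

if __name__ == '__main__':
    for ip, when, target, bad in scan_log(SAMPLE_LOG):
        print(f'{when} {ip} {target} -> non-public phpThumb parameters: {", ".join(bad)}')
```

Run it as a script to print the flagged requests, or import `scan_log` into a larger log pipeline. Access logs record only the query string, so parameters delivered in a POST body (which `$_REQUEST` also accepts) are not visible to this check, and the allowlist has to be re-synced whenever the application changes its own list.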

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: modx/revolution (Packagist)
Affected versions: < 2.7.0
Patched versions: 2.7.0

Patches

06bc94257408

Filtering user parameters before passing them into phpthumb class #13979

https://github.com/modxcms/revolution · Ivan Klimchuk · Jul 9, 2018 · via GHSA
2 files changed · +42 −18
  • core/docs/changelog.txt (+1 −0, modified)
    @@ -4,6 +4,7 @@ development release, and is only shown to give an idea of what's currently in th
     
     MODX Revolution 2.7.0-pl (TBD)
     ====================================
    +- Filtering user parameters before passing them into phpthumb class #13979
     - Update phpThumb to 1.7.15-201806071234 #13938
     - Require minimal PHP version (in composer.json) #13939
     - Prefer ampersand replacement of the the translit class [#13931]
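Review bot: the added changelog line ("Filtering user parameters before passing them into phpthumb class #13979") reads like a routine refactor and gives operators no signal that it closes a file-creation issue reachable from unauthenticated requests; consider wording it as a security fix (for example a "Security:" prefix, or a reference to the advisory once one exists) so that site owners prioritize the upgrade. The unchanged context line above it also carries a typo ("the the translit class") that could be fixed in a follow-up.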
    
  • core/model/phpthumb/modphpthumb.class.php (+41 −18, modified)
    @@ -1,37 +1,44 @@
     <?php
    -/**
    - * @package modx
    - * @subpackage phpthumb
    - */
    -require_once MODX_CORE_PATH.'model/phpthumb/phpthumb.class.php';
    +
    +require_once MODX_CORE_PATH . 'model/phpthumb/phpthumb.class.php';
    +
     /**
      * Helper class to extend phpThumb and simplify thumbnail generation process
      * since phpThumb class is overly convoluted and doesn't do enough.
      *
      * @package modx
      * @subpackage phpthumb
      */
    -class modPhpThumb extends phpThumb {
    -
    +class modPhpThumb extends phpThumb
    +{
         public $modx;
    -    public $config;
     
    -    function __construct(modX &$modx,array $config = array()) {
    +    public $config = array();
    +
    +    /**
    +     * modPhpThumb constructor.
    +     * @param modX $modx
    +     * @param array $config
    +     */
    +    public function __construct(modX &$modx, array $config = array())
    +    {
             $this->modx =& $modx;
    -        $this->config = array_merge(array(
    +        $this->config = $config;
     
    -        ),$config);
             parent::__construct();
         }
     
         /**
          * Setup some site-wide phpthumb options from modx config
          */
    -    public function initialize() {
    +    public function initialize()
    +    {
             $cachePath = $this->modx->getOption('core_path',null,MODX_CORE_PATH).'cache/phpthumb/';
    -        if (!is_dir($cachePath)) $this->modx->cacheManager->writeTree($cachePath);
    -        $this->setParameter('config_cache_directory',$cachePath);
    -        $this->setParameter('config_temp_directory',$cachePath);
    +        if (!is_dir($cachePath)) {
    +            $this->modx->cacheManager->writeTree($cachePath);
    +        }
    +        $this->setParameter('config_cache_directory', $cachePath);
    +        $this->setParameter('config_temp_directory', $cachePath);
             $this->setCacheDirectory();
     
             $this->setParameter('config_allow_src_above_docroot',(boolean)$this->modx->getOption('phpthumb_allow_src_above_docroot',$this->config,false));
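Review bot: this hunk mixes cosmetic changes (brace placement, spacing, the dropped file-level docblock, `$this->config = $config;` replacing an `array_merge` with an empty default array) into a commit whose purpose is a security fix, which makes the behaviour-relevant part harder to spot when reviewing or backporting; consider keeping the style changes in a separate commit. Behaviour in this hunk is unchanged: merging `$config` into an empty array and assigning it directly are equivalent.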
    @@ -51,24 +58,40 @@ public function initialize() {
             $this->setParameter('config_nooffsitelink_erase_image',(boolean)$this->modx->getOption('phpthumb_nooffsitelink_erase_image',$this->config,true));
             $this->setParameter('config_nooffsitelink_watermark_src',(string)$this->modx->getOption('phpthumb_nooffsitelink_watermark_src',$this->config,''));
             $this->setParameter('config_nooffsitelink_text_message',(string)$this->modx->getOption('phpthumb_nooffsitelink_text_message',$this->config,'Off-server linking is not allowed'));
    +        $this->setParameter('config_ttf_directory', (string)$this->modx->getOption('core_path', $this->config, MODX_CORE_PATH) . 'model/phpthumb/fonts/');
    +        $this->setParameter('config_imagemagick_path', (string)$this->modx->getOption('phpthumb_imagemagick_path', $this->config, null));
    +
             $this->setParameter('cache_source_enabled',(boolean)$this->modx->getOption('phpthumb_cache_source_enabled',$this->config,false));
             $this->setParameter('cache_source_directory',$cachePath.'source/');
             $this->setParameter('allow_local_http_src',true);
             $this->setParameter('zc',$this->modx->getOption('zc',$_REQUEST,$this->modx->getOption('phpthumb_zoomcrop',$this->config,0)));
             $this->setParameter('far',$this->modx->getOption('far',$_REQUEST,$this->modx->getOption('phpthumb_far',$this->config,'C')));
             $this->setParameter('cache_directory_depth',4);
    -        $this->setParameter('config_ttf_directory',$this->modx->getOption('core_path',$this->config,MODX_CORE_PATH).'model/phpthumb/fonts/');
     
             $documentRoot = $this->modx->getOption('phpthumb_document_root',$this->config, '');
             if ($documentRoot == '') $documentRoot = $this->modx->getOption('base_path', null, '');
             if (!empty($documentRoot)) {
                 $this->setParameter('config_document_root',$documentRoot);
             }
     
    +        // Only public parameters of phpThumb should be allowed to pass from user input.
    +        // List properties between START PARAMETERS and START PARAMETERS in src/core/model/phpthumb/phpthumb.class.php
    +        $allowed = array(
    +            'src', 'new', 'w', 'h', 'wp', 'hp', 'wl', 'hl', 'ws', 'hs',
    +            'f', 'q', 'sx', 'sy', 'sw', 'sh', 'zc', 'bc', 'bg', 'fltr',
    +            'goto', 'err', 'xto', 'ra', 'ar', 'aoe', 'far', 'iar', 'maxb', 'down',
    +            'md5s', 'sfn', 'dpi', 'sia', 'phpThumbDebug'
    +        );
    +
             /* iterate through properties */
             foreach ($this->config as $property => $value) {
    -            $this->setParameter($property,$value);
    +            if (!in_array($property, $allowed, true)) {
    +                $this->modx->log(modX::LOG_LEVEL_WARN,"Detected attempt of using private parameter `$property` (for internal usage) of phpThumb that not allowed and insecure");
    +                continue;
    +            }
    +            $this->setParameter($property, $value);
             }
    +
             return true;
         }
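Review bot: the comment above `$allowed` says the list was taken from "between START PARAMETERS and START PARAMETERS" in phpthumb.class.php, naming the same marker twice (the second is presumably the closing marker); fix the comment so the next maintainer knows where to re-sync the list when phpThumb is updated, since a hard-coded allowlist silently drifts from the upstream parameter set. The message on the `modX::LOG_LEVEL_WARN` line is also ungrammatical ("that not allowed and insecure"); suggest something like "Rejected non-public phpThumb parameter `$property` supplied via user input". The strict `in_array(..., true)` check followed by `continue` is the right shape: unknown keys are dropped rather than reaching `setParameter()`. It is worth confirming that `phpThumbDebug` should remain settable on an unauthenticated endpoint, since the name implies diagnostic output.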
     
    @@ -317,5 +340,5 @@ function ResolveFilenameToAbsolute($filename) {
             }
             return $AbsoluteFilename;
         }
    -
     }
    +
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0)

No linked articles in our index yet.