    Earlier this week, a PHP Security Notice was issued for a critical bug in PHP that could cause PHP to fail should the value 2.2250738585072011e-308 be assigned to a PHP variable.

    More information can be found here:

    This bug can affect MODx installations. MODx Revolution has been patched in GitHub for this. It is highly recommended that all MODx Revolution users patch their MODx installations with the fix made in this commit: https://github.com/modxcms/revolution/commit/3d8175c010374a3662fb86492fe7e808df0bae66 (do not copy the entire modx.class.php file, just the affected lines)

    To patch for Revolution, simply paste the following lines into the file "core/model/modx/modx.class.php" after line 30 (after the comments):
    // Hotfix for PHP bug #53632: refuse any request whose GET/POST/COOKIE data
    // (anything in $_REQUEST, nested arrays and keys included, since serialize()
    // flattens them) contains the digits of 2.2250738585072011e-308. Dots are
    // stripped first so "2.2250738585072011" and "22250738585072011" both match.
    if (strstr(str_replace('.','',serialize($_REQUEST)), '22250738585072011')) {
      header('Status: 422 Unprocessable Entity'); die();
    }


    Alternatively, if you don’t have FTP or SSH access to your server, you can download a Plugin-based patch via Package Management, in "Hotfixes & Security Updates" -> "Hotfix" -> "bug-3350". Installing it will patch your installation with a Plugin. (While the Plugin will work, MODX recommends patching the files if possible.)

    To patch for Evolution, simply add the above lines at the top of the "manager/includes/protect.inc.php" file.

    Since this is a PHP bug, and not a MODx bug, this will affect any and all MODx installations on server architectures that use the x87 FPU and haven't forced SSE or float-store.

    LATE UPDATE:

    The MODX Team has released Revolution 2.0.6-pl2 which adds a workaround for this PHP bug, as well as a couple other issues. You can download it here: http://modxcms.com/download/. Upgrading is not required if you applied the patch above.

    Changelog for 2.0.6-pl2:
    MODx Revolution 2.0.6-pl2 (January 6, 2011)
    ====================================
    - [#3350] Fix for PHP bug: http://bugs.php.net/bug.php?id=53632
    - [#3347] Fix issue where renaming a file broke the browsing of directory tree
    - Fix issue where FC tvDefault rules, regardless of active state, are always run
      shaun mccormick | bigcommerce mgr of software engineering, former modx co-architect | github | splittingred.com

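Added example (editor's code, not MODX project code and not the hotfix itself): the same detection the Revolution and Evolution patches above perform, wrapped in a function and run against constructed request arrays so you can see which spellings of the value it catches. The function and constant names are the editor's own; the sample requests are made up, not captured traffic. It needs PHP 7 or later for the type declarations. Note what the check can and cannot see: $_REQUEST holds GET, POST and (depending on request_order/variables_order) cookie data, so a raw request body read from php://input (for example JSON) or a value arriving in a header is not covered by this filter.

```php
<?php
// Digits of the triggering value 2.2250738585072011e-308 with the decimal
// point removed. Because dots are stripped from the serialized request,
// "2.2250738585072011e-308" and "22250738585072011e-324" (the same double,
// written without a dot) both match the same needle.
const PHP_BUG_53632_NEEDLE = '22250738585072011';

/**
 * Return true when any key or value anywhere in $request (nested arrays
 * included) contains the digits of the PHP bug #53632 trigger value.
 * serialize() is used, as in the hotfix, because it flattens nested
 * structures such as a[b][c]=... and includes array keys, not only leaves.
 */
function request_contains_bug_53632_trigger(array $request): bool
{
    $flat = str_replace('.', '', serialize($request));
    return strpos($flat, PHP_BUG_53632_NEEDLE) !== false;
}

/**
 * What the hotfix does on a hit: answer 422 and stop before any later code
 * could convert the string to a float. This version returns the status code
 * instead of calling die(), so it can be exercised from the CLI.
 */
function reject_if_triggering(array $request): int
{
    if (request_contains_bug_53632_trigger($request)) {
        if (PHP_SAPI !== 'cli' && !headers_sent()) {
            header('Status: 422 Unprocessable Entity');
        }
        return 422;
    }
    return 200;
}

// Constructed sample requests (hypothetical, not real traffic).
$samples = [
    'benign'        => ['id' => '42', 'q' => 'modx revolution'],
    'plain value'   => ['page' => '2.2250738585072011e-308'],
    'no dot'        => ['page' => '22250738585072011e-324'],
    'nested array'  => ['a' => ['b' => ['c' => '0.22250738585072011e-307']]],
    'as a key'      => ['2.2250738585072011e-308' => 'x'],
    'longer digits' => ['x' => '2.22507385850720113605740979670913197593e-308'],
];

foreach ($samples as $label => $request) {
    $status = reject_if_triggering($request);
    printf("%-14s -> %d %s\n", $label, $status, $status === 422 ? 'BLOCK' : 'allow');
}
```

Run it with `php example.php`; every sample except "benign" is reported as 422. The nested and key cases are why the hotfix serializes $_REQUEST rather than joining its values: implode() would miss both.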