New 2.5.4 install: server error on changelog.txt when manager opened

5 Posts

modularity Reply #1, 7 years, 3 months ago

I've just installed newest MODx from fresh on a new webserver. All looks good but I see a couple of these in the error log, they appear when I open the manager:

[Sun Jan 22 10:04:43.278243 2017] [access_compat:error] [pid 16061] [client 54.194.127.25:59913] AH01797: client denied by server configuration: MYPATH/modx-2.5.4-pl/core/docs/changelog.txt

This is an Apache server, and the MODX core is under the public root BUT with denial via .htaccess:

order deny,allow
deny from all

It is all readable by the httpd (otherwise nothing would work). So why is the changelog being accessed directly (apparently?) and thus denied? Bug?

93 Posts

Jeff Miranda Reply #2, 6 years, 10 months ago

Happening on my 2.5.7 install as well.

24,544 Posts

BobRay Reply #3, 6 years, 10 months ago

Are those errors just from setup, or do they always occur when launching the Manager?

Have you looked to see if there's anything different about the permissions or ownership of that file or in its path?

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

93 Posts

Jeff Miranda Reply #4, 6 years, 10 months ago

Hmm, good call Bob. The error isn't from setup but it does seem to happen every time I launch the Manager.

There also doesn't seem to be anything different with the permissions or ownership.

24,544 Posts

BobRay Reply #5, 6 years, 10 months ago

I think I've at least found the location of the problem:

core\model\modx\processors\system\config_check.inc.php

MODX seems to use that file's existence as an indicator of whether the core has been moved. The cURL response is probably not the one MODX is expecting. I had a similar problem with SiteCheck.

I thought there was a way to turn off the config check in System Settings, but I couldn't find it.

If I'm right about what the problem is, there are several possible fixes.

1. Edit the default Dashboard (System -> Dashboards) and remove the Configuration Check widget.

2. Rename that readme.txt file. (I think this would work, but it would be undone by every MODX upgrade).

3. Move the core above the web root. This would be my choice. I feel safer with the whole core absolutely inaccessible from the web and in a location few hackers would look for it. It's not difficult to do. You only have to do it once. UpgradeMODX will still work. And you can create a Media Source that lets you still see and edit the core files on the Files tab in the Manager.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

☆ A M B ☆
3,141 Posts

Mark Hamstra Reply #6, 6 years, 10 months ago

That's indeed the config check widget to see if your core folder is accessible or not. The error is being logged by apache in the apache log, not MODX, which is a bit annoying but actually a good sign that your MODX core folder is secured, and that attempts to access it are being logged.

Mark Hamstra • Developer spending his days working on Premium Extras and a MODX Site Dashboard with the ability to remotely upgrade MODX and extras to make the MODX world a little better.

Tweet me @mark_hamstra, check my infrequent blog at markhamstra.com, my slightly more frequent ramblings at MODX.today or see code at Github.