    Dear Ryan, Lammikko, soushi and all other staff,

    This is Nick, a moderator of the Japanese community.

    I’d like to summarize this discussion and follow soushi’s opinion.
    (Because we Japanese members are not so good at English, and we’d like to confirm our policy.)

    I understand that we talked like this:

    ・soushi found the XSS issue in the QM+ plugin (it is included in modx 1.0, the latest available version)

    ・Lammikko has examined it and reported the issue to JIRA with modified files

    ・soushi demanded that it be adapted to modx’s latest version ASAP and released as a fixed package

    ・Ryan asked soushi about his demand (I guess that his comment was a little difficult to understand)

    ・soushi said that the fixed program files should be adapted to the latest version and announced to all modx users.

    How about it? Is my understanding right?

    -------------------------

    We Japanese community members talked about this issue, and we all would really like to request that the fixed program be adopted ASAP. We think it’s a bit of dull work, but we want modx to be a safe CMS system, and issues such as XSS should be fixed soon.

    Please give a thoughtful conclusion, and make it soon.

    Sincerely,

    Nick of Tokyo, Japan.

    • Hello Nick,

      (I think it’s safe to say you and Soushi need no introductions when making posts any longer. smiley )

      Your summary is correct. We’re working on a security and bugfix release imminently, based on the original 1.0 release. You can view the issue list for it here:
      http://svn.modxcms.com/jira/secure/IssueNavigator.jspa?reset=true&mode=hide&sorter/order=DESC&sorter/field=priority&resolution=-1&pid=10001&fixfor=10132
      (of note, issue 206 is addressed but can be further improved by adding tokens to all requests in the Manager. We’re evaluating if this will be done for the 1.0.1 release).

      The changelog from the 1.0 release can be browsed here: http://svn.modxcms.com/crucible/changelog/modx/branches/1.0.1

      Any other urgent or important updates requested from the Japanese community that should be included?
        Ryan Thrash, MODX Co-Founder
        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
        QuickManager+ version 1.3.3 is now ready: http://modxcms.com/forums/index.php/topic,40588.msg245595.html#msg245595

        Added today one more change as Ryan suggested: A fallback to English if the languages are missing in the Manager/user settings

        I’ll add version 1.3.3 to the public QuickManager+ support thread and submit it to repository too.

        It’s advised to upgrade QuickManager+ to version 1.3.3 or at least apply soushi’s patch for earlier versions:

        1. Open file "assets/plugins/qm/close.php"

        2. Replace lines
        // Get parameters
        if (isset($_GET['id'])) $id = $_GET['id'];
        if (isset($_GET['baseurl'])) $baseurl = $_GET['baseurl'];
        if (isset($_GET['action'])) $action = $_GET['action'];

        with
        // Get parameters
        $id = isset($_GET['id']) && preg_match('/^[0-9]+$/',$_GET['id']) ? $_GET['id']:'1';
        $baseurl = isset($_GET['baseurl']) && !preg_match('/^[ \t]*https?:\/\//i',$_GET['baseurl']) ? htmlspecialchars($_GET['baseurl'],ENT_QUOTES):'/';
        $action = isset($_GET['action']) ? $_GET['action']:'';


        I don’t want to go solo, so I’ll let the MODx core team decide how to handle the public announcement of this possible security vulnerability.
          Mikko Lammi, Owner at Maagit
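        As an added example (not code from QuickManager+ nor from Mikko’s post), here is the parameter handling of the patched close.php factored into a function and run against constructed query-string inputs, so the effect of each check is visible. The function name qm_close_params and every sample input are assumptions made for this illustration.

```php
<?php
// Added example, not code from QuickManager+ or from the thread: the
// parameter handling of the patched close.php wrapped in a function so it
// can be exercised offline. The function name qm_close_params and the
// sample inputs below are assumptions made for this illustration.

function qm_close_params(array $get): array
{
    // id: digits only (an allowlist); anything else falls back to document 1.
    $id = isset($get['id']) && preg_match('/^[0-9]+$/', $get['id'])
        ? $get['id'] : '1';

    // baseurl: refuse values starting with http:// or https:// (after optional
    // spaces/tabs, case-insensitive) and HTML-encode the rest, quotes included,
    // so the value cannot break out of an attribute or tag if it is echoed.
    // The thread does not say what baseurl is used for; the check applies
    // regardless of that.
    $baseurl = isset($get['baseurl'])
        && !preg_match('/^[ \t]*https?:\/\//i', $get['baseurl'])
        ? htmlspecialchars($get['baseurl'], ENT_QUOTES) : '/';

    // action: the patch only supplies a default; it is neither validated nor
    // encoded here, so it must still be treated as untrusted wherever it is used.
    $action = isset($get['action']) ? $get['action'] : '';

    return ['id' => $id, 'baseurl' => $baseurl, 'action' => $action];
}

// Constructed query-string inputs (not captured traffic).
$cases = [
    'benign'        => ['id' => '12', 'baseurl' => '/manager/', 'action' => 'close'],
    'script in id'  => ['id' => '1"><script>alert(1)</script>'],
    'script in url' => ['baseurl' => '"><script>alert(1)</script>'],
    'absolute url'  => ['baseurl' => '  HTTP://attacker.example/'],
    'no parameters' => [],
];

foreach ($cases as $label => $get) {
    $p = qm_close_params($get);
    printf("%-14s id=%s  baseurl=%s  action=%s\n",
        $label, $p['id'], $p['baseurl'], var_export($p['action'], true));
}
```

        Running it shows the digit-only check dropping the tag smuggled into id (it becomes 1), the leading-whitespace, case-insensitive check turning the absolute URL into /, and the script in baseurl surviving only as &quot;&gt;&lt;script&gt;... text. One PHP caveat worth knowing when applying the patch as written: a request such as close.php?id[]=1 hands preg_match an array rather than a string, which PHP 5 and 7 answer with a warning and a non-true result (so the fallback applies), while PHP 8 throws a TypeError.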
        • Thanks Mikko, latest tweaks committed now.
            Ryan Thrash, MODX Co-Founder

            Dear Ryan, Lammikko, Nick,

            We released the announcement and the patch for this XSS vulnerability on the modx Japanese users’ website smiley

            http://modxcms-jp.com/news/2009-1019.html (in Japanese)

            Sincerely yours,
            soushi
            • Quote from: soushi at Oct 19, 2009, 03:45 PM

              We released the announcement and the patch for this XSS vulnerability on the modx Japanese users’ website smiley

              Just to make sure I understand 100%, this announcement is for the fixes included here, and that are a part of the pending 1.0.1 release, correct?
                Ryan Thrash, MODX Co-Founder
              • Hello, Ryan,

                Quote from: rthrash at Oct 19, 2009, 11:42 PM

                Quote from: soushi at Oct 19, 2009, 03:45 PM

                We released the announcement and the patch for this XSS vulnerability on the modx Japanese users’ website smiley

                Just to make sure I understand 100%, this announcement is for the fixes included here, and that are a part of the pending 1.0.1 release, correct?

                We announced three measures for modx users:

                1. Update QM+ to version 1.3.3 or later (the current new version)

                2. Apply a revision patch (only overwriting close.php)
                http://modxcms.com/forums/index.php/topic,40588.msg245471.html#msg245471
                http://code.google.com/p/modx-ja/downloads/detail?name=patch_modx-1.0.0J_qm.zip

                3. Delete QM+

                and,

                http://code.google.com/p/modx-ja/downloads/detail?name=modx-1.0.0J-p1.zip

                We released the Evo "1.0-patch1", which replaces only close.php.

                We thought we should offer a simple prescription quickly to keep users secure.
                We will distribute this until version 1.0.1 is released.