Security Fix?

1,131 Posts

Bravado Reply #1, 18 years, 9 months ago

Not sure if this is indeed a bug....so I figured it should go in the Core Development section. Just wondering if anyone saw this post on the Etomite forum:

http://www.etomite.org/forums/index.php?showtopic=2772

Without going into any specific details regarding this possbile threat, for security reasons, every Etomite installation using .htaccess should add the following lines to the .htaccess file in either their Etomite root directory or doc root... This issue has been brought to our attention and I have modified and tested this fix on my own server with and without FURL’s... This fix will be standard in the 0.6.1 release... These lines should be placed below RewriteEngine On...

RewriteCond %{REQUEST_URI} ^.*\.idx$
RewriteRule ^.*\.idx$ /404.html [L,QSA]

This security issue was brought to our attention by Alberto Yon Valverde Gonz?lez... Alberto states that using RewriteRule ^.*\.idx$ /404.html [F,L] as being a better rewrite rule... On my server, however, the rewrite rule that I posted above seems to process more rapidly...

Not sure what this really does...but from what I can tell, it looks like an extra rewrite rule that changes the URL of the 404 page. Probably a good idea at any rate.

Jeff

Jeff Whitfield

"I like my coffee hot and strong, like I like my women, hot and strong... with a spoon in them."

MODX Staff
12,272 Posts

Ryan Thrash Reply #2, 18 years, 9 months ago

Actually, I believe that was addressed in a code update long ago. Raymond is even helping the Etomite folks with a couple of other security fixes he found and fixed at the same time as this! laugh

Ryan Thrash, MODX Co-Founder
Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me

1,131 Posts

Bravado Reply #3, 18 years, 9 months ago

Heh heh! Figures! wink

Jeff Whitfield

"I like my coffee hot and strong, like I like my women, hot and strong... with a spoon in them."

19 Posts

zeth Reply #4, 18 years, 9 months ago

Quote from: Bravado at Jul 12, 2005, 07:30 PM

Not sure what this really does...but from what I can tell, it looks like an extra rewrite rule that changes the URL of the 404 page. Probably a good idea at any rate.

It simply rewrites all requests for .idx files to the /404.html page.

Johnny Chadda
http://johnny.chadda.se
"This is a UNIX virus. Please remove all your files and copy this message to friends."

1,131 Posts

Bravado Reply #5, 18 years, 9 months ago

That’s a big "DUH!" for me! Why didn’t I think of that? At first I thought,"IDX files?". Then it dawned on me...the siteCashe.idx file! Definitely a security risk! I’d probably do the same for .pageCache files as well. Even though there really isn’t anything in them too important, doesn’t hurt to be careful. wink

Jeff Whitfield

"I like my coffee hot and strong, like I like my women, hot and strong... with a spoon in them."

1,732 Posts

xwisdom Reply #6, 18 years, 9 months ago

Quote from: Bravado at Jul 13, 2005, 09:45 PM

That’s a big "DUH!" for me!? Why didn’t I think of that?? At first I thought,"IDX files?".? Then it dawned on me...the siteCashe.idx file!? Definitely a security risk!? I’d probably do the same for .pageCache files as well.? Even though there really isn’t anything in them too important, doesn’t hurt to be careful.?

Well tha’s the way to go for Linux users but what about Windows users?

The good news is that this security bug was fixed sometime ago in TP3. We have renamed the files to .php so no need for a ReWrite rule

xWisdom
www.xwisdomhtml.com
The fear of the Lord is the beginning of wisdom:
MODx Co-Founder - Create and do more with less.