  • Not sure if this is indeed a bug....so I figured it should go in the Core Development section. Just wondering if anyone saw this post on the Etomite forum:

    http://www.etomite.org/forums/index.php?showtopic=2772


    Without going into any specific details regarding this possible threat, for security reasons, every Etomite installation using .htaccess should add the following lines to the .htaccess file in either their Etomite root directory or doc root... This issue has been brought to our attention and I have modified and tested this fix on my own server with and without FURL’s... This fix will be standard in the 0.6.1 release... These lines should be placed below RewriteEngine On...

    RewriteCond %{REQUEST_URI} ^.*\.idx$
    RewriteRule ^.*\.idx$ /404.html [L,QSA]
    



    This security issue was brought to our attention by Alberto Yon Valverde González... Alberto states that RewriteRule ^.*\.idx$ /404.html [F,L] is a better rewrite rule... On my server, however, the rewrite rule that I posted above seems to process more rapidly...

    Not sure what this really does...but from what I can tell, it looks like an extra rewrite rule that changes the URL of the 404 page. Probably a good idea at any rate. smiley

    Jeff
      Jeff Whitfield

      "I like my coffee hot and strong, like I like my women, hot and strong... with a spoon in them."
    • Actually, I believe that was addressed in a code update long ago. Raymond is even helping the Etomite folks with a couple of other security fixes he found and fixed at the same time as this! laugh
        Ryan Thrash, MODX Co-Founder
        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
      • Heh heh! Figures! wink
          Jeff Whitfield

        • Quote from: Bravado at Jul 12, 2005, 07:30 PM

          Not sure what this really does...but from what I can tell, it looks like an extra rewrite rule that changes the URL of the 404 page. Probably a good idea at any rate. smiley
          It simply rewrites all requests for .idx files to the /404.html page.
            Johnny Chadda
            http://johnny.chadda.se
            "This is a UNIX virus. Please remove all your files and copy this message to friends."
          • That’s a big "DUH!" for me! Why didn’t I think of that? At first I thought, "IDX files?". Then it dawned on me...the siteCache.idx file! Definitely a security risk! I’d probably do the same for .pageCache files as well. Even though there really isn’t anything in them too important, doesn’t hurt to be careful. wink
              Jeff Whitfield

            • Quote from: Bravado at Jul 13, 2005, 09:45 PM

              That’s a big "DUH!" for me! Why didn’t I think of that? At first I thought, "IDX files?". Then it dawned on me...the siteCache.idx file! Definitely a security risk! I’d probably do the same for .pageCache files as well. Even though there really isn’t anything in them too important, doesn’t hurt to be careful. wink

              Well that’s the way to go for Linux users but what about Windows users?

              The good news is that this security bug was fixed some time ago in TP3. We have renamed the files to .php so no need for a ReWrite rule smiley

                xWisdom
                www.xwisdomhtml.com
                The fear of the Lord is the beginning of wisdom:
                MODx Co-Founder - Create and do more with less.
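
An added example, not part of the original thread and not Etomite or MODx code: a docroot audit that lists .idx and .pageCache files which no rewrite rule in the root .htaccess matches. The directory layout and file names are constructed; as simplifications, only the root .htaccess is read, only RewriteCond lines on %{REQUEST_URI} without negation are evaluated, and any matching rule is counted as diverting the request.

```python
import re
import tempfile
from pathlib import Path

CACHE_SUFFIXES = (".idx", ".pagecache")  # extensions named in the thread, lowercased

def blocking_rules(htaccess_text):
    """Return (rule_regex, [REQUEST_URI cond regexes]) for rules this sketch can evaluate."""
    rules, conds = [], []
    for parts in (line.split() for line in htaccess_text.splitlines()):
        if len(parts) < 3:
            continue
        if parts[0] == "RewriteCond":
            conds.append((parts[1], parts[2]))
        elif parts[0] == "RewriteRule":
            # Conservative: a rule guarded by any other kind of condition is not counted.
            if all(var == "%{REQUEST_URI}" for var, _ in conds):
                rules.append((re.compile(parts[1]), [re.compile(p) for _, p in conds]))
            conds = []  # RewriteCond lines apply only to the next RewriteRule
    return rules

def exposed_cache_files(docroot):
    """List cache files under docroot that no evaluable root .htaccess rule matches."""
    docroot = Path(docroot)
    ht = docroot / ".htaccess"
    rules = blocking_rules(ht.read_text()) if ht.exists() else []
    exposed = []
    for path in sorted(docroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CACHE_SUFFIXES:
            continue  # e.g. a cache file renamed to end in .php is skipped here
        rel = path.relative_to(docroot).as_posix()  # per-directory rules see no leading slash
        if not any(rx.search(rel) and all(c.search("/" + rel) for c in conds)
                   for rx, conds in rules):
            exposed.append(rel)
    return exposed

def demo():
    """Constructed docroot: the posted rule covers .idx but leaves .pageCache uncovered."""
    with tempfile.TemporaryDirectory() as root:
        cache = Path(root, "assets", "cache")
        cache.mkdir(parents=True)
        for name in ("siteCache.idx", "docid_1.pageCache", "siteCache.idx.php"):
            (cache / name).write_text("constructed sample")
        Path(root, ".htaccess").write_text(
            "RewriteEngine On\nRewriteCond %{REQUEST_URI} ^.*\\.idx$\n"
            "RewriteRule ^.*\\.idx$ /404.html [L,QSA]\n")
        return exposed_cache_files(root)

if __name__ == "__main__":
    print(demo())
```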