Secure Web Pages Inaccessible Following Upgrade to Evo 1.0.14

Following a recent update to 1.0.14, web pages which were secured using the MODx security manager are inaccessible. They operated properly before the upgrade. When attempting to login to these pages using the proper web user credentials, one of two error messages is displayed: (1) just a blank page with "Error" in the upper left (seems like a PHP default error), or (2) the following Wayfinder error (which looks like bad SQL):

« MODX Parse Error »

MODX encountered the following error while attempting to parse the requested resource:

« Execution of a query to the database failed - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '&outerClass=' at line 1 »

SQL > SELECT DISTINCT DISTINCT sc.id, sc.menutitle, sc.pagetitle, sc.introtext, sc.menuindex, sc.published, sc.hidemenu, sc.parent, sc.isfolder, sc.description, IF(sc.alias='', sc.id, sc.alias) AS alias, sc.longtitle, sc.type,if(sc.type='reference',sc.content,'') as content, sc.template, sc.link_attributes FROM `mydomain_mod1`.`modx_site_content` sc LEFT JOIN `mydomain_mod1`.`modx_document_groups` dg ON dg.document = sc.id WHERE sc.published=1 AND sc.deleted=0 AND (sc.privateweb=0 OR dg.document_group IN (76)) AND sc.hidemenu=0 AND sc.id IN (1289,47,53,54,55,58,56,57,59,60,61,747,1383,621,1589,48,62,63,64,67,66,65,1478,5,49,68,69,70,2459,2570,2708,297,966,7,50,2369,1858,75,2451,1607,2353,74,76,1856,73,1098,1097,51,80,81,82,11,52,1227,1277,1,1860,2374,2758,1321,2346,2348,2347,4,37,46,1737,1224,6,91,1214,1211,1994,1956,89,1213,1212,92,1611,1620,1615,1621,1612,1617,1613,1919,2379,2745,2748,2749,2747,2746,2750,1932,2759) GROUP BY sc.id ORDER BY sc.menuindex ASC LIMIT 0, &outerClass=

Basic info
REQUEST_URI : http://www.mydomain.org/director-resources.html
Resource : [2379]Director Resources
Current Snippet : Wayfinder
Referer :
User Agent : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
IP : 198.143.37.1
Benchmarks
MySQL : 0.0083 s (5 Requests)
PHP : 0.0957 s
Total : 0.1040 s
Memory : 10.4032516479 mb

Backtrace
1 DocumentParser->executeParser()
index.php on line 144
2 DocumentParser->prepareResponse()
manager/includes/document.parser.class.inc.php on line 1579
3 DocumentParser->parseDocumentSource()
manager/includes/document.parser.class.inc.php on line 1666
4 DocumentParser->evalSnippets()
manager/includes/document.parser.class.inc.php on line 1461
5 DocumentParser->_get_snip_result()
manager/includes/document.parser.class.inc.php on line 1060
6 DocumentParser->evalSnippet()
manager/includes/document.parser.class.inc.php on line 1147
7 eval()
manager/includes/document.parser.class.inc.php on line 1009
8 require()
manager/includes/document.parser.class.inc.php(1009) : eval()'d code on line 1
9 Wayfinder->run()
assets/snippets/wayfinder/snippet.wayfinder.php on line 97
10 Wayfinder->getData()
assets/snippets/wayfinder/wayfinder.inc.php on line 61
11 DBAPI->select()
assets/snippets/wayfinder/wayfinder.inc.php on line 428
12 DBAPI->query()
manager/includes/extenders/dbapi.mysql.class.inc.php on line 243

I have tried reloading Wayfinder from the 1.0.14 package and updating the Wayfinder snippet to no effect. I tested a new web user, group, resource group to no avail so the problems not just with "old" content.

Perhaps unrelated, but I have also found that the Delete button is disabled for all element types (none are restricted to Role ID = 1).

The site was running Evo 1.0.4 and was hacked [Ya, I know - way outta date. It's a non-profit I help when they get in a jamb. I reverted the site to a good backup, installed much tighter security and did the upgrade to 1.0.14.] The site currently runs Evo 1.0.14, PHP 5.2.17 (according to MODx System Info though it's 5.4.24 on CPanel) on an Apache 2.2.27 server.

What's my best option here: (1) reinstall MODx 1.0.14 from scratch, (2) reinstall the upgrade (not even sure I can since it's upgraded to 1.0.14 already, (3) something else? If I reinstall from scratch, what can I do to avoid having to reload all the client's assets (images, docs, files, etc.)? They have thousands of files. I'm concerned a full reinstall would wipe a lot of client files which I'd have to reload from backup.

Your help is greatly appreciated. I'm not fluent with the deep workings of MODx.

3 initial thoughts
- See if your hosting company will let you run PHP 5.3 on the server
- If NOT try this http://forums.modx.com/thread/84905/error-types-and-php-5-3-e-deprecated-and-e-user-deprecated#dis-post-500970
- If you revert back you can secure the site by patching, deleting files + plugins and restrict direct access to php files. You have to go through the changelog and find the code changes (github). This is of course NOT the ideal solution.

Great Stuff: https://www.apachefriends.org/index.html

You can always reinstall MODX over top of itself. It's quite possible that there have been significant changes to extras over time. It's also possible that Wayfinder for evo was changed at some point between 1.0.4 and now.

Quote from: sitecoder at Jun 23, 2014, 06:47 PM

I have tried reloading Wayfinder from the 1.0.14 package and updating the Wayfinder snippet to no effect.

What if you try Wayfinder 2.0.1 and NOT the newest version!

Wayfinder 2.0.2 seems to cause issues: http://forums.modx.com/thread/91469/hostgator-shutdown-site-for-high-cpu-abuse-after-upgrade-to-1-0-14#dis-post-501315

Well, I've tried the 2.0.0 and 2.0.1 versions of Wayfinder with no change. I'll try a full MODx 1.0.14 install from the ground up tonight. Hopefully that will clear up any code incompatibilities. Given that the site manager seems to have some other issues (disabled "delete" button in elements editor) this may be the best path anyway.

Thanks for the ideas everyone. I appreciate your time to respond. I'll let you know how it goes.

Think you have an error in your Wayfinder call in (2).

Probably the &limit parameter does not have any backticks (`) around the value or the closing backtick is missing. This way the next parameter &outerClass= is used as value for limit.

SOLVED - There were two issues:

1. Reinstalling MODx 1.0.14 from scratch seems to have cured the web access issue from other secured pages.
2. There was a Wayfinder call error which was causing the detailed error above. Oddly it worked fine before but the upgrade seems to be a bit more stringent on the Wayfinder code syntax - thus the problem after the initial upgrade.

Thank you again for all your input. I really appreciate the assistance!