    Hi All,

    I have noticed a very strange (and dangerous?) behavior in the MODX manager. If I use Apache to host MODX and enable session auto-start via .htaccess, then any registered user can log in to the MODX manager without any security checks.
    php_flag session.auto_start 1

    It is reproducible on 2 servers for me. Even if the user has no roles at all, MODX allows them in.

    When I disable the flag and restart Apache, everything works as expected except for Personalize, which does not show the user-specific content for the home page but shows it for others. This one is the FURLs problem, I believe.

    Please help with this security issue. I found no information on whether the auto_start flag breaks all website security.
    Thank you for any help!

    Kind regards,
    Pavel

    This question has been answered by pkorsukov. See the first response.

    • On my localhost installation, that just breaks the Manager login altogether. The login form page just reloads.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        After some research I found that my site_url system setting is set to http://domain/en/, which causes PHP session cookies to have path = /en/.
        The invalid PHP session path breaks authorization and Personalize for the home page if auto_start = 0.

        So it looks like cookie path /en/ plus auto_start = 1 allows a user to log into the manager, bypassing security. Can anyone check it?

        Here is the way to reproduce it:
        update modx_context_setting
        set `value`='http://localhost/en/'
        where `context_key`='web' and `key`='site_url';
        
        update modx_context_setting
        set `value`=''
        where `context_key`='web' and `key`='session_cookie_path';
        In .htaccess I use a rewrite rule
        RewriteRule ^(en/)?(.*)$ index.php?q=$2 [L,QSA]
        
        php_flag session.auto_start 1
        
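        To make the cookie-path part of the report concrete, here is an added example (not code from the post or from MODX) that applies the browser cookie rules from RFC 6265 section 5.1.4 to the two session cookies that exist in the setup above: one PHPSESSID set with PHP's default session.cookie_path of / (what session.auto_start produces before the application configures anything) and one PHPSESSID set with path /en/ (what MODX derives from a site_url ending in /en/ when session_cookie_path is empty). The Set-Cookie header values are constructed for the example. It does not reproduce a login bypass; it only shows why a cookie scoped to /en/ never reaches /manager/, and that an auto-started cookie at path / is sent to every path, which is what makes the two configurations behave differently.

```python
"""Cookie path matching (RFC 6265 section 5.1.4 / 5.4) applied to the
two PHPSESSID cookies from the MODX report above.  Constructed example,
not code from MODX or from the forum post."""
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (assumed values, not captured traffic).
# session.auto_start starts a session with PHP's default cookie path "/".
SET_COOKIE_FROM_AUTO_START = "PHPSESSID=aaaa1111; path=/; HttpOnly"
# MODX with site_url = http://localhost/en/ and empty session_cookie_path
# sets its session cookie scoped to /en/ (as observed in the post).
SET_COOKIE_FROM_MODX = "PHPSESSID=bbbb2222; path=/en/; HttpOnly"


def default_path(request_path: str) -> str:
    """Default-path for a Set-Cookie that carries no Path attribute."""
    if not request_path.startswith("/"):
        return "/"
    idx = request_path.rfind("/")
    return "/" if idx <= 0 else request_path[:idx]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def parse_set_cookie(headers, request_path):
    """Turn raw Set-Cookie header values into (name, value, path) triples.

    A browser keys stored cookies on (name, domain, path), so two PHPSESSID
    cookies with different paths coexist rather than overwriting each other.
    """
    jar = []
    for line in headers:
        c = SimpleCookie()
        c.load(line)
        for name, morsel in c.items():
            path = morsel["path"] or default_path(request_path)
            jar.append((name, morsel.value, path))
    return jar


def cookies_sent(jar, request_path):
    """Cookies a browser attaches to a request for request_path.

    Per RFC 6265 section 5.4, cookies with longer paths are sent first, so a
    server that reads only the first PHPSESSID sees the most specific one.
    """
    matching = [(n, v, p) for n, v, p in jar if path_matches(request_path, p)]
    matching.sort(key=lambda t: len(t[2]), reverse=True)
    return [(n, v) for n, v, _ in matching]


# Both cookies were set by a response to a request under /en/.
JAR = parse_set_cookie([SET_COOKIE_FROM_AUTO_START, SET_COOKIE_FROM_MODX], "/en/")

if __name__ == "__main__":
    for path in ("/", "/en/", "/manager/"):
        print(path, "->", cookies_sent(JAR, path))
```

        Running it shows that /manager/ only ever receives the path / cookie, so with auto_start disabled the /en/-scoped MODX session never reaches the manager (the login page "just reloads"), while with auto_start enabled every request carries a session cookie created before MODX had a chance to configure or validate it. The practical check is the one the thread converges on: do not set session.auto_start, and make sure session_cookie_path is explicitly / (or that site_url has no sub-path) so there is exactly one session cookie with a path that covers both the web and manager contexts.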
        • I presume that you are not logged in to the Manager at the same time you are logging in as the 'web' user?
            No. For testing I start a private browser session and log in with the test account. In my understanding, any other sessions should not affect the current one, even if somebody is already logged in to the `mgr` context.
            • Humor me, try it with a different browser altogether, or logging out of the Manager first.
                Not sure what you mean. The test was done after the log out. Anyway, I have upgraded to 2.3.3, removed the .htaccess flag, and now it is working. Thank you for your thoughts.