    What is "ModX v0.9.O_Free_Edition"?
    • I think it’s an edition where the installer was patched to handle the French mysql error messages for the French "Free" hosting service. Davidm knows more about it.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        It is right, Sottwell.

        Free is a French hoster which hosts websites for free. The drive space is big (1Go I think). There are some limitations, and most CMSs (or other PHP site builds) don’t work naturally with Free. So it is necessary to patch this application.
          Sorry for my english. I'm french... My dictionary is near me, but it's only a dictionary !
          Thank you very much for your responses.
          I confirm, Free is a host and it offers 1 Go of web space.
          Sorry for my English
            Quote from: sottwell at Apr 21, 2006, 08:40 PM
            I think it’s an edition where the installer was patched to handle the French mysql error messages for the French "Free" hosting service. Davidm knows more about it.

            You can find the Free Edition thread here. Of course, it’s in French, but you’ll see there that this version has been downloaded almost 600 times...

            Actually the problem with the MySQL error message happened with all French hosts set up to display error messages in French (which is now solved with the mysql Errno fix) ... Free was another problem which you helped me fix, Susan:
            chmod "locked" by hosting at 700 and 644 : possible to run MODx ?

            You might not remember but you helped me fix all the includes path, a pretty daunting task which I never updated for 0.9.1

            Would it be fair to guess that patching MODx 0.9.0 document.parser.class is perfectly safe ?
            Didn’t check but was there a change here between 0.9.0 and 0.9.1 ?
              .: COO - Commerce Guys - Community Driven Innovation :.


              MODx est l'outil id
              If you’re currently using version 0.9.0, you should also apply this patch, to avoid an XSS vulnerability that has been fixed in 0.9.1.
                Thanks for the tip Timon, I had forgotten about this...

                I’ll post something to have MODx 0.9.0 "Free Edition" users patch their installs.
                And I’ll patch the package so that new downloads are covered :)
                • Quote from: davidm at Apr 21, 2006, 09:51 PM

                  Would it be fair to guess that patching MODx 0.9.0 document.parser.class is perfectly safe ?
                  Didn’t check but was there a change here between 0.9.0 and 0.9.1 ?

                  It’s not that difficult to patch any version. The pre-.9 versions use a slightly different function, but the switch is much the same, and it’s not at all hard to add the validity checks. I did it a bit differently; instead of the cryptic NaN message I just throw the would-be hacker back to the home page. I would feel better about it if the security gurus would verify that this will solve the problem.

                  FOR PRE-0.9x INSTALLS ONLY!!!! DO NOT APPLY THIS PATCH TO A 0.9X INSTALLATION!!!
                  	function getDocumentIdentifier($method) {
                  	// function to test the query and find the retrieval method
                  		switch($method) {
                  			case "alias" :
                  				return mysql_escape_string($_REQUEST['q']);
                  				break;
                  			case "id" :
                  				if(is_numeric($_REQUEST['id'])) {
                  					return $_REQUEST['id'];
                  				} else {
                  					return $this->config['site_start'];
                  				}
                  				break;
                  			case "none" :
                  				return $this->config['site_start'];
                  				break;
                  			default :
                  				return $this->config['site_start'];
                  		}
                  	}
                  
                    Even if it sounds paranoid :) it’s important to use:
                    return intval($_REQUEST['id']);
                    
                    • Quote from: netnoise at Apr 22, 2006, 09:31 AM

                      Even if it sounds paranoid :) it’s important to use
                      return intval($_REQUEST['id']);
                      

                      So that should be
                      case "alias" :
                      return intval($_REQUEST['q']);
                      break;
                      
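The difference between the is_numeric() check and the intval() cast discussed in this thread, as an added example that is not part of the original posts or of the MODx code base. SITE_START, the function names and the sample inputs are constructed for illustration, and the filter_var() variant is an extra option that nobody in the thread proposed.

```php
<?php
// Added example, not MODx code.
// SITE_START is a hypothetical stand-in for $this->config['site_start'].
const SITE_START = 1;

// The check as posted in the thread: any string PHP considers "numeric"
// is returned unchanged, so the caller still receives a raw string.
function idByIsNumeric($raw) {
    return is_numeric($raw) ? $raw : SITE_START;
}

// The cast suggested in the reply: the result is always an integer, but
// invalid input is silently converted instead of rejected
// ("12abc" becomes 12, a non-numeric string becomes 0).
function idByIntval($raw) {
    return intval($raw);
}

// Stricter variant (an assumption of this example, not from the thread):
// accept only a positive decimal integer, otherwise fall back to the
// start page, which keeps the "send them home" behaviour of the patch.
function idStrict($raw) {
    $id = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? SITE_START : $id;
}

// Constructed sample inputs: a normal id, values that are "numeric" but
// not plain integers, a value with trailing text, and an alias-like string.
$samples = ['42', '1e3', '4.5', ' 7', '-3', '12abc', 'about-us', ''];

foreach ($samples as $raw) {
    printf("%-11s is_numeric=%-6s intval=%-5d strict=%d\n",
        var_export($raw, true),
        var_export(idByIsNumeric($raw), true),
        idByIntval($raw),
        idStrict($raw));
}
```

Run it with the PHP command-line interpreter to compare the three columns per input; the exact intval() result for exponent notation such as '1e3' depends on the PHP version.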
