QuickEdit doesn't work in new release?

I tried it using IE6.

Before I posted this, I also tried IE7 and FF3.

And guess what? In IE7 QuickEdit doesn’t work either, but in FF3 it works fine.

So it seems to be an IE issue (surprise)

Am I the only one experiencing this problem?

Is there anyting I can do to solve this?

Any thoughts?

Just keep the Validate HTTP_REFERER headers turned off.

Ah, well... already thought of that

But this option hasn’t been added for nothing, right?

Was just wondering if I’m the only one with this problem or all IE users have the same problem?

Would be nice if it could be solved of course

I’m searching the internet trying to find a solution.

As it turns out, it’s a problem that exists for several years, as you can see in this tread: http://www.webmaster-talk.com/php-forum/19149-_server-http_referer-fails-under-internet-explorer.html

I keep on searching. If I think I’ve found something, I will report it here.

*edit 1*
Found this information on the Microsoft site: http://support.microsoft.com/kb/178066

*edit 2*
Well, I keep finding the problem, but no real solutions.

According to some it’s just IE4+, according to others it could be environmental (firewalls and other security measures).

Many point out that validate HTTP_REFERER is not a real security measure, because it can easily be influenced client side, as you for instance can read here: http://seclists.org/webappsec/2005/q4/0289.html

So, I guess turning this option off isn’t going to be a big issue

Had the same problem just on IE and setting http refers to off works fine. Is there a risk?

As I pointed out in my previous post, validate HTTP_REFERER can easily be influenced from the client side.

So, it wouldn’t be that difficult for hackers to crack this security measure.

To my opinion turning off this option wouldn’t increase the security risk.

Quote from: WeBe at Feb 02, 2009, 08:24 AM

As I pointed out in my previous post, validate HTTP_REFERER can easily be influenced from the client side.

So, it wouldn’t be that difficult for hackers to crack this security measure.

This is true, though it can prevent a majority of XSS attacks.

Quote from: WeBe at Feb 02, 2009, 08:24 AM

To my opinion turning off this option wouldn’t increase the security risk.

The only security risk we had before this feature was introduced was if one of your editors was logged into the manager and got tricked into visiting a malicious web site and clicking a link back into the manager that say, deleted a document, or executed some other action directly that the editor never intended. So it’s really dependent on your editors and their knowledge of/ability to avoid such scams.

Additional security measures will be implemented in future releases to render these XSS attempts futile, regardless of the HTTP_REFERER headers.

Hi, today I´ve noticed the same problem in my 0.9.6.3 installation. AND my manager shows up the same message through all framed parts (header/navi/content). Thats the biggest problem for me, because for that reason I can´t walk through the settings to turn off validate HTTP_REFERER.
Can anybody tell me how I can find the according entry and value in the modx Database? Please help me out of this!

Oh and I use Firefox 3.0.8 on a mac

Quote from: nixdesigner at Mar 30, 2009, 03:19 PM

Hi, today I´ve noticed the same problem in my 0.9.6.3 installation. AND my manager shows up the same message through all framed parts (header/navi/content). Thats the biggest problem for me, because for that reason I can´t walk through the settings to turn off validate HTTP_REFERER.
Can anybody tell me how I can find the according entry and value in the modx Database? Please help me out of this!

Oh and I use Firefox 3.0.8 on a mac

In the {modx_}system_settings table you will find a record with the setting_name of ’validate_referer’; change the setting_value to 0. However, now you need to reload/edit the cache; you can upload the install/ and run an upgrade OR edit the same value in your assets/cache/siteCache.idx.php file so that you can get into the manager and clear the cache. The value in siteCache.idx.php will look something like this:

which you will want to change simply to: