Author Topic: MODx Security Fix [for 0.9.1]  (Read 18127 times)
netnoise
Coding Team
*
Posts: 212



WWW
« on: Apr 15, 2006, 11:46 AM »

This version of document.parser.inc.php fixes some issues in MODx which were published yesterday.
Please update your current 0.9.1 MODx installations as soon as possible.


How to patch
Open manager/includes/document.parser.class.inc.php in your favourite text editor and replace the function "getDocumentIdentifier" with the code below.

Code:
  function getDocumentIdentifier($method) {
    // function to test the query and find the retrieval method
    $docIdentifier= $this->config['site_start'];
    switch($method) {
      case "alias" :
        $docIdentifier= $this->db->escape($_REQUEST['q']);
      break;
      case "id" :
        if(!is_numeric($_REQUEST['id'])) {
          $this->messageQuit("ID passed in request is NaN!");
        } else {
          $docIdentifier= intval($_REQUEST['id']);
        }
      break;
      default :
      break;
    }
    return $docIdentifier;
  }
« Last Edit: Jul 03, 2006, 04:36 AM by PaulGregory » Logged

jwtyler
Member
**
Posts: 93


Hacking with minimal knowledge


WWW
« Reply #1 on: Apr 15, 2006, 12:21 PM »

I must have missed it. What exactly was the security issue? Repatching all the patches into the parser is not something I look forward to.
Logged
netnoise
Coding Team
*
Posts: 212



WWW
« Reply #2 on: Apr 15, 2006, 01:59 PM »

I am a non windows user myself (but recoded it to DOS CR/LF as the original one is ;-)

Quote
Since the document.parser.class.inc.php you posted includes a bunch of other changes slated for the next release
Oupsie, please see updated posting on top.
« Last Edit: Apr 15, 2006, 02:12 PM by netnoise » Logged

vbrilon
Coding Team
*
Posts: 256



« Reply #3 on: Apr 15, 2006, 02:27 PM »

Groovy! Thanks again for the quick catch.
Logged

vbrilon
Coding Team
*
Posts: 256



« Reply #4 on: Apr 15, 2006, 02:29 PM »

Quote
I must have missed it. What exactly was the security issue? Repatching all the patches into the parser is not something I look forward to.

No need to do that. Just replace the one function above.
Logged

TobyL
Coding Team
*
Posts: 812



« Reply #5 on: Apr 18, 2006, 08:00 AM »

Nice one, thank you.

Can anyone tell me where the message "ID passed in request is NaN!" will find a place in the language file?  It will be in there at some stage, won't it?  I'd like to make that update in an international installation without hardcoding the message in the parser class.

Oh, and a small coding question.  Does the
Code:
default :
      break;
serve any purpose?  In my simple brain it doesn't make any difference to the flow if you leave it out, so why is it there? Am I missing something?

Logged

rthrash
Foundation
*
Posts: 9,575



WWW
« Reply #6 on: Apr 18, 2006, 08:29 AM »

I think the default case is required. And thank you for pointing out the messages should probably go in the language files... can you log that  in our Bug (and Support/Feature request tracker), please?
Logged

MODx is a framework that allows web professionals to turn over sites to end-users for daily maintenance without worrying. Community participation and questions are encouraged, especially when you help us help you, read the wiki, and review snippet parameters – even if you have to look at the source. Searching the forums helps, too.
Ryan Thrash
MODx Co-Founder
Principal @ Collabpad
work productively.
work intelligently.
work together.
Nuker
Jr. Member
*
Posts: 11


I'm RUSSIAN!


« Reply #7 on: Apr 19, 2006, 06:34 AM »

If a user types ./index.php?id=24blablabla in the address field, they get an error message about a NaN resource.

Maybe this code is right?  The user gets only a 404 page.
Code:
/*cut*/
     if(!is_numeric($_REQUEST['id'])) {
      $docIdentifier= 0;
/*paste*/
Logged
sottwell
Documentation Team
*
Posts: 8,170



WWW
« Reply #8 on: Apr 19, 2006, 06:37 AM »

I just set it to return to the home page. No fuss, no bother.
Logged

sottwell.com has moved to a lovely Solaris 10 server!
Log in username guest, password guestuser.
Templates are now becoming available at http://sottwell.com/templates.html
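
The "id" branch of the patched function and the fallback behaviour discussed in the replies above, as an added example that is not part of the original thread or of MODx. The function names `patchedIdCheck` and `strictIdCheck`, the fallback value and the sample inputs are constructed for illustration. `is_numeric()` also accepts floats, exponent notation and negative numbers, which `intval()` then converts, so the stricter variant uses `filter_var()` and falls back to the start document instead of stopping with an error.

```php
<?php
// Added example, not MODx code. Mirrors the "id" branch of the patched
// getDocumentIdentifier() and compares it with a stricter integer check.

// Same logic as the patch: is_numeric() gate, then intval().
// Returns null where the patch would call messageQuit().
function patchedIdCheck($raw) {
    if (!is_numeric($raw)) {
        return null;
    }
    return intval($raw);
}

// Hypothetical stricter variant: only positive decimal integers pass.
// $fallback stands in for $this->config['site_start'] (the home page).
function strictIdCheck($raw, $fallback) {
    $id = filter_var(
        $raw,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1))
    );
    return ($id === false) ? $fallback : $id;
}

// Constructed sample values for the ?id= request parameter.
$samples = array('24', '24blablabla', '24.7', '1e3', '-5', '');

foreach ($samples as $raw) {
    printf(
        "%-16s patched=%-8s strict=%s\n",
        var_export($raw, true),
        var_export(patchedIdCheck($raw), true),
        var_export(strictIdCheck($raw, 1), true)
    );
}
```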
axiome
Jr. Member
*
Posts: 14


« Reply #9 on: Apr 21, 2006, 03:26 PM »

Does this bug exist in the special version for free.fr (ModX v0.9.O_Free_Edition)?
Logged
netnoise
Coding Team
*
Posts: 212



WWW
« Reply #10 on: Apr 21, 2006, 03:34 PM »

What is "ModX v0.9.O_Free_Edition"?
Logged

sottwell
Documentation Team
*
Posts: 8,170



WWW
« Reply #11 on: Apr 21, 2006, 03:40 PM »

I think it's an edition where the installer was patched to handle the French mysql error messages for the French "Free" hosting service. Davidm knows more about it.
Logged

Guillaume
Moderators
*
Posts: 711


The future is built today.


« Reply #12 on: Apr 21, 2006, 03:55 PM »

It is right, Sottwell.

Free is a French host which hosts websites for free. The disk space is big (1Go I think). There are some limitations, and most CMSs (or other PHP site builds) don't work naturally with Free. So it is necessary to patch this application.
Logged

Sorry for my English. I'm French... My dictionary is near me, but it's only a dictionary!
axiome
Jr. Member
*
Posts: 14


« Reply #13 on: Apr 21, 2006, 04:41 PM »

Thank you very much for your responses.
I confirm, Free is a host and it offers 1 Go of web space.
Sorry for my English.
Logged
davidm
Marketing & Design Team
*
Posts: 6,777


The best way to predict the future is to invent it


WWW
« Reply #14 on: Apr 21, 2006, 04:51 PM »

Quote
I think it's an edition where the installer was patched to handle the French mysql error messages for the French "Free" hosting service. Davidm knows more about it.

You can find the Free Edition thread here. Of course, it's in French, but you'll see there that this version has been downloaded almost 600 times....

Actually the problem with the MySQL error message happened with all French hosts set up to display error messages in French (which is now solved with the mysql Errno fix) ... Free was another problem which you helped me fix, Susan :
chmod "locked" by hosting at 700 and 644 : possible to run MODx ?

You might not remember but you helped me fix all the includes path, a pretty daunting task which I never updated for 0.9.1

Would it be fair to guess that patching MODx 0.9.0 document.parser.class is perfectly safe ?
Didn't check but was there a change here between 0.9.0 and 0.9.1 ?
« Last Edit: Apr 21, 2006, 05:02 PM by davidm » Logged

.: nodeo.net : For a free, modern and open web! :: david-molliere.net : Follow my experiments and posts on CMSs and other web applications "live" :.

*** Forums modxcms.fr Take part in building the French-language MODx site! ***

! New !  Live, don't miss the modxcms.fr news on Twitter   ! New !

MODx is the ideal tool for developers and web designers looking for a highly flexible and high-performance content management framework that remains easy to use for end users.

Config : Apache 2.2.8 - MySQL 5.0.45 - PHP 5.2.6 | Debian 4.0 (Etch)

Sites built with MODx : | pargade-notaires.fr | soleil.info | gican.asso.fr | michelez-notaires.com | amadom.gerondicap.com | jocelyne-violet.net