Summary
The httpoxy vulnerability (https://httpoxy.org/) might have an impact on MODX or extras, depending on server configuration. This cannot be mitigated from PHP, but for Apache a .htaccess blob can help protect against it, so we could include that in the default ht.access.
Observed behavior
Certain aspects of MODX or third party components might be vulnerable. While I don't think MODX or the extras would be to blame, we can help guide people a little bit by adding mitigation into the standard ht.access file in the download.
Expected behavior
The following snippet could be included in the distributed ht.access, which would then automatically be applied when people set up friendly urls with it:
It'd probably need to have some comments explaining why it's necessary.
Environment
The snippet above is specific to Apache, taken from the official recommendations at https://httpoxy.org/#fix-now which also has snippets for nginx and others.
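As an added example (not the snippet from the original issue, which is not reproduced on this page, and not MODX's shipped ht.access), here is what a commented version of such a block could look like. It is built around the Apache directive that httpoxy.org recommends, `RequestHeader unset Proxy`, and assumes mod_headers is loaded and that the directory's `AllowOverride` includes `FileInfo`; the server-level variant with the `early` keyword is shown for people who control the vhost config rather than just a .htaccess.

```apacheconf
# --- Added example: httpoxy mitigation for an Apache .htaccess ---
# (illustrative block, not the ht.access distributed with MODX)
#
# Why: CGI, FastCGI and mod_php expose request headers to scripts as
# HTTP_<NAME> environment variables, so a client-supplied "Proxy: <host>"
# header shows up as HTTP_PROXY. Many HTTP client libraries honour HTTP_PROXY
# and would route outgoing requests through that host. No legitimate client
# sends a Proxy request header, so dropping it unconditionally is safe.
#
# Requirements (assumptions for this example): mod_headers is loaded, and the
# directory's AllowOverride includes FileInfo, otherwise Apache ignores the
# directive (or, without the IfModule guard, refuses the .htaccess entirely).
<IfModule mod_headers.c>
    # Remove the header before the handler (PHP, CGI) builds its environment.
    # Note: the IfModule guard keeps the file valid when mod_headers is absent,
    # but in that case there is no protection, so verify the module is present.
    RequestHeader unset Proxy
</IfModule>

# Equivalent for the main server config or a <VirtualHost> block, where the
# "early" keyword strips the header at the very start of request processing,
# matching the snippet on https://httpoxy.org/#fix-now:
#
#   RequestHeader unset Proxy early
```

To confirm the directive is effective, send a test request carrying a `Proxy:` header to a throwaway PHP page that dumps `$_SERVER` (or `getenv('HTTP_PROXY')`); after the change no `HTTP_PROXY` entry should appear. If it still does, the usual causes are mod_headers not being loaded or `AllowOverride` not granting `FileInfo` for that directory.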
I would argue this issue should be handled by your host. Adding this seems like a slippery slope, at what point do you stop adding security fixes to the .htaccess and make the host accountable?
I know cPanel added the fix, so any cPanel hosts that update their systems will be protected. If they don't update I would consider looking elsewhere.