
XXE Vulnerability #15237

Closed

dahua966 opened this issue Sep 16, 2020 · 7 comments · Fixed by #15238

Comments

@dahua966

dahua966 commented Sep 16, 2020

snipped

@Mark-H
Collaborator

Mark-H commented Sep 16, 2020

The email is security@modx.com. I'm not sure about that form (will get that checked), but publicly posting vulnerability details rather than asking somewhere on how to privately disclose if the first avenue doesn't work is... a little disappointing.

@Mark-H
Collaborator

Mark-H commented Sep 16, 2020

The security report form seems to work as expected, test email sent and arrived.

@Ruslan-Aleev
Collaborator

It seems to me that @dahua966 is talking about the page that is listed in the template for "Report a security vulnerability" on github. There is a page listed - https://modx.com/community/contribute/report-a-security-issue and it doesn't work.

@Mark-H
Collaborator

Mark-H commented Sep 16, 2020

@jaygilmore / @rthrash can you get the old URL https://modx.com/community/contribute/report-a-security-issue to redirect to the new form at https://modx.com/about/security-reports?

@Ruslan-Aleev Where are you seeing that URL? I'm only seeing a reference to security@modx.com in the CONTRIBUTING.md.

@Ruslan-Aleev
Collaborator

Ruslan-Aleev commented Sep 16, 2020

@Mark-H In the file https://github.com/modxcms/revolution/security/policy, you can go to it when creating a security issue.


@Mark-H
Collaborator

Mark-H commented Sep 16, 2020

Ah, there it is. Fixed, thanks.

@Mark-H
Collaborator

Mark-H commented Sep 16, 2020

Fixed in #15238 - @dahua966 if you want to take a look at that and confirm it resolves it that would be appreciated.

Mark-H added a commit to Mark-H/revolution that referenced this issue Sep 18, 2020
…e libxml entity loader [modxcms#15237]

The libxml_disable_entity_loader function is deprecated in PHP8, and the entity loader is automatically enabled on v2.9.0+ of libxml which may have been used pre-PHP8 as well. PHP8 comes with at least v2.9.0+ of libxml bundled, so this conditional covers both scenarios.

Ref: php/php-src#5867
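The following is an added example for this thread, not MODX code and not the modRestService change itself. It shows the pattern the commit message describes, toggling libxml's external entity loader only on PHP < 8 with libxml < 2.9.0, next to an XXE-prone parse that passes LIBXML_NOENT. The probe document, the marker string, the temporary file and the function names (buildProbe, parseXmlUnsafe, parseXmlSafe, leaksMarker) are all constructed for this example; the only library calls are the libxml and SimpleXML functions that ship with PHP.

```php
<?php
declare(strict_types=1);

// Added example (not MODX code): a constructed XXE probe parsed two ways, the
// second following the conditional entity-loader handling from the commit above.

const MARKER = 'SECRET-MARKER-7f3a';

/** Build a constructed XXE probe whose external entity points at a local file. */
function buildProbe(string $path): string
{
    // Assumes a POSIX path, so "file://" . $path is a valid file URI.
    $template = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file://%s">
]>
<data><value>&xxe;</value></data>
XML;
    return sprintf($template, $path);
}

/**
 * XXE-prone form: LIBXML_NOENT asks libxml to substitute entities, which also
 * fetches the external one declared in the DTD whenever the loader is active.
 * On an older libxml with the loader enabled, the file contents land in <value>.
 */
function parseXmlUnsafe(string $xml): ?SimpleXMLElement
{
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NOENT);
    return $doc === false ? null : $doc;
}

/**
 * Hardened form: never pass LIBXML_NOENT, pass LIBXML_NONET to forbid network
 * fetches during the parse, and on PHP < 8 with libxml < 2.9.0 switch the
 * external entity loader off for the duration of the parse. The flag is
 * process-global, so the previous value is restored afterwards.
 */
function parseXmlSafe(string $xml): ?SimpleXMLElement
{
    // libxml_disable_entity_loader() is deprecated in PHP 8.0 and is not needed
    // with libxml >= 2.9.0, so it is only called where both conditions hold.
    $toggleLoader = PHP_VERSION_ID < 80000 && LIBXML_VERSION < 20900;
    $previousLoader = $toggleLoader ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        return $doc === false ? null : $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($toggleLoader) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

/** True if the parsed <value> element contains the marker from the probed file. */
function leaksMarker(callable $parser, string $xml): bool
{
    $doc = $parser($xml);
    return $doc !== null && strpos((string) $doc->value, MARKER) !== false;
}

// Constructed target file for the probe; removed again at the end.
$target = tempnam(sys_get_temp_dir(), 'xxe');
file_put_contents($target, MARKER);
$probe = buildProbe($target);

printf("PHP %s, libxml %s\n", PHP_VERSION, LIBXML_DOTTED_VERSION);
printf("unsafe parse leaks file contents: %s\n", leaksMarker('parseXmlUnsafe', $probe) ? 'yes' : 'no');
printf("hardened parse leaks file contents: %s\n", leaksMarker('parseXmlSafe', $probe) ? 'yes' : 'no');
unlink($target);
```

Run it with `php xxe-probe.php` on the PHP/libxml combination you deploy. The version check only decides whether the deprecated function is called; what keeps the hardened parser safe on every version is that it never requests entity substitution with LIBXML_NOENT, since passing that flag re-enables the substitution that libxml 2.9.0 turned off by default. Where a process-wide guarantee is wanted on PHP 8, libxml_set_external_entity_loader() with a resolver that returns null blocks every external load regardless of parse flags.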
opengeek added a commit that referenced this issue Sep 21, 2020
Merge remote-tracking branch 'origin/pr/15238' into 2.x

* origin/pr/15238:
  Prevent potential XXE vulnerability in modRestService by disabling the libxml entity loader [#15237]