Hide some critical setting in MODx.config #13170

Closed
4 participants

@Fi1osof
Contributor
Fi1osof commented Nov 4, 2016 edited

What does it do?

Hide some system settings like table_prefix, paths, dirs and passwords.

Why is it needed?

Critical! This info allows SQL injection via MODx.Ajax.

@Fi1osof Fi1osof changed the title from Update config.js.php to Hide some critical setting in MODx.config Nov 4, 2016
@Jako
Collaborator
Jako commented Nov 4, 2016

But you need manager credentials to access the processor. Are you sure that no core javascript uses any of those _path|_dir|pass settings?

@Mark-H
Collaborator
Mark-H commented Nov 4, 2016

Can you provide information about the security issue you mention to security@modx.com?

@Fi1osof
Contributor
Fi1osof commented Nov 4, 2016

@Jako, when we are authorized in the manager, we can find any select-prompted processor.

Are you sure that no core javascript uses any of those _path|_dir|pass settings?

I'm sure. Only URLs are needed. Paths are needed on the server side.

@Fi1osof
Contributor
Fi1osof commented Nov 4, 2016

@Mark-H sent.

@opengeek opengeek added a commit that referenced this pull request Nov 14, 2016
@opengeek opengeek [SECURITY] Hide critical settings in MODx.config [#13170]
- Update config.js.php
dd379ee
@opengeek opengeek added a commit that referenced this pull request Nov 14, 2016
@opengeek opengeek Merge branch '2.5.x' into 2.x
* 2.5.x:
  MODX Revolution 2.5.2-pl
  [SECURITY] Hide critical settings in MODx.config [#13170]
  Prevent local file inclusion/traversal/manipulation
  Prevent path traversal in $modx->runProcessor
  Prevent unauthenticated access to processors
  Force all scalar expressions to be a primary key
  Fix path traversal regex to allow modx.config.js.php to still work #13173 (comment)
  Update changelog and build properties for 2.5.1 release
  Update changelog
  Remove statement causing loop in unit tests
  Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
  Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
  Fix isValidClause check for certain injections
  Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
  Prevent path traversal in modConnectorResponse action param
  Add catch-all SQL Injection Detection to xPDOQuery->prepare
  SQL injections in ORDER BY and LIMIT clauses
  Possible fix for blind SQL injection
43c4615
@rtripault
Collaborator

This will break things for sure (see modxcms/Collections#220).

I'd rather type the critical (core) system settings rather than just ditch everything ending with _path or _dir
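To make the trade-off in this thread concrete, here is an added example (it is not the project's config.js.php and not code from anyone in this thread) that filters a constructed set of system settings in two ways before they are emitted as MODx.config: a suffix/keyword pattern in the spirit of the `_path|_dir|pass` idea above, and an explicit list of known-critical core settings as suggested in the comment above. The setting names, the regex, the denylist and the `myextra_icons_dir` setting are all illustrative assumptions, not the lists the project actually shipped.

```php
<?php
declare(strict_types=1);

// Constructed sample of system settings as they might sit in $modx->config.
// Values are placeholders, not real credentials or paths.
function sampleSettings(): array
{
    return [
        'site_url'          => 'https://example.com/',
        'manager_url'       => 'https://example.com/manager/',
        'assets_url'        => '/assets/',
        'base_path'         => '/srv/site/',
        'core_path'         => '/srv/site/core/',
        'assets_path'       => '/srv/site/assets/',
        'table_prefix'      => 'modx_',
        'mail_smtp_pass'    => 'placeholder',
        'compress_js'       => '1',
        // Hypothetical setting of a third-party extra whose manager JS needs it.
        'myextra_icons_dir' => '/assets/components/myextra/icons/',
    ];
}

// Approach A: drop every key matching a suffix/keyword pattern.
// The regex is an approximation of the _path|_dir|pass idea, plus table_prefix.
function filterByPattern(array $settings): array
{
    return array_filter(
        $settings,
        fn(string $key): bool => !preg_match('/(_path|_dir)$|pass|^table_prefix$/i', $key),
        ARRAY_FILTER_USE_KEY
    );
}

// Approach B: remove only an explicit, reviewed list of critical core settings.
// This list is illustrative, not the list the project finally used.
const CRITICAL_CORE_SETTINGS = [
    'base_path', 'core_path', 'assets_path', 'table_prefix', 'mail_smtp_pass',
];

function filterByDenylist(array $settings, array $denylist): array
{
    return array_diff_key($settings, array_flip($denylist));
}

// Emit the JS the manager would load. json_encode turns every value into a
// JS string literal, so a setting value cannot break out of the script.
function renderConfigJs(array $settings): string
{
    return 'MODx.config = ' . json_encode($settings) . ';';
}

$all = sampleSettings();
$byPattern  = filterByPattern($all);
$byDenylist = filterByDenylist($all, CRITICAL_CORE_SETTINGS);

printf("Pattern filter removed:  %s\n",
    implode(', ', array_keys(array_diff_key($all, $byPattern))));
printf("Denylist filter removed: %s\n",
    implode(', ', array_keys(array_diff_key($all, $byDenylist))));

// The pattern filter also strips myextra_icons_dir, which the extra's JS needs;
// the denylist keeps it while still hiding the core paths, prefix and password.
echo renderConfigJs($byDenylist), "\n";
```

Run with `php example.php` (PHP 7.4 or later for the arrow function). The pattern approach is the one that "breaks things": any extra that legitimately exposes a `_dir` or `_path` setting to its manager JS loses it. The denylist approach needs maintenance whenever a new sensitive core setting is introduced, but that is the approach that fails safe for third-party code, which is the point made in the comment above.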

@Mark-H Mark-H added a commit to Mark-H/revolution that referenced this pull request Nov 16, 2016
@Mark-H Mark-H Remove path related settings from MODx.config, reverting part of #13170 e3fecc0
@Mark-H
Collaborator
Mark-H commented Nov 16, 2016

I'm closing this pull request as it was merged into 2.5.x; not sure why it didn't mark as closed automatically.

A fix for the comment from Romain above is now in #13180

@Mark-H Mark-H closed this Nov 16, 2016
@Mark-H Mark-H referenced this pull request Nov 24, 2016: Fix unpacking #13183 (Closed)

@opengeek opengeek added a commit that referenced this pull request Dec 16, 2016
@opengeek opengeek More specific removal of critical settings in MODX.config
Merge remote-tracking branch 'origin/pr/13180' into 2.5.x

* origin/pr/13180:
  Remove path related settings from MODx.config, reverting part of #13170
2351cc1