Prevent path traversal in modConnectorResponse action param #13173

Closed
wants to merge 1 commit into
from

Projects

None yet

4 participants

@opengeek
Member

What does it do?

Prevents path traversal in the action parameter of modConnectorResponse.

Why is it needed?

To prevent users from accessing processors in unintended locations.

Related issue(s)/PR(s)

Not applicable.

Thanks to @Fi1osof for a security report describing the problem and the solution.

@opengeek opengeek added this to the v2.5.2 milestone Nov 13, 2016
@azernov
azernov commented Nov 14, 2016

What about modx.config.js.php and processor config.js.php? He will be never found.

@Mark-H
Collaborator
Mark-H commented Nov 14, 2016

Merged into 2.5.x 9f16dbb

@Mark-H Mark-H closed this Nov 14, 2016
@Mark-H Mark-H reopened this Nov 14, 2016
@opengeek
Member

Good point @azernov — we will have to improve the regex a bit...

@azernov
azernov commented Nov 14, 2016

@opengeek As i remember - config.js.php - is one processor with dot in name. May be it will be simpler to rename it to configjs.php?

@Mark-H
Collaborator
Mark-H commented Nov 14, 2016

There's also lang.js.php, but that's all of them these days. We managed to get a slightly different regex to work though, see befef7e and let me know if you see any further issues with that.

@Mark-H Mark-H closed this Nov 14, 2016
@Mark-H Mark-H added a commit to Mark-H/revolution that referenced this pull request Nov 14, 2016
@Mark-H Mark-H Prevent path traversal in $modx->runProcessor
Similar to the patch in #13173, however specifically for processors executed via $modx->runProcessor. It's a lot harder to execute a successful path traversal through $modx->runProcessor as it's typically only used server-side without accepting user input. But, here you go.
6040f64
@opengeek opengeek added a commit that referenced this pull request Nov 14, 2016
@opengeek opengeek Merge branch '2.5.x' into 2.x
* 2.5.x:
  MODX Revolution 2.5.2-pl
  [SECURITY] Hide critical settings in MODx.config [#13170]
  Prevent local file inclusion/traversal/manipulation
  Prevent path traversal in $modx->runProcessor
  Prevent unauthenticated access to processors
  Force all scalar expressions to be a primary key
  Fix path traversal regex to allow modx.config.js.php to still work #13173 (comment)
  Update changelog and build properties for 2.5.1 release
  Update changelog
  Remove statement causing loop in unit tests
  Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
  Revert "Fix getObject to prevent raw SQL string from being used as PK criteria"
  Fix isValidClause check for certain injections
  Revert the breaking change related to xPDOQuery->sortby (067cb74), while keeping the fixes for sort direction and limit.
  Prevent path traversal in modConnectorResponse action param
  Add catch-all SQL Injection Detection to xPDOQuery->prepare
  SQL injections in ORDER BY and LIMIT clauses
  Possible fix for blind SQL injection
43c4615
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment