MODx CMF

Infinite loop possible during install

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 0.9.6.2, 0.9.6.3-rc1, 0.9.6.3-rc2, 0.9.6.3
  • Fix Version/s: Evolution-1.0.0-rc2
  • Component/s: Installation
  • Description:
    Hide

    Pardon me if I'm not doing this right or I am int wrong area, but I was invited to report this through a MODx forum posting (http://modxcms.com/forums/index.php/topic,29228.0.html) by a Coding Team member.

    My forum message: "Since this is a Release Support forum for version 0.9.6.2, I would make a note to viewers more qualified than myself to address this installation issue: The initial if block in install/index.php is weak in that if session handling is broken, the procedure to (1) set a session variable; (2) call itself; (3) test if the session variable exists; and (4) call itself again if the session variable does not exist leads to recursion with no hope for a break. As it did in my case."

    Show
    Pardon me if I'm not doing this right or I am int wrong area, but I was invited to report this through a MODx forum posting (http://modxcms.com/forums/index.php/topic,29228.0.html) by a Coding Team member. My forum message: "Since this is a Release Support forum for version 0.9.6.2, I would make a note to viewers more qualified than myself to address this installation issue: The initial if block in install/index.php is weak in that if session handling is broken, the procedure to (1) set a session variable; (2) call itself; (3) test if the session variable exists; and (4) call itself again if the session variable does not exist leads to recursion with no hope for a break. As it did in my case."
  • Environment:
    Windows XP; Firefox 3.0.3

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Phize added a comment - 03/Oct/08 9:48 PM

And it might become the cause of XSS vulnerability by 'echo' + $_SERVER['PHP_SELF'].
Using $_SERVER ['SCRIPT_NAME'] or 'htmlspecialchars()' + $_SERVER['PHP_SELF'] is more better.

Show
Phize added a comment - 03/Oct/08 9:48 PM And it might become the cause of XSS vulnerability by 'echo' + $_SERVER['PHP_SELF']. Using $_SERVER ['SCRIPT_NAME'] or 'htmlspecialchars()' + $_SERVER['PHP_SELF'] is more better.
Hide
Permalink
Jason Coward added a comment - 30/Dec/08 12:34 PM

I agree the system should just report an error and die if session handling is not valid in the environment.

Show
Jason Coward added a comment - 30/Dec/08 12:34 PM I agree the system should just report an error and die if session handling is not valid in the environment.

People

Dates

  • Created:
    30/Sep/08 5:00 PM
    Updated:
    11/Jul/09 9:06 AM
    Resolved:
    11/Jul/09 9:06 AM
Atlassian JIRA (v4.1.2#531) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for MODx CMS / xPDO. Try JIRA - bug tracking software for your team.