modx Japan フォーラム

Re: MODx デモサイト

2010-09-02T03:24:41+09:00

Evoデモサイトのバージョンを MODx Evolution 1.0.4J-r2 に変更しました

Re: MODx 1.0.4 日本語版 revision2のリリースを準備中です

2010-09-01T23:47:28+09:00

http://modxcms-jp.com/news/2010/0901.html
リリースしました。

Re: MODx 2.0 Revolution 日本語版のリリースを準備中です

2010-09-01T19:35:54+09:00

Revoデモサイトも2.0正式リリース版に差し替えました。

viewtopic.php?f=20&t=369

Re: MODx Revolution 2.0.0 デモサイト

2010-09-01T19:31:14+09:00

MODx Revoデモ環境をMODx Revolution 2.0.0Jに変更しました

Re: MODx 1.0.4 日本語版 revision2のリリースを準備中です

2010-09-01T17:37:57+09:00

すいません、もう一回RCを出します。

・アップデート可能な状態でない時は新規インストールのオプションのみ表示する
・インストールされるmm_rules.tplのチャンク名を「mm_rules」から「mm_demo_rules」に変更(アップデート時の上書き事故を防ぐため)
・管理画面内で用いるJavaScriptや画像を圧縮し軽量化
・管理画面のスタイルシートを圧縮。ローカルの計測値では1.5秒前後の読み込み時間が半分以下に短縮
・
...

Re: MODx 2.0 Revolution 日本語版のリリースを準備中です

2010-09-01T13:29:29+09:00

http://modxcms-jp.com/news/2010/0901-revo.html
RC2そのままでアーカイブ名だけ変更して正式リリースしました。今回は内外いろんな人のいろんな協力があって楽しかったです。ありがとうございました。

Re: 【要望】ファイル管理のファイルサイズ上限を超えた場合のエラー表示について

2010-09-01T08:02:09+09:00

soushi さんが書きました:max_execution_time：php実行のタイムアウト
max_input_time：POST等入力のタイムアウト

ヘルプのsupportタブに追加してみます。

kmikageさんのヒントに追加
http://php.net/manual/ja/ini.core.php

引用: POSTデータの大きさが、post_max_sizeより大きい場合、 $_POST と $_FILES

...

Re: 【要望】ファイル管理のファイルサイズ上限を超えた場合のエラー表示について

2010-09-01T03:29:12+09:00

soushiです。

関係するかもしれないので補足です。
データをPOSTして処理をする際、指定した時間が経過するとphpの処理が中断されます。
(HTTP500エラーを返すんでしたっけ…うろ覚えです)

phpの設定では以下が関係するところです。

max_execution_time：php実行のタイムアウト
max_input_time：POST等入力のタイムアウト

それ以外に上位にproxyがいると、そちらのタイムアウト設定も絡んでくるので少々面倒な場合もあるかもしれません。
ただ、最近は結構回線速度は速いのでよほど大きいサイズじゃない限りタイムアウトにはならないと思います。
...

Re: MODx 1.0.4 日本語版 revision2のリリースを準備中です

2010-09-01T03:16:33+09:00

soushiです。

phpの警告を画面に出力する設定を行っている場合に画面にエラーが表示され、MODx管理画面にログインできない問題を修正しました。

http://code.google.com/p/modx-ja/issues ... pe%20Owner

取り急ぎ報告まで。

Re: WebLoginPEについて教えてください。

2010-08-31T21:22:43+09:00

WebLoginPE132betaからWebLoginPE1.3.1にしたところ無事に表示する事が出来ました。
beta版だとエラーが出るみたいですがこの先もWebLoginPEを使っていても問題ないのでしょうか？
あと、日本語言語ファイルはもー存在しないのでしょうか？
とりあえず解決したので解決マーク付けときますね。

modxcms.com maintenance downtime (6PM CDT August 2, 2010)

2010-08-03T06:18:48+09:00

We are going to be attempting the first in a series of infrastructure upgrades starting this evening at 6PM CDT and lasting for about an hour. During this time, you will not be able to login to or use any of the services on modxcms.com or svn.modxcms.com that require a login, except for the forums; the forums will not be affected.

Sorry for any inconvenience this may cause you, but we think you'll like the coming improvements.

Re: The Revolution Starts Now

2010-07-22T08:11:26+09:00

A special thanks goes out to Jason and Shaun who've poured so much into this. Raise a glass to them and here's to the future of MODx! Thank you two from the bottom of my heart.

The Revolution Starts Now

2010-07-22T08:05:16+09:00

After years in development, thousands of hours and over a million dollars in bootstrapped funds, we are proud to announce the release of MODx Revolution 2.0.

What’s New

MODx Revolution is a completely new MODx. It retains the soul of what makes MODx a great platform for building custom websites and rich applications, while enabling you to do more and to do them better.

MODx Revolution 2.0 is more powerful, can handle high-volume sites, and offers the ability to handle multiple sites and subdomains from one install.

There are too many new features and improvements in MODx Revolution to list every single one, so here are some we think you’ll love. You can find out more by trying it out or by reviewing the changelog.

MODx Revolution 2.0 can be used on much larger and expansive sites as it boasts better site performance from an all new caching system with ...

MODx Revolution 2.0 RC-3 Released

2010-07-08T04:10:51+09:00

MODx Revolution 2.0 RC-3 Released!

The MODx Team would like you to know that MODx Revolution 2.0 RC-3 is out and ready for download.

This will be the final RC release. The next release will be 2.0.0-pl, the final GA release.

There are 2 versions available:
Traditional (modx-2.0.0-rc-3.zip) - For regular users and users who don't have root/sudo access to their machine.
Advanced (modx-2.0.0-rc-3-advanced.zip) - For those who want a smaller download and compressed install and have root/sudo access to their machine.

Note: Revolution 2.0 (since Beta-5) requires PHP 5.1.1 and above.

What's new in Revolution 2.0.0 RC-3? (Read the full announcement)

German and Russian translations available
Added Form Customization ability to add new tabs, move TVs into different tabs
Translating of snippet properties now available
Added ago, fuz...

JIRA Issue Tracker Upgrade / Read-Only

2010-06-26T02:22:31+09:00

FYI:

We are upgrading the JIRA issue tracking software today and the issues will be read-only for a while. Thanks for your patience while we improve our support infrastructure.

Cheers,

-Jason

AjaxSearch upgrades in Evolution 1.0.4

2010-06-10T06:48:27+09:00

For users who are upgrading to Evolution 1.0.4 and use AjaxSearch with many of the default parameters and CSS you should review this guide to the changes in AjaxSearch 1.9.0: http://modxcms.com/forums/index.php/topic,49555.msg289027.html#msg289027

If you are having issues after upgrading to 1.0.4 on a live site with AjaxSearch, please post any questions you may have in the AjaxSearch forum.

Evolution 1.0.4 Out Now [Release Notes]

2010-06-08T19:50:16+09:00

Release Notes - MODx CMF - Version Evolution-1.0.4

Bug

MODX-1487 - Error when configuring database on initial install process
MODX-1753 - Help page within manager display issue
MODX-1818 - datagrid view irregular font size on Chrome
MODX-1829 - Incomplete install of 1.0.3 when legacy template selected
MODX-1833 - incorr?ct drawing module parameters of 'list-multi' type
MODX-1856 - Embedded PHP tags not working in snippets
MODX-1865 - 1.02 to 1.03 Upgrade Error - Templates: Incorrect integer value
MODX-1876 ...

MODx Evolution SQL Injection Vulnerability

2010-06-08T06:59:22+09:00

Product: MODx Evolution
Risk: Moderate
Versions: 1.0.3 and all previous releases
Vunerability type: SQL Injection
Report Date: 2010-May-28
Fixed Date: 2010-May-28

Description
Issue reported as HTB22412. Attacker could potentially compromise MODx Evolution via an unsanitized variable on the /manager/index.php.

No actual destructive exploit has yet been created or proven. The proof of concept offered on the htbridge.ch site, and variants, can only cause a SQL error to be displayed.

Affected Releases
All MODx 0.9.x/Evolution releases prior to and including MODx Evolution 1.0.3 are affected.

Solution
Upgrade to MODx Evolution 1.0.4 or later: http://modxcms.com/download.html#ga

Evolution 1.0.4 Out Now

2010-06-08T06:53:31+09:00

The MODx Team is pleased to announce our latest version of our classic codebase. 1.0.4 is mainly a bugfix and security release. A security fix closes a potential vector that could lead to compromises with prior MODx releases. As usual the MODx team recommends upgrading your MODx installs.

Some highlights:

Almost 50 updates including enhancements, bugfixes and the security fixes.
Updated Add-ons and languages throughout
Preview now uses friendly URLs if they are enabled.
Added Duplicate button to Resource edit page.

Download: http://modxcms.com/download/#ga
Discuss: http://modxcms.com/forums/index.php/board,391.0.html
Complete Changelog: http://svn.modxcms.com/jira/secure/ReleaseNote.jspa?projectId=10001&styleName=Html&version=10191
Security Announcement: http://modxcms.com/forums/index.php/topic,50207.0.html

MODx Revolution 2.0 RC-2 Released

2010-05-28T07:15:45+09:00

MODx Revolution 2.0 RC-2 Released!

The MODx Team would like you to know that MODx Revolution 2.0 RC-2 is out and ready for download.

There are 2 versions available:
Traditional (modx-2.0.0-rc-2.zip) - For regular users and users who don't have root/sudo access to their machine.
Advanced (modx-2.0.0-rc-2-advanced.zip) - For those who want a smaller download and compressed install and have root/sudo access to their machine.

Note: Revolution 2.0 (since Beta-5) requires PHP 5.1.1 and above.

What's new in Revolution 2.0.0 RC-2? (Read the full announcement)

Vastly improved and more detailed PDO checks in setup
Lots of speed and performance optimizations for manager UI, faster response times, and update to ExtJS 3.2.1
Elements can now be restricted by Access Control Lists on their Categories
Lexicons refactored; now file-based a...

Re: Evo 1.0.3 released ... No foolin'!

2010-04-02T12:15:02+09:00

Also note, some non-English Tiny MCE users may experience issues that will be resolved in later updates. For more information, please see the following topic for workarounds:

http://modxcms.com/forums/index.php/topic,47506.msg280192.html#msg280192

Security updates in MODx Evolution 1.0.3. You really should upgrade.

2010-04-02T12:11:06+09:00

The MODx Evolution 1.0.3 release addresses a number of reported security vulnerabilities with previous MODx Evolution 1.0.2 and earlier releases:

XSS possibilities with the SearchHighlight plugin (used by AjaxSearch) as reported in JVN#19774883 and JVN#46669729
Unwanted information disclosure about the site structure in the TinyMCE plugin
SQL Injection via WebLogin

We strongly recommend that anyone running previous versions of MODx Evolution (including 0.9.x releases) consider Evolution 1.0.3 a mandatory upgrade.

Ddownload MODx Evolution 1.0.3: http://modxcms.com/download/

Details of other improvements introduced in the 1.0.3 release can be found here: http://modxcms.com/forums/index.php/topic,47756.0.html

MODx CMS Japan 日本公式フォーラム (Official Forums)

2009-08-20T19:59:31+09:00

2009年9月から、MODx CMS Japan 日本公式フォーラムがスタートします！
(MODx CMS Japan official forum starts in September 2009.)

日本公式フォーラムに関する事前アナウンス(Announce)
http://modxcms.com/forums/index.php/topic,38596.0.html

===== MODx CMS Japan Official Forum =====

トップページ(Top Page) http://modxcms-jp.com/bb/
RSSフィード(RSS Feed) http://modxcms-jp.com/bb/rss.php?mode=posts

===== Category / SubForum =====

コミュニティ(Community)　http://modxcms-jp.com/bb/viewforum.php?f=18

セキュリティ情報(Security)　http://modxcms-jp.com/bb/viewforum.php?f=33
お知らせ(Information)　http://modxcms-jp.com/bb/viewforum.php?f=19
雑談(Off-topic)　[url=http://modxcms...

Security Fix for MODx Revolution 2.0-beta2 (and beta1)

2009-07-24T04:28:34+09:00

There has been a reported security vulnerability for MODx Revolution 2.0 beta1 and beta2.

We have committed a temporary fix until we hit the root of the issue, which is a problem with the modAccessibleObject and Context Policy loading.

SVN users, to fix this vulnerability, please update to r5505.

Non-SVN users, please make the changes as illustrated here:
http://svn.modxcms.com/crucible/changelog/modx/?cs=5501

and here:
http://svn.modxcms.com/crucible/changelog/modx/?cs=5505

Again, MODx recommends that you not use any beta products on shared or public servers without acknowledging the risk of potential undiscovered vulnerabilities. If you do choose to use such products, MODx recommends using a restricted username and/or password that is limited only to the MODx install. This also applies to file and user permissions.

We apologize for any inconvience this might have caused.

Re: Reflect RFI Exploit

2008-11-25T07:46:49+09:00

The permanent solution is in fact to simply rename the reference snippet with a .txt extension or to remove them completely. They were included as a reference, and they have been removed from the current download distribution on the site.

Reflect RFI Exploit

2008-11-25T07:16:42+09:00

It has come to our attention that it's possible to compromise some sites with specific server configurations via the reference copy of the Reflect snippet installed by default at /assets/snippets/reflect/snippet.reflect.php

A temporary solution is to simply rename this file with a .txt extension in your website. We are working on confirming a permanent solution and will update this post as soon as possible with more details.

For more information see the Secunia advisory and the discussion on our forums.

0.9.6.2 HTTP_REFERER Checks and Potential CSRF Vulnerabilities

2008-09-17T02:45:11+09:00

Some potential CSRF (Cross Site Request Forgery) vulnerabilities that require a valid manager session were identified in MODx 0.9.6.1-p2 and earlier versions and as a result, a new security feature to help protect your content managers from these types of attacks has been introduced with the release of 0.9.6.2.

CSRF Potential
Details of the kinds of attacks these vulnerabilities make possible are available in the associated bug report: #MODX-206.

HTTP_REFERER Solution
To prevent a majority of these kinds of attacks, there is now a new option that can be manually enabled in the manager configuration entitled Validate HTTP_REFERER headers? (under Tools --> Configuration :: Site tab, at the very bottom). This new option activates a check to ensure requests are originating from the same domain as the site, and prevents access to critical manager actions by...

Re: Acknowledgment: [DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulner

2008-02-13T23:49:25+09:00

Based on further analysis there is one legitimate bug contained in the distribution that while we've not been able to find security vectors using the flaw, it is not inconceivable that a determined hacker could not do so. This lies with the search highlight plugin. To fix this, patch two lines starting near line 52 to as follows:

Code:

  $searched = strip_tags(urldecode($_REQUEST['searched'])); 
  $highlight = strip_tags(urldecode($_REQUEST['highlight']));

Alternately, you can simply disable the search highlight plugin entirely by logging into the manager and going to Resources > Manage Resources > Plugin tab. From there, click the Search Highlight plugin name in the list of names, then check the first checkbox near the top that says "Plugin Disabled" (or your relevant local language string).

The currently available build on the download page contains this patch. If you're running an existing site, the best option is to patch or disable the Search Highlight plugin per the above.

Acknowledgment: [DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulner

2008-02-09T01:27:53+09:00

The MODx team believes the following security notice is sophistical – plausible but misleading (some would refer to it as "FUD"). We are continuing further investigations.

[DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulnerabilities

To reproduce the security compromises listed above, a malicious hacker would first have to hijack a valid manager session, then convince someone to visit a link to the site with that session and their XSS content inserted. This could be of concern however in the instance when you have a large Manager User base of untrusted individuals. In either case, there are larger security implications.

For more information and discussion, please visit this thread in these forums. We do not have every server or browser combination under which we can test the above listed compromises, so we would tremendously appreciate assistance/confirmation . If you are able t...

Re: IMPORTANT: Two new vulnerabilities in 0.9.6.1

2008-01-23T04:21:09+09:00

admin note: clarified for those with feed readers who don't see the entire thread in context

The current download available at the MODx download site was replaced by a version containing the patches for 0961 in this thread. 0962 will also contain these patches as Jason mentioned. If you've not applied the security patch already (shame on you!), you can either grab it via the instructions listed above or just download the complete installer from the downloads page and install via the normal upgrade mode. If you're not running this latest patched version, now would be a very good time to upgrade.

Re: IMPORTANT: Two new vulnerabilities in 0.9.6.1

2008-01-03T04:52:42+09:00

FYI, trunk has been patched with solutions to both of these security fixes and I will be in the process of notifying all of the reporting services so they publish this information; see the original post for updated information.