Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2014-10-02 13:34:39

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,373

Textpattern 4.5.5 Cross Site Scripting

Textpattern 4.5.5 Cross Site Scripting

… the moral of the story is: lose the setup folder and/or upgrade to 4.5.7

Offline

#2 2014-10-02 14:09:47

michaelkpate
Moderator
From: Avon Park, FL
Registered: 2004-02-24
Posts: 1,379
Website GitHub Mastodon

Re: Textpattern 4.5.5 Cross Site Scripting

My general installation technique is …

1 Unzip the current copy of the textpattern archive on my desktop. If there is an existing one, I delete it first.

2 Fire up Filezilla and copy the folder to the server

3 Run the installer

4 When I get to the config.php step, I open up the config-dist.php and replace the contents

5 Then I rename that to config.php and copy it to the server

6 Log into the new install and go to the diagnostics

7 Fix the problems – which is always going to be delete the setup folder if nothing else

Leaving the setup folder has been recommended against since 2004.

Offline

#3 2014-10-02 15:20:43

kuopassa
Plugin Author
From: Porvoo, Finland
Registered: 2008-12-03
Posts: 238
Website

Re: Textpattern 4.5.5 Cross Site Scripting

I wonder why Textpattern doesn’t have some cleanup function after installing the software successfully. Should be quite easy to delete the setup folder after for example when admin logs in to Textpattern for the first time.

Offline

#4 2014-10-02 15:40:28

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,448
Website GitHub

Re: Textpattern 4.5.5 Cross Site Scripting

kuopassa wrote #284451:

I wonder why Textpattern doesn’t have some cleanup function after installing the software successfully.

One word: permissions. The same reason we don’t automatically create config.php on your behalf. Technically we could, but the amount of effort required to make sure it goes smoothly and doesn’t open up the file to reading is quite high for a low return. I’m guessing here, but maybe multi-site users run setup more than once too?

I do agree that it might be nice to offer a few options, perhaps at the end of the setup routine. It says words to the effect of “don’t forget to remove the setup folder” yet there’s nothing to prevent us at least trying to remove it right there, only informing the admin with that message if it can’t and urging them to do it manually. Or even some checkbox at some point during setup: “Try to remove setup folder on successful completion?”

The same sort of thing goes for creating config.php. We could probably try and if it fails for some reason, offer the “Please copy and paste…” message and “I did it” buttons.

If you get a bit of spare time, how about you try it and send us a patch? I’ll gladly consider anything that makes it easier for people to setup and run a secure Textpattern environment.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#5 2014-10-02 15:45:54

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,538
Website GitHub Twitter

Offline

#6 2014-10-02 15:56:07

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,448
Website GitHub

Re: Textpattern 4.5.5 Cross Site Scripting

Dragondz wrote #284453:

Improve install…

Thanks Dragondz, I knew I’d seen a thread about it somewhere before. Both Robert and Jukka make valid points above and beyond mere permissions.

As you say, perhaps just creating config.php in isolation isn’t smart. But perhaps in tandem with a “remove setup folder” feature, it might have more merit.

We do have a few additional measures and checks in place now. For example, setup won’t continue if config.php exists. If we were to attempt automatic creation, the script should fail if it already exists: it should never overwrite the file if it’s already there and should abort gracefully with a ‘back’ link, like it does now. Try it. Start the process and on step 2, create config.php then try moving forward a step. It should (haha, hopefully) stop. Although maybe that check only occurs from Step 1->2, I can’t remember.

Either way, nothing’s insurmountable. With some cleverness I don’t see a reason why we can’t at least try creating config.php and finding a way to delete setup, while maintaining a secure setup procedure and easing the burden on the admin too. One simple way might be to add a link on the Diagnostics panel next to the ‘setup exists’ warning which attempts to remove it, letting you know if it can’t manage it.

Perhaps if you still have your patch around, you could modify it and harden it? Or share it so someone else might do so? I’d also like to hear from anyone who doesn’t want the setup folder removed automatically. That might determine if we just try automatically or offer an option. Or not bother.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#7 2014-10-03 11:13:48

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,260
GitHub

Re: Textpattern 4.5.5 Cross Site Scripting

Which was the revisiob that fixed the bug, Stef? I couldn’t see anything obvious – or was that the point?

Offline

Board footer

Powered by FluxBB