broken theme

Added by Lars Fischer about 13 years ago

Hello,

my Redmine installation (1.0.5) and this official Redmine website are rendered to me without any theme. All I see is a "naked" textual site.

My installation used a different theme. After switching to the default theme, my Redmine is now rendered correctly.

How about the official Redmine site? Is it a problem on my side, or do other visitors see the same effect?

Best regards,
Lars


Replies (5)

RE: broken theme - Added by Felix Schäfer about 13 years ago

The theme is currently rendered correctly for me.

RE: broken theme - Added by Lars Fischer about 13 years ago

This is strange...

I updated to Redmine 1.1.0 and I still cannot use different themes. Only the default theme is rendered correctly. Using the alternate theme, I get a completely unstyled response.

I cleared the cache, used a different browser... "redmine.org" is also unstyled for me.

At the moment I'm at work and I will have to test it from a different location (at home).

Regards,
Lars

RE: broken theme - Added by Lars Fischer about 13 years ago

Hello,

I tested it at home: everything is fine. So I contacted our IT services at the office and they told me that our security scanners had detected a security problem on the site. This is why the CSS files are blocked.

I have no exact description, but I can tell you these points:

Attack Name: Web Client Protection Violation

Attack Information: Internet Explorer CSS recursive import memory corruption

Threat Description:        
Microsoft Internet Explorer is the most widely used Internet browser. 
A memory corruption vulnerability has been reported in the way Microsoft Internet Explorer parses HTML pages that contain recursive CSS import. 
The vulnerability is due to the creation of uninitialized memory during a CSS function within Internet Explorer. To trigger this issue, an attacker may create a malicious Web page that will cause Internet Explorer to exit unexpectedly. 
Successful exploitation of this vulnerability will crash the browser, and may allow execution of arbitrary code on the vulnerable system.      

http://www.checkpoint.com/defense/advisories/public/2010/cpai-23-Dec.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3971

I don't know if this is a false positive or if the Redmine theme uses some possibly critical things. Should I file a ticket for it?

Regards,
Lars

RE: broken theme - Added by Felix Schäfer about 13 years ago

I believe what the scanner has detected is the use of import statements from inside CSS files, so that a CSS file can require another. Unfortunately this is the way Redmine themes work so all can use common elements, and I don't think it will be easy to work around that, if possible at all with the current design.

Anyway, to get back to your problem: If you can install patches and are willing to maintain it on your system, I think I could walk you through installing a CSS minifier Rails plugin that could combine all CSS files Redmine uses into one, effectively nullifying the need for the incriminating import call and probably making them safe as per your firewall's guidelines. That would solve the problem only for your install. To make the redmine.org CSS stylesheets accessible to you would probably require your IT whitelisting redmine.org.
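
The approach described in the reply above, combining stylesheets so that no `@import` call remains, sketched as an added example that is not part of the original thread and is not the plugin Felix refers to. It inlines each import recursively and refuses import cycles; the file names and contents are constructed samples, and a hash stands in for reading files from disk.

```ruby
require "pathname"

# Matches @import url(x); @import url("x"); and @import "x";
# Imports followed by a media list (e.g. "screen") are not matched and stay as-is.
IMPORT_RE = /@import\s+(?:url\(\s*)?["']?([^"')\s;]+)["']?\s*\)?\s*;/i

class ImportCycleError < StandardError; end

# Resolve an import reference relative to the stylesheet that contains it.
def resolve(from, ref)
  Pathname.new(File.dirname(from)).join(ref).cleanpath.to_s
end

# sheets: Hash of path => CSS text (assumed stand-in for the files on disk).
# Returns the CSS of `path` with every matched @import replaced by the
# imported stylesheet's content. Raises ImportCycleError on a recursive import.
def flatten_css(sheets, path, stack = [])
  if stack.include?(path)
    raise ImportCycleError, "import cycle: #{(stack + [path]).join(' -> ')}"
  end
  css = sheets.fetch(path) { raise KeyError, "missing stylesheet: #{path}" }
  css.gsub(IMPORT_RE) do
    target = resolve(path, Regexp.last_match(1))
    "/* inlined #{target} */\n" + flatten_css(sheets, target, stack + [path])
  end
end

# Constructed sample input: a theme stylesheet that pulls in a shared base
# sheet, plus two sheets that import each other.
SAMPLE = {
  "stylesheets/application.css" => "body { color: #333; }\n",
  "themes/alternate/stylesheets/application.css" =>
    "@import url(../../../stylesheets/application.css);\nh1 { color: #900; }\n",
  "loop/a.css" => "@import \"b.css\";\n",
  "loop/b.css" => "@import url('a.css');\n",
}

if __FILE__ == $0
  puts flatten_css(SAMPLE, "themes/alternate/stylesheets/application.css")
  begin
    flatten_css(SAMPLE, "loop/a.css")
  rescue ImportCycleError => e
    puts "rejected: #{e.message}"
  end
end
```

The flattened output contains the base rules followed by the theme rules and no `@import` statement, so a content filter keyed on CSS imports has nothing left to match in it.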

RE: broken theme - Added by Lars Fischer about 13 years ago

Hello Felix,

I use Redmine for private projects. So there is no need for me to have access from my employer's office and no need to change my installation or some Redmine code.

I just wanted to inform someone to take care that there is no bug or security issue with Redmine.

Regards,
Lars
