DaDaBIK logo DaDaBIK®

Blog

Security Risk, second patch. PLEASE UPGRADE!

Posted by Eugenio on 15 Nov 2010

Hi all,
a new beta version (DaDaBIK 4.3 beta3) has been released in order to solve the second problem I post about a few days ago, the one related to the use of the html content type. First of all it is better to highlight that the problem could arise not only with the html content type but also with the rich_editor field type (together with another content type than html); I think the rich_editor is usually used together with the html content type (it should be) but maybe someone used this in conjunction with other content types.

After having looked at some HTML sanitization libraries, I finally choosed htmLawed. It seems to me that at the moment htmlpurifier is the most effective one in recognizing malicious code, but it appears to me too complex, heavy and it also doesn't support PHP 4. htmLawed seems a good compromise.

The library is now used to filter the content (html content type and rich_editor field type) before displaying it. You must however keep in mind that, as the documentation states, there are some minor cases in which htmLawed can fail.
Since some people asked me about previous releases, as I already told in a comment, the security issues highlighted during the last days also affect the older releases of DaDaBIK and not just the last one.

See the changelog for other details. The documentation has also been updated; if you have read the on-line documentation this morning there was a mistake about the version was related to: the documentation content was the new one (related to 4.3 beta3, already patched with htmLawed) but it stated to be about the 4.3 beta2 (which is not patched with htmLawed) so be sure to read the right one (the on-line mistake has now been corrected) in order to avoid misunderstandings about the security problems that affect your version.



Ciao,

Security Risk, PLEASE UPGRADE!

Posted by Eugenio on 11 Nov 2010

Hi all,
last night I discovered an important security hole in DaDaBIK so I decided to immediately release a version 4.3 beta2 with the only purpose of partially fixing it. All the other bug fixes and new features are waiting for the version 4.3 rc1, avaiable in 1 or 2 weeks as expected.

Here is the problem: if in a DaDaBIK application the insert or edit feature was enabled (at least for one table) and a select_single field type was used (at least once, even in another table), a malicious user who had access to the application could in many cases insert in a listbox some arbitrary javascript code, which was then executed by other users just by using the application.
Among other problems, this could lead to XSS attack (http://en.wikipedia.org/wiki/Cross-site_scripting), which in turn could allow an unauthorized access to the application (http://en.wikipedia.org/wiki/Session_hijacking) and, if the Internet browser of the user contained security holes, even the execution of arbitrary code in the client machine.

The new 4.3 beta2 solves this problem. Even the DaDaBIK demo was affected and exploited by a malicious user; now it has been patched.

The problems described above can however occur even when the insert or edit feature was enabled (at least for one table) and the HTML content type is used; at the moment there isn't a patch for this second scenario, so the HTML content type should be used very carefully, as highlighted in the upgraded documentation. In the next few days, I would like to use something like http://htmlpurifier.org to allow the users to insert html text without security problems.

The 4.3 beta2 also fixes another minor GUI bug, as you can read from the changelog.

Ciao,

Is DaDaBIK still used with non-MySQL DBMSs?

Posted by Eugenio on 9 Nov 2010

Starting with the last 4.3 beta, the users can register the installation of DaDaBIK; I receive information about DBMS type and DaDaBIK version.
97 installations have been registered so far and these are the statistics about the DBMSs usage:
MySQL: 95 installations
PostgreSQL: 2 installations
Oracle: 0 installations
MS SQL Server: 0 installations

97 is (statistically) still a small number but I'm wondering if DaDaBIK is still used with non-MySQL DBMSs....maybe the tipical Oracle or MS SQL Server user doesn't work much with PHP but I think that it's not true for a PostgreSQL user.

I decided to dedicate some time in future to test DaDaBIK with other DBMSs (SQLite and DB2) but if everybody's using MySQL I don't know if it's still a good idea.

New admin section, new release soon

Posted by Eugenio on 28 Oct 2010

Hi,
I have finished the redesign of the admin section: new look, some improvements in the interface, in-line help for the interface configurator.

This will be released soon with DaDaBIK 4.3 release candidate 1, together with an improved documentation and a new enterprise-oriented demo (an invoicing system) that I'm developing.

Stay tuned!

Demo cleaned-up and downloadable

Posted by Eugenio on 22 Oct 2010

Hi,
I've cleaned and improved a bit the demo section in order to show easily some DaDaBIK features.

I've also made a downloadable version of the demo. This can be a good learning tool, looking at the configuration/settings you can easy learn by example how to get the same result. Instructions on how to install the demo included in the downloaded file. Available just for MySQL.

Ciao,

Page 17 of 27
<  11  12  13  14  15  16  17  18  19  20  >  

Top