Blog

Security alert - please change your password

Posted by Eugenio on 7 Mar 2017

Dear all,
we have detected an intrusion in our server. The attackers were able to upload PHP files containing malicious code. We don't know exactly when this happened; the files could potentially have been uploaded a long time ago.

We don't know whether the attackers actually accessed our database, but they potentially could have, which means they could have accessed the data related to the forum users.

The forum platform we are using (http://phorum.org) stores passwords using md5, which means passwords are hashed, but, especially if the password is a common word or a simple variation / combination of common words, it could be recovered using an attack based on rainbow tables (https://en.wikipedia.org/wiki/Rainbow_table).

Your forum password, therefore, could potentially have been recovered and your forum account could have been accessed by someone else; please keep this in mind, especially if you have shared sensitive information using forum private messages.

I have personally re-written some of the Phorum code in order to implement a much more secure approach: passwords are now encrypted with a SALT, which makes it infeasible to use a rainbow table. In addition to other security measures we have put in place, our website (the main URL is now dadabik.com, with dadabik.org redirecting to dadabik.com) now uses HTTPS browsing by default.
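As an added illustration (not Phorum's code and not the rewrite described above; written in Python rather than PHP), the block below contrasts the two storage schemes this post contrasts: an unsalted md5 digest, which a precomputed table of common words turns back into the password with a single lookup, and a salted, iterated hash (PBKDF2-HMAC-SHA256, used here as a stand-in for the salted scheme mentioned above), which gives every user a different digest and so makes precomputed tables useless. It also shows how a legacy record can be detected and upgraded, assuming the old value is a bare 32-hex md5 and that the upgrade happens on a successful login, which is the same reason this post asks everyone to log in: the plaintext is only available at that moment. The word list and the stored-record format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed list standing in for the "common words" a precomputed table covers.
COMMON_WORDS = ["password", "letmein", "qwerty", "dadabik", "summer2016"]


def md5_unsalted(password):
    """Legacy storage: plain md5 of the password. Every user who picked the
    same word gets the same digest, so one precomputation serves all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Attacker-side precomputation (toy stand-in for a rainbow table)."""
    return {md5_unsalted(w): w for w in words}


def recover_from_table(stored, table):
    """One dictionary lookup per stolen unsalted hash; None if not covered."""
    return table.get(stored)


def hash_with_salt(password, salt=None, iterations=100_000):
    """Salted, iterated storage (PBKDF2-HMAC-SHA256). Record format assumed here:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy_md5(stored):
    """A bare 32-hex-character value is the old unsalted format."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def login_and_migrate(password, stored):
    """Return (ok, new_stored). On a legacy record, check the md5 and, if it
    matches, upgrade the record to the salted format using the password the
    user just presented; salted records are verified as usual."""
    if is_legacy_md5(stored):
        if hmac.compare_digest(md5_unsalted(password), stored.lower()):
            return True, hash_with_salt(password)
        return False, stored
    return verify_salted(password, stored), stored


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    print("unsalted md5 of 'letmein' ->", recover_from_table(md5_unsalted("letmein"), table))
    print("salted record for 'letmein' ->", recover_from_table(hash_with_salt("letmein"), table))
    print("two users, same password, different records:",
          hash_with_salt("letmein") != hash_with_salt("letmein"))
```

Two points the post leaves implicit: md5 is a hash, not encryption, so the attack is guessing plus comparison rather than decryption, and a salt only stops reuse of precomputed work. An attacker holding a salted digest can still guess each account individually, which is why the digest above is also iterated (PBKDF2 here; PHP's password_hash() gives the same protection with bcrypt) so that every guess costs more.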

Please log in to the forum and change your password: this is the only way to ensure your password will be stored using the new system. If you log in to the forum, the system will actually force you to change your password.
Please also consider changing your password for any other service where you used the same password as for the forum.

I am very sorry for the inconvenience; we have worked hard to prevent the same problem from occurring in the future.

Best,
Eugenio Tacchini
DaDaBIK Founder

DaDaBIK 7.3.3 is out, vulnerabilities fixed

Posted by Eugenio on 26 Jul 2016

Dear all,
DaDaBIK 7.3.3 is out.

This is a maintenance release that fixes an important vulnerability discovered in the last few days.

First of all, the vulnerability we fixed with DaDaBIK 7.3 (back in May) was even worse than we described: in addition to what we said, an authenticated user (or a user of a DaDaBIK application having authentication disabled) could execute arbitrary SQL queries (even INSERT/DELETE/UPDATE) on the DaDaBIK database (or on other databases, if the database user used by DaDaBIK had the needed permissions).

The vulnerability WAS actually fixed with DaDaBIK 7.3. Another similar vulnerability, however, was found in the last few days; this one is fixed by 7.3.3. Again, the vulnerability allowed an attacker to execute arbitrary queries on the DaDaBIK database or on other databases (if the database user used by DaDaBIK had the needed permissions). In this case, if authentication was enabled, the attacker not only needed to be authenticated to exploit the vulnerability, but also needed to belong to the administrators group.

This will probably be the last 7.x version; as you can see, we have focused on security in the last few weeks, while the upcoming version 8 will have many BIG new features.

Version 8 will probably be published in Autumn, for sure before the end of 2016, so if you buy DaDaBIK 7.3.3 PRO or ENTERPRISE now, you'll get DaDaBIK 8 as a free upgrade.

As usual, if you are in your free upgrade timeframe (1 year for DaDaBIK Enterprise, 6 months for DaDaBIK PRO), you can request your free copy from the upgrade page.

If you have a DaDaBIK ENTERPRISE license and you are out of your free upgrade timeframe, you can also get DaDaBIK 7.3.3 by purchasing a maintenance license (€65), which also provides you with an additional year of free upgrade (email support@dadabik.org to get the instructions).

One more thing: during the last months we have experienced a problem with our mailing system, due to a technical incompatibility between Sendy (the tool we use to send newsletters) and the CURL version used by our hosting provider. The problem is now fixed, but the result is that some users (fortunately just a small fraction) haven't received one or more newsletters. Since some of them were related to important security issues, please check the blog page to get informed about our past communications. I also suggest you follow DaDaBIK on Facebook and Twitter, where we always post important news.

Best,

Eugenio Tacchini
DaDaBIK founder

DaDaBIK 7.3.2 is out

Posted by Eugenio on 6 Jul 2016

Dear all,
DaDaBIK 7.3.2 is out. This version fixes some bugs, most of them related to the "export to CSV" feature. Apart from the bugs fixed, performance has also been improved: the gain depends on the number of columns, but for a typical table the CSV build process can be 7x faster than before. See the change log for all the details.

As usual, if you are in your free upgrade timeframe (1 year for DaDaBIK Enterprise, 6 months for DaDaBIK PRO), you can request your free copy from the upgrade page.

If you have a DaDaBIK ENTERPRISE license and you are out of your free upgrade timeframe, you can also get DaDaBIK 7.3.2 by purchasing a maintenance license (€65), which also provides you with an additional year of free upgrade (email support@dadabik.org to get the instructions).

The development of DaDaBIK 8 is going well, thanks to everybody who contributed to the DaDaBIK 8 Desiderata and to the post about the GUI.

I am trying to understand more and more how people use DaDaBIK, in order to provide a V.8 in line with your current and future needs; if you like, I ask you to spend two minutes of your time writing to us (info@dadabik.org) to tell us something about the applications you have created with DaDaBIK (what they do, the kind of data you manage, the limitations you have found ...). If you also want to add a URL, even better.

Thanks!

Eugenio Tacchini
DaDaBIK founder

DaDaBIK 7.3.1 is out

Posted by Eugenio on 7 Jun 2016

Dear all,
DaDaBIK 7.3.1 is out. This version fixes a couple of bugs related to version 7.3 and clarifies a known bug in the documentation. See the change log for all the details.

If you don't want to go through the upgrade process, you can also apply the patches explained here, here and here. If you just apply the patches, your DaDaBIK installation will still appear to be a 7.3, but this doesn't affect how the application works.

I am working a lot on DaDaBIK 8, thanks to everybody who contributed to the DaDaBIK 8 Desiderata. Now most of the features that will be included in DaDaBIK 8 are clear in my mind. I still have some question marks about the graphic interface, therefore I wrote a post here to discuss the changes with you. It would be VERY useful if you commented on the post and wrote what you think.

Have a great summer,

Eugenio Tacchini
DaDaBIK founder

The new DaDaBIK 7.3 is out, an important vulnerability fixed

Posted by Eugenio on 24 May 2016

Dear all,
DaDaBIK 7.3 is out. This release fixes some bugs and adds a few new minor features.

In particular, it contains a fix for an important SQL injection vulnerability which allowed an authenticated attacker to see unauthorized data, even coming from a different database. It is very important for you to read all the details in the changelog. The fix for this vulnerability is also available as a separate patch here.
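The page shows none of DaDaBIK's code, so the block below is an added, generic Python/SQLite example (not DaDaBIK's code) for the vulnerability class named in this post and in the 7.3.3 announcement above: a query built by string concatenation beside its parameterized form, and a SELECT-only database account, simulated here with SQLite's authorizer hook, as the mitigation that limits what an injected query can do when the database user has more permissions than the application needs (the condition both posts mention). The table, rows, user names and search string are constructed for the example.

```python
import sqlite3

# Constructed sample data: each application user may only see their own rows.
SAMPLE_ROWS = [("Alice Corp", "alice"), ("Bob Ltd", "bob"), ("Carol SA", "carol")]

# Constructed search input that turns the concatenated WHERE clause into
# "owner = 'alice' AND name LIKE '%' OR 1=1" (the rest is commented out).
INJECTION = "' OR 1=1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO customers (name, owner) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_own_customers_unsafe(conn, user, search):
    """Vulnerable pattern: user input is spliced into the SQL text, so a
    crafted search string rewrites the WHERE clause and bypasses the owner check."""
    sql = ("SELECT name FROM customers WHERE owner = '" + user
           + "' AND name LIKE '%" + search + "%'")
    return sorted(row[0] for row in conn.execute(sql))


def find_own_customers_safe(conn, user, search):
    """Fixed pattern: the SQL text is constant; values travel as bound
    parameters and can never become SQL syntax."""
    sql = "SELECT name FROM customers WHERE owner = ? AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (user, "%" + search + "%")))


# Actions a read-only application account must not be able to perform.
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_ALTER_TABLE,
}


def restrict_to_read_only(conn):
    """Simulate a SELECT-only database account with SQLite's authorizer hook.
    On MySQL or PostgreSQL the equivalent is a dedicated role granted only SELECT
    on the application's schema, so an injected INSERT/UPDATE/DELETE is refused
    by the database itself."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def attempt_delete(conn):
    """Return True if the database refused the DELETE (least privilege held),
    False if it went through. Either way the demo data is rolled back."""
    try:
        conn.execute("DELETE FROM customers")
    except sqlite3.DatabaseError:
        conn.rollback()
        return True
    conn.rollback()
    return False


if __name__ == "__main__":
    conn = make_db()
    print("unsafe, injected search:", find_own_customers_unsafe(conn, "alice", INJECTION))
    print("safe, same input:       ", find_own_customers_safe(conn, "alice", INJECTION))
    print("DELETE refused before restriction:", attempt_delete(conn))
    restrict_to_read_only(conn)
    print("DELETE refused after restriction: ", attempt_delete(conn))
```

The parameterized query is the actual fix; the read-only account is defence in depth, and it is exactly what would have turned the "even INSERT/DELETE/UPDATE" case described in the 7.3.3 post into a read-only one. Neither replaces the other: a SELECT-only account still lets an injection read other users' (or other databases') data, which is the impact this post describes.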

In the changelog you will also find the other bugs fixed and the new features, including the possibility to change the language on the fly and an improved installation procedure (meaningful error messages, $site_url and $site_path not required anymore, ...).

As usual, if you are in your free upgrade timeframe (1 year for DaDaBIK Enterprise, 6 months for DaDaBIK PRO), you can request your free copy from the upgrade page. The upgrade process has been redesigned: you can now download the new version by yourself, without waiting for an email.

If you have a DaDaBIK ENTERPRISE license and you are out of your free upgrade timeframe, you can also get DaDaBIK 7.3 by purchasing a maintenance license (€65), which also provides you with an additional year of free upgrade (email support@dadabik.org to get the instructions).

Finally, DaDaBIK 8 is still under heavy development and the DaDaBIK 8 Desiderata document is still available for you to vote for the next features to implement and to propose additional features. Please take a few minutes to add your contribution.

Best,

Eugenio Tacchini
DaDaBIK founder

Page 10 of 28