DaDaBIK 4.5 pl1 is out - security enhancement
Dear users,
a new version of DaDaBIK, 4.5 patch level 1, is available. This is mainly a security enhancement/maintenance release and, as usual, all the users who purchased v. 4.5 beta or v. 4.5 can have v. 4.5 pl1 for free writing an e-mail to payments @ dadabik.org having "free upgrade" as subject and forwarding the invoice or the payment receipt.
This version introduce quite a big change about passwords storage security: DaDaBIK used to store users' passwords using the encryption provided by md5(); while this approach allows for a first level of security, because passwords are not stored in clear text into the database, it does not prevent some type of attacks which a malicious user can do after having obtained the encrypted passwords, such as attacks based on pre-hashed lists or rainbow tables.
For this reason, DaDaBIK, as other popular Web applications such as WordPress did, moves to phpass for managing the password storage. phpass is a framework which supports three password hashing methods (CRYPT_BLOWFISH, CRYPT_EXT_DES and an md5-based method) and chooses the best one according to what the current system can provide. All three employ salting, stretching, and variable iteration counts. This change makes the attacks much more difficult to be successfully executed.
All the user are strongly encouraged to upgrade.
For the complete list of the bugs fixed you can check the Change log.
In the next few weeks I will post about version 5.0, which is probably going to be released in Fall 2012 and will contain an impressive number of new features, including a highly granular permissions manager. Stay tuned!
Ciao,
E.