Hi everyone, this is a bugfix release that addresses a blocker bug that occurred in some translations. It also fixes the problem introduced with the CSRF check that was implemented in 2.7, and it contains some important security fixes, so you are strongly asked to upgrade as soon as possible!
Download & Upgrade
To upgrade, just download the upgrade ZIP, extract it and upload the two files. Open install.php in your browser and let the script extract Bigace. Afterwards delete the previously uploaded files. Your system should now run 2.7.2.
If the script can't extract the files, extract them manually on your computer and upload them via FTP.
- Fixed encoding problem in language chooser (menu admin and menu creation)
- Fixed "generic form" which is used by extensions like FAQ
- Let MySQL decide the full-text index word length (changing the minimum word length no longer requires re-saving content)
- Use the minimum word length setting for the front end in the default design Blix
- A new CSRF check was implemented that is way better than the last approach (see below)
- Fixed multiple XSS problems (see below)
I implemented a new check that should work for everyone. For the interested: a security token (a long, random string) is created and stored in your session, which has a TTL (time-to-live) of 30 minutes after your last request. This token is added to forms and checked before data is saved. So an attacker would have to guess a random string of more than 32 characters, and do so within 30 minutes after you left the administration.... Now, decide for yourself how secure this is. If a developer has an even better solution, please contact me in the forum or here in the comments!
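The scheme described above, written out as an added example. This is not Bigace's own code; it assumes a token of 32 random bytes (64 hex characters), a session store passed in as an array (in a real request that would be $_SESSION), and the function names used here are illustrative.

```php
<?php
// Added example, not Bigace code: a session-bound CSRF token with an idle TTL,
// following the scheme described in the post (long random token kept in the
// session, expiring 30 minutes after the last request, embedded in every
// state-changing form and checked before data is saved).
// The session is passed in as an array so this runs from the CLI; in a web
// request you would pass $_SESSION. $now is injectable only to keep the demo
// deterministic.

const CSRF_TTL_SECONDS = 30 * 60;   // 30 minutes after the last request
const CSRF_TOKEN_BYTES = 32;        // 32 random bytes = 64 hex characters (assumed size)

// Return the current token, creating a fresh one if none exists or the old one
// has idled out. Every call slides the expiry forward ("after your last request").
function csrf_token(array &$session, ?int $now = null): string {
    $now = $now ?? time();
    $expired = !isset($session['csrf_token'], $session['csrf_expires'])
        || $session['csrf_expires'] < $now;
    if ($expired) {
        $session['csrf_token'] = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    }
    $session['csrf_expires'] = $now + CSRF_TTL_SECONDS;
    return $session['csrf_token'];
}

// Hidden input to drop into every form that changes state.
function csrf_field(array &$session, ?int $now = null): string {
    $token = htmlspecialchars(csrf_token($session, $now), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Check the token a POST carried against the session copy. hash_equals() is a
// constant-time comparison, so timing does not reveal how many leading
// characters matched; a missing or expired session token fails closed.
function csrf_check(array &$session, array $post, ?int $now = null): bool {
    $now = $now ?? time();
    if (!isset($session['csrf_token'], $session['csrf_expires'], $post['csrf_token'])) {
        return false;
    }
    if ($session['csrf_expires'] < $now) {
        unset($session['csrf_token'], $session['csrf_expires']);
        return false;
    }
    if (!is_string($post['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    $session['csrf_expires'] = $now + CSRF_TTL_SECONDS; // slide the idle window
    return true;
}

// --- demo run standing in for a request cycle (constructed data) ---
$session = [];                       // would be $_SESSION in a web request
$t0 = 1000000;                       // fixed clock so the run is repeatable
echo csrf_field($session, $t0), PHP_EOL;   // GET: render the form with the token

// Legitimate save: the browser posts back the token from the rendered form.
$post = ['csrf_token' => $session['csrf_token'], 'name' => 'site.title'];
echo 'real token, 1 minute later:   ', var_export(csrf_check($session, $post, $t0 + 60), true), PHP_EOL;

// Cross-site forgery: the attacker's page cannot read the victim's session
// token, so the best it can do is post a guess.
$guess = ['csrf_token' => str_repeat('a', 2 * CSRF_TOKEN_BYTES)];
echo 'guessed token:                ', var_export(csrf_check($session, $guess, $t0 + 60), true), PHP_EOL;

// 31 minutes of inactivity later, even the real token no longer works.
echo 'real token after 31 min idle: ', var_export(csrf_check($session, $post, $t0 + 60 + 31 * 60), true), PHP_EOL;
```

Two points worth keeping in mind when reading this: the token only protects a request if the handler actually calls the check before writing anything, so it has to be applied to every state-changing action, not only the obvious forms; and the 30-minute idle expiry bounds the window after you walk away from a logged-in session, but while you are actively working the unguessable token is the whole defence, which is why it must come from a cryptographic random source and be compared in constant time.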
Just one more thing: it's always a good idea to log out after you have finished work on ANY website. Almost every application (including Gmail and Facebook) has had problems like this. Protect yourself, the web is potentially unsafe...
XSS vulnerabilities occur when input values are not sanitized and output is not escaped properly. It was possible to save HTML in fields that were not meant to hold HTML. You could (for example) create a configuration with the name:
After saving, an alert popped up. This problem was fixed in multiple places.
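To make the fix concrete, here is an added example (not Bigace's code) of the two halves of such a fix: escaping the stored value at the point where it is written into HTML, and refusing markup at save time for a field that is only supposed to hold a plain identifier. The function names, the identifier rule and the sample payload are all assumptions made for the example.

```php
<?php
// Added example, not Bigace code. A configuration name is plain text, so it
// must be escaped wherever it is echoed into HTML, and can additionally be
// rejected at save time if it contains markup.

// Constructed sample payload of the kind the post describes: HTML saved into
// a field that was never meant to hold HTML.
const SAMPLE_NAME = '<script>alert(1)</script>';

// Vulnerable: the stored value is written straight into the page, so the
// browser runs whatever markup was saved.
function render_config_row_vulnerable(string $name, string $value): string {
    return "<tr><td>$name</td><td>$value</td></tr>";
}

// Hardened: escape at the output boundary. ENT_QUOTES also encodes ' and ",
// which matters as soon as the value lands inside an attribute.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_config_row(string $name, string $value): string {
    return '<tr><td>' . esc_html($name) . '</td><td>' . esc_html($value) . '</td></tr>';
}

// Attribute context, e.g. echoing the name back into the edit form. The same
// escaper is enough as long as the attribute is quoted.
function render_name_input(string $name): string {
    return '<input type="text" name="name" value="' . esc_html($name) . '">';
}

// Defence in depth at save time: treat a configuration name as an identifier
// and reject anything else (assumed rule: letters, digits, '_', '.', '-').
// Note that strip_tags() alone would not be enough here: a value such as
// foo" onfocus="alert(1) contains no tag, survives strip_tags(), and still
// breaks out of an unescaped attribute.
function validate_config_name(string $name): bool {
    return (bool) preg_match('/\A[A-Za-z0-9_.\-]{1,64}\z/', $name);
}

// --- demo on constructed input ---
echo 'vulnerable: ', render_config_row_vulnerable(SAMPLE_NAME, 'x'), PHP_EOL;
echo 'hardened:   ', render_config_row(SAMPLE_NAME, 'x'), PHP_EOL;
echo 'attribute:  ', render_name_input('foo" onfocus="alert(1)'), PHP_EOL;
echo 'name ok?    ', var_export(validate_config_name(SAMPLE_NAME), true), PHP_EOL;
echo 'name ok?    ', var_export(validate_config_name('site.title'), true), PHP_EOL;
```

Escaping at output is the part that cannot be skipped: the same stored string may be shown in a table cell, an attribute and a JavaScript string, and each context needs the escaping that fits it, whereas input validation is a useful extra layer that only helps for fields whose legitimate values are that restricted.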
The vulnerabilities were found and reported by Bkis (BACH KHOA INTERNETWORK SECURITY CENTER, HANOI UNIVERSITY OF TECHNOLOGY), a leading Vietnamese center for research on and deployment of network security software and solutions. Check out their security blog as well.
I was contacted three weeks ago by Bui Quang Minh, and they gave me the time to create patches and test them before releasing this information.
Please upgrade your system soon and do not forget to create a backup first.
We have to test these things better in the future. Please help Bigace by testing it in the nightly build demo (login with admin/admin). If you find more problems like this, report them here, in the forum or via email through my homepage. Every bit of help is appreciated!
My last words are dedicated to the professional security teams out there: thanks for your great work and your cooperation. I am very pleased that once again a security team tested Bigace and was responsible enough to contact me up front, before releasing exploits to a wider audience.
... and hey, did you know that Bigace is even known in Hanoi?! Great, isn't it :D