#1 April 14, 2015 8:48pm

timbuckingham
Administrator
From: Baltimore, MD
Registered: April 2, 2012
Posts: 978

BigTree 4.0.11 / 4.1.7 / 4.2.1 Security Update

The latest version of each BigTree branch contains important security updates. The following security vulnerabilities have been patched in these releases but require admin access to exploit:

SQL injection attack vectors exist at:

  • /admin/ajax/auto-modules/views/approve/

  • /admin/ajax/auto-modules/views/archive/

  • /admin/ajax/auto-modules/views/delete/

  • /admin/ajax/auto-modules/views/feature/

  • /admin/ajax/auto-modules/views/searchable-page/

  • /admin/ajax/developer/load-table-columns/

  • /admin/ajax/users/get-page/

  • /admin/ajax/users/get-emulate-page/

Cross Site Scripting attack vectors exist at:

  • /admin/developer/templates/edit/

  • /admin/developer/modules/edit/

Session and login cookies are now use the HTTPOnly flag when being set which should make them less susceptible to future Cross Site Scripting attacks.

BigTree 4.2.1 also employs a new, more secure login cookie system. When a user choose "Remember Me" upon logging in, the hashed password is no longer stored as a cookie for authenticating logins. Now a random unique session ID and a random unique chain ID are created and stored as an authentication cookie. Each time a user uses this authentication cookie to regenerate a administrative session the chain ID is maintained and a new unique session ID is created. In the event that your session and chain IDs are compromised, authenticating with an old session ID and current chain ID will wipe all authentication sessions, deauthenticating the fraudulent user. This approach is outlined in more detail at Barray Jaspan's blog.

Offline

#2 April 27, 2015 8:04am

katyemunger
Member
From: Vermont
Registered: February 20, 2015
Posts: 8
Website

Re: BigTree 4.0.11 / 4.1.7 / 4.2.1 Security Update

Hi!

Thank you for this updating and for implementing it for people on your servers. However, since this update, my teams daily digests are emailed to us blank. Is there a way to fix this? Do we need to do something?

Thanks!
Katye

Offline

#3 April 27, 2015 10:51am

timbuckingham
Administrator
From: Baltimore, MD
Registered: April 2, 2012
Posts: 978

Re: BigTree 4.0.11 / 4.1.7 / 4.2.1 Security Update

I'll follow up via email to see if we can diagnose this issue.

Offline

Board footer

Powered by FluxBB

The Discussion Forum is not available on displays of this size.