Release 1.1.12 and Bugs

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Release 1.1.12 and Bugs

Postby mflorell » Thu Jun 22, 2006 11:31 am

There have been some minor bugs in the 1.1.12 release which have caused a few revisions to be released on the project site:

1.1.12-1 - admin.php issue fix
1.1.12-2 - install script and documentation fix
1.1.12-3 - two admin.php issues and vdc_db_query.php bug fix

You can download the fixed scripts here:
http://astguiclient.sourceforge.net/code_updates/

Or the 1.1.12-3 release is available here:
http://sourceforge.net/project/showfile ... p_id=95133
Last edited by mflorell on Fri Sep 15, 2006 2:18 pm, edited 4 times in total.
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby AIRAM » Fri Jun 23, 2006 1:30 pm

I just upgraded to version 1.1.12-2 and I'm having problems with special characters from the admin.php. I can't use them in passwords and/or user names. Is this related to the bug or it's fix.

We created a php form to input data to MySQL and that is accepting special characters just fine.

Previously we were using astguiclient_snapshot_2006-06-16.zip. Is returning to that just a matter of extracting and running the server file install to test if the problem is the new php's.
AIRAM
 
Posts: 29
Joined: Mon Jun 12, 2006 3:36 pm

Postby mflorell » Fri Jun 23, 2006 1:40 pm

Yes it is related to the security fixes for SQL injection and code insertion. Removing all special characters from the user and password pretty much eliminates an attack from a non-user. All of the scripts now filter user/pass for any non [0-9a-zA-Z] characters.

Which characters were you using in your user/pass?

you can roll back to the snapshot by just overwriting the web folders, but that code is vulnerable to attack so I would not recommend using it.

There have also been a couple more small bugs discovered so I will be doing another release this afternoon.
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby AIRAM » Fri Jun 23, 2006 2:09 pm

The usual #,@ not big deal though.

We will just live with it; I just wanted to make sure it was some intentional change on Vicidial and not something we broke since we have been experimenting with different configurations on MySQL to try to solve ocational errors I've mentioned on another post here.
AIRAM
 
Posts: 29
Joined: Mon Jun 12, 2006 3:36 pm

password limitation

Postby kchung » Fri Aug 04, 2006 5:38 pm

While I understand that there is a need to to prevent sql injection, not allowing more secure password is just as bad. Please consider other forms of preventing sql injection attacks.

Here is a [url="http://it.slashdot.org/article.pl?sid=06/07/19/1213201"]recent discussion of SQL injection attacks[/url] on /. This discussion offers many solution to attacks without limiting our content.


Here's an insightful article on the subject:
http://it.slashdot.org/comments.pl?sid= ... d=15742682
kchung
 
Posts: 208
Joined: Fri Aug 04, 2006 5:28 pm

Postby mflorell » Fri Aug 04, 2006 6:03 pm

Which characters should be allowed in passwords?

Some of the considerations were not just for SQL injection, but also with cross-site scripting and Javascript injection which are often easier to do than SQL injection with more varied characters.
mflorell
Site Admin
 
Posts: 18335
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 62 guests