how to apply security fixes without updating to 5.90

If you're a new user of AppGini, feel free to ask general usage questions, or look for answers here.
D Oliveira
AppGini Super Hero
Posts: 347
Joined: 2018-03-04 09:30
Location: David

how to apply security fixes without updating to 5.90

Post by D Oliveira » 2020-10-28 06:25

Hi, I've noticed by looking at the changelog the following improvements in security:

Security fixes
Prevent a stored XSS vulnerability in admin area.
Prevent CSRF vulnerability in various admin pages.
Prevent XSS vulnerability in pageViewMembers.php.
Fix CSRF token bug in pageTransferOwnership.php.
Prevent possible brute force guess of admin username.
Prevent reflected XSS attack via FirstRecord parameter.
Fix user enumeration attack for forgotten password page (this is a minor security issue that allows a malicious attacker to guess list of users through a brute force attack).
Refactor initSession(), and limit cookie path to app uri rather than to entire domain to prevent session collisions when multiple AppGini apps are installed to same domain.


My question: is there a way to manually apply those fixes to an app generated on version 5.81?

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: how to apply security fixes without updating to 5.90

Post by onoehring » 2020-10-28 11:45

Hi D Oliveira,

I would think you could generate your app once with 5.8x and again with 5.9 and compare files.
You would still need 5.9 once and - I am not so sure, but the generated code from AG with the files do have some copyright. If you buy 5.9 you are granted the license to distribute the files, but I would suppose this is not the case if you have not bought 5.9 yet. Following this train of thought, I would think using files from 5.9 in your 5.8x distribution - without having bought 5.9 - you are breaking the license.
If you have 5.9 and 5.8x I would suppose the comparison is following license restrictions and you would/should be able to copy new files from 5.9 to your 5.8x distribution.
I would also assume that the files that have been strengthened are base files which do not change in every App-regeneration, but stay as they are.

If you have 5.8x and 5.9 - maybe give this approach a try and report how/if it works.

Olaf

D Oliveira
AppGini Super Hero
Posts: 347
Joined: 2018-03-04 09:30
Location: David

Re: how to apply security fixes without updating to 5.90

Post by D Oliveira » 2020-10-28 16:19

Hi, thanks for engaging. I have no problem getting the license; my main issue is that some of my apps have core files such as datalist, incCommon, and admin files with custom code, and therefore I could not replace them with new 5.9 generated code. It has to stay in that version, but I would like to manually implement the security improvements if that's possible. I wouldn't mind paying for an "add-on" that would just perform the security improvements on older versions, or just have some alternative to keep my older apps as safe as possible. Hoping to hear from the AppGini team, thank you all.

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: how to apply security fixes without updating to 5.90

Post by onoehring » 2020-10-28 16:29

Hi,

well, if you have 5.9, just give my suggestion a try. You could MD5 all files; TotalCommander (ghisler.com) also offers a very simple way to compare multiple files.
Concerning code adjustments I am skeptical myself about upgrading an existing generated application as I am using several adjustments myself. I try to use include statements where possible so that I can "outsource" my own code with a single line of code. Maybe that could help you as well?

Olaf
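The approach suggested in the two replies above (generate the same app with both versions, then hash every file and compare) can be scripted. The following is an added example, not code from this thread or from AppGini: it hashes two generated trees, lists which files changed, were added or removed between the 5.8x and 5.9 output, and flags the changed files that you have also hand-edited (a list you supply), since those are the ones that need a manual merge rather than a plain copy. The file names in the constructed demo mirror the ones mentioned in the thread; their contents are made up.

```python
"""Compare two generated app trees by file hash (added example, constructed data)."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root, algo="md5"):
    """Return {relative_path: hexdigest} for every regular file under root.

    MD5 is adequate here: we only want to detect differences between two
    trees we generated ourselves, not resist a deliberately forged collision.
    """
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            h = hashlib.new(algo)
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(old_root, new_root, customised=()):
    """Classify files between the old and new generated trees.

    Returns a dict with four sorted lists:
      changed     - present in both trees, different content
      added       - only in the new tree
      removed     - only in the old tree
      needs_merge - changed files that you also hand-edited (passed in
                    `customised`), so they cannot simply be copied over
    """
    old = hash_tree(old_root)
    new = hash_tree(new_root)
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    custom = set(customised)
    return {
        "changed": changed,
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "needs_merge": [p for p in changed if p in custom],
    }


def demo_report():
    """Build two small constructed trees in a temp dir and compare them.

    The paths echo files named in the thread; the contents are invented
    placeholders and say nothing about the real AppGini sources.
    """
    base = Path(tempfile.mkdtemp())
    old, new = base / "app-5.81", base / "app-5.90"
    files = {
        old / "incCommon.php": "<?php // common helpers, old generator\n",
        new / "incCommon.php": "<?php // common helpers, new generator\n",
        old / "datalist.php": "<?php // identical in both versions\n",
        new / "datalist.php": "<?php // identical in both versions\n",
        old / "admin/pageViewMembers.php": "<?php // old generator\n",
        new / "admin/pageViewMembers.php": "<?php // new generator\n",
        old / "old-only.php": "<?php // dropped by the new generator\n",
        new / "lib/new-helper.php": "<?php // introduced by the new generator\n",
    }
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    # incCommon.php and datalist.php are the files we pretend to have customised
    return compare_trees(old, new, customised=["incCommon.php", "datalist.php"])


if __name__ == "__main__":
    import sys
    # usage: python compare_trees.py ./app-5.81 ./app-5.90 [customised files...]
    report = demo_report() if len(sys.argv) < 3 else compare_trees(
        sys.argv[1], sys.argv[2], sys.argv[3:]
    )
    for key, paths in report.items():
        print(f"{key}:")
        for p in paths:
            print(f"  {p}")
```

Run it with the two generated directories and the list of files you have modified by hand; files in `changed` but not in `needs_merge` can be copied straight from the 5.9 output, while `needs_merge` is the short list that has to be diffed and merged by hand.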

D Oliveira
AppGini Super Hero
Posts: 347
Joined: 2018-03-04 09:30
Location: David

Re: how to apply security fixes without updating to 5.90

Post by D Oliveira » 2020-10-28 16:41

That is definitely good advice, even though I'm afraid doing that process for every app that I have developed in the past year would be a time consuming task: first comparing each custom file from each app with the newly generated version of that app in 5.9 :? It'd be easier to know how to apply the new security improvements in a general sense and then perform the work, rather than starting a lengthy analysis process, because for each app I have modified distinct core AppGini files, so an individual analysis would be required for every app. Let's hope someone can clarify how to approach that in a simpler way. I do appreciate your help, thank you :) By the way, the brute force attack can be easily solved with reCAPTCHA and enforcing strong passwords; the rest of the list remains the challenge.
