Hi, I've noticed by looking at the changelog the following improvements in security:
Security fixes
Prevent a stored XSS vulnerability in admin area.
Prevent CSRF vulnerability in various admin pages.
Prevent XSS vulnerability in pageViewMembers.php.
Fix CSRF token bug in pageTransferOwnership.php.
Prevent possible brute force guess of admin username.
Prevent reflected XSS attack via FirstRecord parameter.
Fix user enumeration attack for forgotten password page (this is a minor security issue that allows a malicious attacker to guess the list of users through a brute force attack).
Refactor initSession(), and limit cookie path to app uri rather than to entire domain to prevent session collisions when multiple AppGini apps are installed to same domain.
My question: is there a way to manually apply those fixes to an app generated on version 5.81?
how to apply security fixes without updating to 5.90
- D Oliveira
- AppGini Super Hero
- Posts: 347
- Joined: 2018-03-04 09:30
- Location: David
Re: how to apply security fixes without updating to 5.90
Hi D Oliveira,
I would think you could generate your app once with 5.8x and again with 5.9 and compare files.
You would still need 5.9 once and - I am not so sure, but the generated code from AG with the files does have some copyright. If you buy 5.9 you are granted the license to distribute the files, but I would suppose this is not the case if you have not bought 5.9 yet. Following this train of thought, I would think that using files from 5.9 in your 5.8x distribution without having bought 5.9 is breaking the license.
If you have 5.9 and 5.8x, I would suppose the comparison is following license restrictions and you would/should be able to copy new files from 5.9 to your 5.8x distribution.
I would also assume that the files that have been strengthened are base files which do not change in every app regeneration, but stay as they are.
If you have 5.8x and 5.9, maybe give this approach a try and report how/if it works.
Olaf
Some postings I was involved in, which you might find useful:
SingleEdit - Prevent concurrent edits on records; Field Permissions; Column-Value-Based-Permissions; Custom (error) message; Audit Log; Backup your database; Two Factor Authentication; Block brute force (failed) logins; Add 2nd SAVE CHANGES button; Place a search on details view
- D Oliveira
- AppGini Super Hero
- Posts: 347
- Joined: 2018-03-04 09:30
- Location: David
Re: how to apply security fixes without updating to 5.90
Hi, thanks for engaging. I have no problem getting the license; my main issue is that some of my apps have core files such as datalist, incCommon and admin files with custom code, and therefore I could not replace them with new 5.9 generated code. It has to stay in that version, but I would like to manually implement the security improvements if that's possible. I wouldn't mind paying for an "add-on" that would just perform the security improvements on older versions, or just have some alternative to keep my older apps as safe as possible. Hoping to hear from the AppGini team, thank you all.
Re: how to apply security fixes without updating to 5.90
Hi,
Well, if you have 5.9, just give my suggestion a try. You could MD5 all files; TotalCommander (ghisler.com) also offers a very simple way to compare multiple files.
Concerning code adjustments, I am skeptical myself about upgrading an existing generated application, as I am using several adjustments myself. I try to use include statements where possible so that I can "outsource" my own code with a single line of code. Maybe that could help you as well?
Olaf
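One way to carry out the hash-and-compare approach Olaf describes, as an added example that is not AppGini's or the forum's own code: generate the same project once with 5.81 and once with 5.90, hash every file in both output trees, and list which files the newer generator changed, added or removed; those are the candidates to merge by hand into a customised app. The directory names and file contents below are constructed sample data, not real AppGini output.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(old_root, new_root):
    """Return (changed, added, removed) relative paths between two trees."""
    old, new = hash_tree(old_root), hash_tree(new_root)
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return changed, added, removed


def demo():
    """Build two constructed sample trees (not real AppGini output) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        old_root, new_root = Path(tmp, "app-5.81"), Path(tmp, "app-5.90")
        files_old = {
            "admin/pageViewMembers.php": "<?php // 5.81 output ?>",
            "admin/pageTransferOwnership.php": "<?php // 5.81 output ?>",
            "incCommon.php": "<?php // shared helpers, unchanged ?>",
            "hooks/custom.php": "<?php // constructed custom file, same in both ?>",
        }
        files_new = dict(files_old)
        # Files the newer generator rewrote or introduced (constructed sample).
        files_new["admin/pageViewMembers.php"] = "<?php // 5.90 output ?>"
        files_new["admin/pageTransferOwnership.php"] = "<?php // 5.90 output ?>"
        files_new["admin/pageAddedInNewer.php"] = "<?php // new in 5.90 ?>"
        for root, files in ((old_root, files_old), (new_root, files_new)):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return compare_trees(old_root, new_root)


if __name__ == "__main__":
    changed, added, removed = demo()
    print("changed:", changed, "added:", added, "removed:", removed)
```

Running compare_trees against your real 5.81 and 5.90 output directories gives the list of files to diff against your customised copies; files with custom code that also appear in the changed list are the ones that need a manual merge.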
- D Oliveira
- AppGini Super Hero
- Posts: 347
- Joined: 2018-03-04 09:30
- Location: David
Re: how to apply security fixes without updating to 5.90
That is definitely good advice, even though I'm afraid doing that process for every app that I have developed in the past year would be a time-consuming task: first comparing each custom file from each app with the new generated version of that app in 5.9. It'd be easier to know how to apply the new security improvements in a general sense and then perform the work, rather than starting a lengthy analysis process, because for each app I have modified distinct core AppGini files, so an individual analysis would be required for every app. Let's hope someone can clarify how to approach that in a simpler way. I do appreciate your help, thank you. By the way, the brute force attack can be easily solved with reCAPTCHA and enforcing strong passwords; the rest of the list remains the challenge.