This is not the home of dotProject or web2project. It is the home of CaseySoftware, LLC. Any dotProject support questions should be referred to their support forums.
Late last month, I received some bad news about web2project...
It turns out that web2project was vulnerable to a handful of select Cross-Site Scripting (XSS) vulnerabilities. While the attack vector was pretty specific to being an already authenticated user, it had the potential to be a major problem in a poorly configured system.
On the positive side, I say "was" because within 10 days of being notified of the problem - and the same day the vulnerability became public - we had a patched release out the door and available to users. We've spent the past month since encouraging them to upgrade. Of course, we further benefit from the fact that although the vulnerability does affect us, we're not named in the report.
On the negative side, it did take us 10 days to close the vulnerability. The patch itself was available a few days earlier via Subversion but it might not have been enough. Further, we didn't explicitly notify our users of a need to upgrade but since it was rolled with a handful of other major fixes, it appears that many people have upgraded already. Once again, we benefit from the very specific attack vector.
To make this process easier and faster in the future, as of v1.3, we can already detect if upgrades have been uploaded but not applied. For an upcoming release, we're implementing a Drupal/WordPress-style means of notifying existing administrators that an upgrade is available. In the meantime, watch this space or web2project's page on SourceForge.
It is a little strange that nowadays such vulnerabilities could happen. :-/
Vulnerability
The thing is that that code is quite old. It was written in 2002-2004 long before most people had heard of these concepts. And since it works without problem, most developers have kept their attention elsewhere.
I'm just glad that we were able to get the fix out in time. So far we've been able to track and resolve these things before they were made public thanks to our great community.
Dashboard
Hello
I was wondering if there were any plans in the works to have a dashboard on Web2project. I have been looking at a product called Teamwork and the only thing nice about it is that the first page you log into has different sections that are configurable (Block code). There is Company news, Department news, announcements and such. There is a section for tasks that are due (summary). There is a current activities section that shows a summary of the current activity on the projects the user is associated with. I can think of a lot of things that could be summarized on a dashboard page.
hook_block
No, there's not a "plan" for a dashboard, but there are some ideas for it. I'm going to start laying the groundwork in v1.3 by adding a hook_block method onto the core classes. It's not going to do anything yet, but I envision it working similarly to how Drupal's blocks work.
Do you have some thoughts on how it should work?
Dash Board
I was thinking something that tied all the user info together i.e. Calendar, tasks, Company News, department news. Of course to have News, there would need to be a news module added.
Take a look at the script "Teamwork". It has a dashboard that is nice.