Release 1.1.12 and Bugs

PostPosted: Thu Jun 22, 2006 11:31 am
by mflorell
There have been some minor bugs in the 1.1.12 release which have caused a few revisions to be released on the project site:

1.1.12-1 - admin.php issue fix
1.1.12-2 - install script and documentation fix
1.1.12-3 - two admin.php issues and vdc_db_query.php bug fix

You can download the fixed scripts here:
http://astguiclient.sourceforge.net/code_updates/

Or the 1.1.12-3 release is available here:
http://sourceforge.net/project/showfile ... p_id=95133

PostPosted: Fri Jun 23, 2006 1:30 pm
by AIRAM
I just upgraded to version 1.1.12-2 and I'm having problems with special characters from the admin.php. I can't use them in passwords and/or user names. Is this related to the bug or its fix?

We created a php form to input data to MySQL and that is accepting special characters just fine.

Previously we were using astguiclient_snapshot_2006-06-16.zip. Is returning to that just a matter of extracting and running the server file install, to test whether the problem is in the new PHP scripts?

PostPosted: Fri Jun 23, 2006 1:40 pm
by mflorell
Yes, it is related to the security fixes for SQL injection and code insertion. Removing all special characters from the user and password pretty much eliminates an attack from a non-user. All of the scripts now filter user/pass for any non-[0-9a-zA-Z] characters.

Which characters were you using in your user/pass?

You can roll back to the snapshot by just overwriting the web folders, but that code is vulnerable to attack, so I would not recommend using it.

There have also been a couple more small bugs discovered so I will be doing another release this afternoon.

PostPosted: Fri Jun 23, 2006 2:09 pm
by AIRAM
The usual #, @; not a big deal though.

We will just live with it; I just wanted to make sure it was an intentional change in Vicidial and not something we broke, since we have been experimenting with different configurations on MySQL to try to solve the occasional errors I've mentioned in another post here.

password limitation

PostPosted: Fri Aug 04, 2006 5:38 pm
by kchung
While I understand that there is a need to prevent SQL injection, not allowing more secure passwords is just as bad. Please consider other forms of preventing SQL injection attacks.

Here is a recent discussion of SQL injection attacks on /. (http://it.slashdot.org/article.pl?sid=06/07/19/1213201). This discussion offers many solutions to attacks without limiting our content.

Here's an insightful article on the subject:
http://it.slashdot.org/comments.pl?sid= ... d=15742682

PostPosted: Fri Aug 04, 2006 6:03 pm
by mflorell
Which characters should be allowed in passwords?

Some of the considerations were not just for SQL injection, but also for cross-site scripting and JavaScript injection, which are often easier to do than SQL injection with more varied characters.
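The two positions in this thread (mflorell's 1.1.12 fix of filtering user/pass down to [0-9a-zA-Z], and kchung's request for injection protection that does not restrict passwords) can be placed side by side in code. The following is an added example written for this thread; it is not Vicidial/astguiclient code and does not reflect how admin.php or vdc_db_query.php are actually written. It assumes PHP with PDO and the pdo_sqlite driver, and the users table, the account and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not project code. Assumes PDO with the sqlite driver.

// Approach 1: the whitelist filter as described for release 1.1.12.
// Anything outside [0-9a-zA-Z] is rejected, so '#' and '@' cannot be used
// in a user name or password even though they cannot harm a properly
// parameterised query.
function passesAlnumWhitelist(string $value): bool
{
    return preg_match('/^[0-9a-zA-Z]+$/', $value) === 1;
}

// Approach 2: a prepared statement. The user name is bound as data, so
// quotes, '#', '@' or ';' never become part of the SQL text, and the
// password is only ever compared against a stored hash, never interpolated.
function findUserId(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// The cross-site scripting concern from the last post is handled separately
// from SQL: encode the value at the point it is written into HTML, rather
// than restricting which characters may be stored.
function renderUserName(string $user): string
{
    return '<td>' . htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed in-memory schema and one sample account (hypothetical data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (user, pass_hash) VALUES (:u, :h)');
$ins->execute([':u' => "o'brien", ':h' => password_hash('p@ss#word', PASSWORD_DEFAULT)]);

// The same password fails the 1.1.12 whitelist but works with the prepared statement.
var_dump(passesAlnumWhitelist('p@ss#word'));          // bool(false)
var_dump(findUserId($db, "o'brien", 'p@ss#word'));    // int(1)
var_dump(findUserId($db, "o'brien", 'wrong'));        // NULL
// A user name containing a quote is stored and looked up as plain data.
var_dump(findUserId($db, "o'brien", 'p@ss#word') !== null); // bool(true)
// HTML encoding neutralises markup on output without touching the stored value.
echo renderUserName('<b>o\'brien</b>'), "\n";          // &lt;b&gt;o&#039;brien&lt;/b&gt;
```

The whitelist is the cheaper change to make across many scripts at once, which is presumably why it was chosen for a point release; the prepared-statement form is what removes the restriction on passwords, and output encoding is the matching control for the XSS side of the argument.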