Any and all non-support discussions
Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N
by mflorell » Thu Jun 22, 2006 11:31 am
There have been some minor bugs in the 1.1.12 release which have caused a few revisions to be released on the project site:
1.1.12-1 - admin.php issue fix
1.1.12-2 - install script and documentation fix
1.1.12-3 - two admin.php issues and vdc_db_query.php bug fix
You can download the fixed scripts here:
http://astguiclient.sourceforge.net/code_updates/
Or the 1.1.12-3 release is available here:
http://sourceforge.net/project/showfile ... p_id=95133
Last edited by
mflorell on Fri Sep 15, 2006 2:18 pm, edited 4 times in total.
-
mflorell
- Site Admin
-
- Posts: 18387
- Joined: Wed Jun 07, 2006 2:45 pm
- Location: Florida
-
by AIRAM » Fri Jun 23, 2006 1:30 pm
I just upgraded to version 1.1.12-2 and I'm having problems with special characters from the admin.php. I can't use them in passwords and/or user names. Is this related to the bug or it's fix.
We created a php form to input data to MySQL and that is accepting special characters just fine.
Previously we were using astguiclient_snapshot_2006-06-16.zip. Is returning to that just a matter of extracting and running the server file install to test if the problem is the new php's.
-
AIRAM
-
- Posts: 29
- Joined: Mon Jun 12, 2006 3:36 pm
by mflorell » Fri Jun 23, 2006 1:40 pm
Yes it is related to the security fixes for SQL injection and code insertion. Removing all special characters from the user and password pretty much eliminates an attack from a non-user. All of the scripts now filter user/pass for any non [0-9a-zA-Z] characters.
Which characters were you using in your user/pass?
you can roll back to the snapshot by just overwriting the web folders, but that code is vulnerable to attack so I would not recommend using it.
There have also been a couple more small bugs discovered so I will be doing another release this afternoon.
-
mflorell
- Site Admin
-
- Posts: 18387
- Joined: Wed Jun 07, 2006 2:45 pm
- Location: Florida
-
by AIRAM » Fri Jun 23, 2006 2:09 pm
The usual #,@ not big deal though.
We will just live with it; I just wanted to make sure it was some intentional change on Vicidial and not something we broke since we have been experimenting with different configurations on MySQL to try to solve ocational errors I've mentioned on another post here.
-
AIRAM
-
- Posts: 29
- Joined: Mon Jun 12, 2006 3:36 pm
by kchung » Fri Aug 04, 2006 5:38 pm
While I understand that there is a need to to prevent sql injection, not allowing more secure password is just as bad. Please consider other forms of preventing sql injection attacks.
Here is a [url="http://it.slashdot.org/article.pl?sid=06/07/19/1213201"]recent discussion of SQL injection attacks[/url] on /. This discussion offers many solution to attacks without limiting our content.
Here's an insightful article on the subject:
http://it.slashdot.org/comments.pl?sid= ... d=15742682
-
kchung
-
- Posts: 208
- Joined: Fri Aug 04, 2006 5:28 pm
by mflorell » Fri Aug 04, 2006 6:03 pm
Which characters should be allowed in passwords?
Some of the considerations were not just for SQL injection, but also with cross-site scripting and Javascript injection which are often easier to do than SQL injection with more varied characters.
-
mflorell
- Site Admin
-
- Posts: 18387
- Joined: Wed Jun 07, 2006 2:45 pm
- Location: Florida
-
Return to General Discussion
Who is online
Users browsing this forum: No registered users and 43 guests