
SECURITY PATCH AND OTHER TWEAKS! Severity: "Bad but not catastrophic"

@trongate trongate released this 02 Dec 15:24
· 558 commits to master since this release

This update introduces a range of tweaks and corrections - two of which are important.

THE IMPORTANT TWEAKS THAT YOU NEED TO KNOW ABOUT:

  1. There is a method (function) in Core.php by the name of draw_error_page(). This function was lacking a die(); statement. Without a die() at the end of draw_error_page(), PHP code could continue to run even after an error page had been displayed. The die() statement has now been added.

  2. On the Trongate_tokens module there was a method called clean(). This method deletes everything from the Trongate tokens table and then finishes with an echo "cleaned"; statement. The method does not get called anywhere and it's actually a leftover from a very late night coding session. So, I have removed this. I apologise.

The two errors (which have now been fixed) are classed as "Bad but not catastrophic".

I have investigated some worst case scenarios, with the help of Simon and Jake. Our findings are that somebody who knew what they were doing would be able to add records into the Trongate users table. This is alarming. However, since Trongate authentication and authorisation depends on a network of at least two other database tables (all with appropriate keys) being linked together and since trongate_users has no password column, it means that any malicious database insertion into that table would be benign.

I remind you that Trongate uses PDO from top to bottom which makes SQL injection virtually impossible (I have to say 'virtually' in case there is some hypothetically undiscovered method that I'm not aware of). So, as bad as this error was, it's not catastrophic.

With the second error, the ultimate worst case scenario would be that somebody who knew what they were doing could continually log users out by clearing the tokens table. Again, this is a bad error; however, since it does not expose any credentials and since it does not allow admin rights, it also has to be classed as 'bad but not catastrophic'.
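The following script is an added illustration and is not Trongate's own code. It reproduces, in a self-contained form, the two classes of defect described above: an error-page renderer that returns instead of terminating the request (so the calling code carries on and, in this constructed case, inserts a record after the error page has already been sent), and a table-wiping housekeeping method left public on a class. The function and class names (draw_error_page_before, draw_error_page_fixed, add_user, Token_store) are hypothetical stand-ins, the in-memory arrays replace the database tables, and the remark that public controller methods are reachable by URL is an assumption about framework routing in general rather than a statement about Trongate's internals.

```php
<?php
// Added example, not Trongate's own code. Names are hypothetical stand-ins;
// the arrays below replace database tables so this runs without MySQL/PDO.

declare(strict_types=1);

// Constructed stand-in for the users table.
$users = [];

// BEFORE: renders the error page and returns, so the caller carries on.
function draw_error_page_before(int $status, string $message): void
{
    http_response_code($status);
    echo "<h1>Error {$status}</h1><p>" . htmlspecialchars($message) . "</p>\n";
}

// AFTER: renders the error page, then terminates the request unconditionally.
// Nothing that follows the call in the caller can execute.
function draw_error_page_fixed(int $status, string $message): void
{
    http_response_code($status);
    echo "<h1>Error {$status}</h1><p>" . htmlspecialchars($message) . "</p>\n";
    exit;
}

// Hypothetical controller action: validate, show an error page if the input
// is bad, otherwise insert. $draw_error_page selects which renderer is used.
function add_user(array &$users, array $input, callable $draw_error_page): void
{
    if (!isset($input['username']) || !is_string($input['username'])) {
        $draw_error_page(400, 'username is required');
        // With the BEFORE renderer, execution falls through to the insert below.
    }
    $users[] = ['username' => $input['username'] ?? null];
    echo 'inserted: ' . json_encode(end($users)) . "\n";
}

// Hypothetical token store mirroring the leftover clean() described above.
// Assumption: public methods on a controller are reachable by URL in many PHP
// frameworks, so a housekeeping method that empties a table must never be
// public. Here it is private, so only the class itself could call it.
final class Token_store
{
    /** @var array<string,int> token => user id (constructed data) */
    private array $tokens = ['abc123' => 1, 'def456' => 2];

    public function count(): int
    {
        return count($this->tokens);
    }

    // Was public in the buggy version; private means routing cannot reach it.
    private function clean(): void
    {
        $this->tokens = [];
    }
}

// Run with: php error_page_example.php
$malformed = ['username' => ['not', 'a', 'string']]; // constructed bad input

// The record is appended even though an error page was already sent.
add_user($users, $malformed, 'draw_error_page_before');

$store = new Token_store();
echo 'tokens held: ' . $store->count() . "\n";
// Calling $store->clean() from outside the class is a fatal
// "Call to private method" error, which is the intended protection.

// The fixed renderer exits before the insert, so the last line is never run.
add_user($users, $malformed, 'draw_error_page_fixed');
echo "never reached\n";
```

Run from the command line: the first add_user() call demonstrates the fall-through (an error page followed by an insert in the same request), and the second shows that exit after rendering makes the insert unreachable regardless of what the caller does next. The Token_store class makes the companion point: the safe fix for an unused table-wiping method is to remove it, as this release does, and any housekeeping method that must remain should not be public on a routable class.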

Many thanks to Jake Castelli and Simon Field for identifying these bugs and for helping in coming up with solutions along with a "worst case scenario" assessment.

OTHER TWEAKS

There are a few other tweaks that have been carried out. We have a pull request from Tim Lalev who successfully identified something that wasn't being called. Thank you, Tim.

There's also an '=null' declaration on Trongate tokens that was not required. That has gone.

Finally, Jake identified an unused view file on the Comments module.

RECOMMENDATIONS
  1. Make sure your Trongate engine is updated to v1.3.3018 or higher.
  2. Manually replace your Trongate_tokens module with the latest version (available from GitHub at: https://github.com/davidjconnelly/trongate-framework)

THANK YOU TROOPS, FOR YOUR EXCELLENT WORK AND FOR HELPING TO KEEP THE TRONGATE FRAMEWORK SAFE!!!