2022 fall updates wrap-up


Yes, we know it wasn't nice to go quiet for most of the year and then dump everything into a single post (almost) at the end of it.

We're sorry for that. But we kept working and pushing changes, so all active BardCanvas-powered websites got the updates in time.

The highlights

  • Many modules received minor bug fixes, others got small optimizations.
  • A lot of security issues were fixed.
  • A more reliable session management system was added.

But the big, big change was the set of improvements that made BardCanvas a safer, "less hackable" CMS.

Big help came in

During the first weeks of 2022 we fixed A LOT of holes in many modules, most of them SQL injection in attacker-reachable areas, but there were still places to check and we didn't have the resources to get to them.

Fortunately, during the second half of September, a security team knocked on the door of the Onix Development team, and since we're part of that team, its members pulled us in.

Dhina & Varma, Sr. Security Analysts at WarX, brought their time and effort to help us provide a better CMS. And we're really grateful for that.

They helped with penetration tests on important BardCanvas-related websites, like Onix and Blockchain Financial. They pointed us in the right direction to fix the holes and to close attack vectors we hadn't covered.

We highlighted in blue the fixes to vulnerabilities detected by WarX in the change lists below.

The big changelogs

Core updated to version

  • Added support for custom system encryption key.
  • Added support for IPinfo.io
  • Refactored IP Geolocation functions.
  • Added option to include password on account creation email for modules that require it.
  • Added flag for error processing on the database controller.
  • Adjustments to the memcache helper.
  • Switched default encryption cipher.
  • Added tokenized cookies for session control.
  • Added setup checks to avoid throwing warnings when invoked after initial run.
  • Added web helper function to detect script injections.
  • Added CSRF treatment methods to the account class.
  • Added sanitization to the device class constructor.
  • Added «HTTP only» flag to user session cookies.
  • Strengthened session control.
  • Tuned SQL injection patterns.
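The session and CSRF items above (tokenized session cookies, the «HTTP only» flag, CSRF treatment methods) fit together as one small mechanism. The following is an added example in PHP written for this page; it is not BardCanvas core code. It assumes PHP 7.4+ (the `setcookie()` options array), a site served over HTTPS, and illustrative names for the cookie, its lifetime and the server secret.

```php
<?php
declare(strict_types=1);

// Added example, not BardCanvas code. Assumes PHP 7.4+ and HTTPS;
// cookie name, lifetime and the secret below are illustrative.
final class SessionControl
{
    public const COOKIE_NAME = 'bc_session'; // hypothetical cookie name
    public const LIFETIME    = 86400;        // one day, illustrative

    /** Issue a fresh, unguessable session token and send it as an HttpOnly, Secure, SameSite cookie. */
    public static function issueSessionCookie(): string
    {
        $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not a predictable id
        if (!headers_sent()) {
            setcookie(self::COOKIE_NAME, $token, [
                'expires'  => time() + self::LIFETIME,
                'path'     => '/',
                'secure'   => true,  // never sent over plain HTTP
                'httponly' => true,  // invisible to document.cookie, so XSS cannot read it
                'samesite' => 'Lax', // not attached to cross-site POST requests
            ]);
        }
        return $token;
    }

    /** Store only a hash server-side, so a leaked session table cannot be replayed as cookies. */
    public static function storableHash(string $token): string
    {
        return hash('sha256', $token);
    }

    /** CSRF token derived from the session token with a server-side secret (no extra storage needed). */
    public static function csrfToken(string $sessionToken, string $serverSecret): string
    {
        return hash_hmac('sha256', 'csrf:' . $sessionToken, $serverSecret);
    }

    /** Constant-time check; a state-changing request whose token fails this must be rejected. */
    public static function verifyCsrf(string $submitted, string $sessionToken, string $serverSecret): bool
    {
        return hash_equals(self::csrfToken($sessionToken, $serverSecret), $submitted);
    }
}

// Demo (runs from the CLI too; there the cookie header is simply not emitted).
$secret  = 'per-install-secret'; // assumption: in practice a per-install secret such as the custom system encryption key
$session = SessionControl::issueSessionCookie();
$csrf    = SessionControl::csrfToken($session, $secret);
var_dump(SessionControl::verifyCsrf($csrf, $session, $secret));
var_dump(SessionControl::verifyCsrf('forged-token', $session, $secret));
```

Two caveats worth keeping in mind. HttpOnly stops injected script from reading the cookie, but it does not stop the browser from attaching the cookie to a request that script or a third-party page triggers; that is why a CSRF token the browser will not auto-attach is still needed even after the HttpOnly flag is set. SameSite=Lax covers most cross-site POSTs, but older browsers ignore the attribute, so the token check stays the primary defense.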

Settings editor updated to version 1.9.5:

  • Added support for "ini" code areas.
  • Removed session keys from memcache on version bumping.

Accounts module updated to version 1.24.4:

  • Tuned browser filter by account engine prefs.
  • Added optional threshold against creating accounts from the same IP.
  • Tuned data in devices table.
  • Refactored IP Geolocation functions.
  • Added extension point on the registration form.
  • Added sanitization and attack checks on:
    • Registrations chart on the accounts manager.
    • Account registration and editing.
    • Devices manager.
    • Admin tools.
    • 2FA toolbox.
  • Added check against invalid characters in display name on registration and editing.
  • Added output sanitization for device labels in the admin browser.
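Three of the accounts items above (the per-IP registration threshold, the display-name character check and the output sanitization of device labels) are shown together in the following added example. It is illustrative PHP written for this page, not the Accounts module's own code; the threshold, the time window, the in-memory store and the character allowlist are assumptions, and a real install would keep the per-IP counters in the database.

```php
<?php
declare(strict_types=1);

// Added example, not BardCanvas code. Assumes PHP 7.4+; limits and the
// allowlist are illustrative, and the in-memory store stands in for the database.
final class RegistrationGuard
{
    public const MAX_PER_IP     = 3;    // hypothetical threshold
    public const WINDOW_SECONDS = 3600; // hypothetical window

    /** @var array<string, int[]> IP => registration timestamps */
    private array $registrations = [];

    /** Optional per-IP threshold: true while this IP is still allowed to create an account. */
    public function allowFromIp(string $ip, int $now): bool
    {
        $recent = array_filter(
            $this->registrations[$ip] ?? [],
            fn (int $t): bool => $now - $t < self::WINDOW_SECONDS
        );
        $this->registrations[$ip] = array_values($recent); // drop expired entries
        return count($recent) < self::MAX_PER_IP;
    }

    public function recordRegistration(string $ip, int $now): void
    {
        $this->registrations[$ip][] = $now;
    }

    /** Allowlist for display names: letters, digits, spaces and a few separators; markup and control characters are rejected outright. */
    public static function isValidDisplayName(string $name): bool
    {
        return preg_match('/^[\p{L}\p{N} ._\'-]{2,40}$/u', $name) === 1;
    }

    /** Output sanitization for attacker-controlled labels (device labels, names) rendered into admin HTML. */
    public static function escapeLabel(string $label): string
    {
        return htmlspecialchars($label, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Demo with constructed input (TEST-NET address, made-up names and labels).
$guard = new RegistrationGuard();
$now   = time();
$ip    = '203.0.113.7';
for ($i = 0; $i < RegistrationGuard::MAX_PER_IP; $i++) {
    if ($guard->allowFromIp($ip, $now)) {
        $guard->recordRegistration($ip, $now);
    }
}
var_dump($guard->allowFromIp($ip, $now));                 // one more attempt inside the window
var_dump($guard->allowFromIp($ip, $now + 2 * RegistrationGuard::WINDOW_SECONDS)); // after the window has passed
var_dump(RegistrationGuard::isValidDisplayName('Ana María'));
var_dump(RegistrationGuard::isValidDisplayName('<script>alert(1)</script>'));
echo RegistrationGuard::escapeLabel('Kitchen <img src=x onerror=alert(1)> iPad'), PHP_EOL;
```

The display-name check is an input allowlist, so it can be strict; device labels cannot be restricted the same way, which is why they are escaped at output time instead. Escaping at output (and not only at input) also covers labels that entered the database before the check existed.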

Updates client module updated to version 1.8.1:

  • Minor fixes.

Gallery module updated to version 1.13.11:

  • Added option to inject descriptions from images embedded from the gallery in post contents.
  • Refactored IP Geolocation functions.
  • Added input sanitization on contact form presets extender.

Enhanced security module updated to version 2.16.23:

  • Fixed wrong include in module info file.
  • Wrapped account login extenders inside a toolbox class.

Geonames updated to version 1.1.2:

  • Added log helper on the updater tool.
  • Added support for hosting tables in a shared database.
  • Added input sanitization checks.

Single sign-on module updated to version 0.1.7:

  • Added input sanitization on Facebook helper script.

Posts module updated to version 1.34.19:

  • Added input sanitization on getter of the repository.
  • Added checks against script injections.

Post ratings module updated to version 0.5.5:

  • Added input sanitization on vote registration and deletion.

Comments module updated to version 1.12.6:

  • Added input sanitization and attack checks.

Comment likes module updated to version 0.5.4:

  • Added input sanitization on vote registration.

Mobile comments module updated to version 0.0.3:

  • Added input sanitization on the remote editor provider.

Logs viewer updated to version 1.2.6:

  • Added warning suppression when building the logs index.

BardCommerce updated to version 1.2.18:

  • Added check to allow immediate usage of payment gateways that don't require metadata.
  • Added option on the abstract payment gateway interface to skip product deduction.
  • Fixed wrong check on product price on the product record class.
  • Fixed URL issue on the shop record class.
  • Added identifier on the invoice data form on the single order page.
  • Added missing definition on the `set_order_as.php` helper that threw a fatal error.
  • Added debug info for empty messages saved on an order.
  • Added extender for modifying log entries in the orders repository.
  • Minor markup additions.
  • Added enforcement of visible attributes when no variants are defined on the single product page.
  • Fixed empty message registered on an order when virtual products aren't sent.
  • Added meta getter to the product record.
  • Fixed issue in expiration date check when saving a product.
  • Added extension point at the top of the product composer.
  • Added extension point after preloading in the product saving script.
  • Added extension point on the shop products maintenance browser.
  • Added "publish" method to the products repository.
  • Some style tunings.
  • Added checks on the cart to prevent setting quantities beyond the available inventory.
  • Added post-description from meta in the product page.
  • Added logic to go straight to payment when only one order is confirmed on checkout.

Triklet core updated to version

  • Tuned content filtering functions on incoming messages.
  • Sanitized input on ticket submission.
  • Tuning on the conversation page.
  • Fixed error message issues on the open tickets counter helper.
  • Removed a conflicting check on the open tickets counter helper.

Several modules updated to next minor version:

  • Refactored IP Geolocation functions.

That's all for now

We never stop fixing issues and improving our work. We constantly push updates to our updates server and to the GitHub repos of all open-source parts of our system.

Again, sorry for not pushing notifications more often, but we focus on functionality first; the rest comes after.

Thanks for keeping up with us.
