Hi everyone.

DL 0.11 is about to be released, and includes a plethora of security fixes and 
enhancements.
From the current NEWS file:

----
* Fix CSRF vulnerability of the admin interface (discovered by Dirk Reimers).
* Mitigations against session fixation attacks (discovered by Dirk Reimers).
* Improved client-side validation of the forms (with HTML5/JS where available).
* Password hashing for the user/ticket/grant DB switched to PHPass.
* Progress bar updating improvements.
* Minor bug/cosmetic fixes.

Please note: DL 0.11 requires a database schema update! Please read the
database upgrade procedure in the README!

Upgrading to DL 0.11 has implications for existing users. The new hashing scheme
limits usernames to 60 characters and passwords to 72 to prevent DoS attacks.
Users having usernames/passwords exceeding these limits won't be able to login
after the upgrade, and can only be managed manually through the command line.

The password hash of existing users is automatically rehashed using the new
scheme upon a successful login (no password change is required).

The optional password of tickets and grants is similarly affected and upgraded
transparently upon successful usage. Tickets/grants having passwords longer
than 72 characters though will require a manual password reset.
----

All versions of DL prior to 0.11 are affected. Since SF/CSRF require a targeted 
attack, I would rather have these fixes peer-reviewed/tested before fixing them 
twice.

All versions prior to DL 0.11 also use a non-salted MD5 hash for stored 
passwords. This was always known to be weak, and nowadays doesn't offer a lot 
of protection against brute force attacks if passwords are medium-short. Since 
tickets can be stored indefinitely, DL offers a smooth upgrade path where the 
passwords are re-hashed using the new method without requiring a password reset 
in an attempt to migrate as many old hashes as possible quickly.

I tested the current build on a few small systems, but as usual more testing 
would be greatly appreciated before an actual release:

https://github.com/wavexx/dl/archive/2b95d05c7ec6d24cf6c407206029019850c6698b.zip

Bests.
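Added example (not DL's own code, which is PHP): the transparent upgrade path described in the announcement, written out in Python. It assumes legacy records hold an unsalted MD5 digest stored as 32 hex characters (the storage format is an assumption; the mail only says "non-salted MD5"), reimplements the PHPass portable "$P$" scheme as the new hash, and enforces the 60/72 limits before any hashing so oversized input is rejected cheaply instead of being fed to the hash. The user table is constructed for the example.

```python
import hashlib
import hmac
import os

# Limits announced for DL 0.11 (the 72-byte password cap matches bcrypt's input limit).
MAX_USERNAME = 60
MAX_PASSWORD = 72

# PHPass alphabet for its custom base64 (not the RFC 4648 alphabet, no padding).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes) -> str:
    """PHPass encode64(): 3 input bytes -> 4 chars, little-endian 6-bit groups."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str = None, count_log2: int = 13) -> str:
    """Portable PHPass hash: '$P$' + count char + 8-char salt + 22-char digest.

    count_log2=13 means 2**13 salted MD5 rounds, the PHPass default for portable hashes.
    """
    if not 7 <= count_log2 <= 30:
        raise ValueError("count_log2 must be in 7..30")
    if salt is None:
        salt = _encode64(os.urandom(6))      # 6 random bytes -> 8 alphabet chars
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a '$P$'/'$H$' PHPass hash."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    candidate = stored[:3] + phpass_hash(password, stored[4:12], count_log2)[3:]
    return hmac.compare_digest(candidate, stored)


def legacy_md5(password: str) -> str:
    """Pre-0.11 style hash: unsalted MD5, assumed here to be stored as 32 hex chars."""
    return hashlib.md5(password.encode()).hexdigest()


def is_legacy(stored: str) -> bool:
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, rehash a legacy record with the new scheme in place.

    Oversized input is rejected before any hashing, so a client cannot make the
    server grind through hash rounds on huge inputs. A failed attempt never
    touches the stored record.
    """
    if len(username) > MAX_USERNAME or len(password.encode()) > MAX_PASSWORD:
        return False
    record = users.get(username)
    if record is None:
        return False
    stored = record["hash"]
    if is_legacy(stored):
        if not hmac.compare_digest(legacy_md5(password), stored):
            return False
        record["hash"] = phpass_hash(password)   # plaintext is in hand: upgrade now
        return True
    return phpass_verify(password, stored)


def make_sample_users() -> dict:
    """Constructed sample table: one pre-0.11 record, one already on the new scheme."""
    return {
        "alice": {"hash": legacy_md5("correct horse")},
        "bob": {"hash": phpass_hash("battery staple")},
    }


if __name__ == "__main__":
    users = make_sample_users()
    print("alice legacy before login:", is_legacy(users["alice"]["hash"]))
    print("alice login:", login(users, "alice", "correct horse"))
    print("alice hash now:", users["alice"]["hash"][:12] + "...")
    print("bob login:", login(users, "bob", "battery staple"))
    print("73-byte password rejected:", not login(users, "bob", "x" * 73))
```

The upgrade only happens on a successful login because that is the one moment the server sees the plaintext; a record whose owner never logs in again keeps its MD5 hash, which is why the mail stresses migrating as many hashes as possible quickly.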
