Thursday, 2009-02-05

» Agavi 1.0.0 Beta 8 Includes a Critical Security Fix

A new Agavi 1.0.0 Beta 8 was released late yesterday (European time). As usual, the new version contains several improvements and bug fixes, but it also fixes a critical cross-site scripting vulnerability described in http://trac.agavi.org/ticket/1019. As far as we know, the vulnerability only affects Internet Explorer 6 and 7, which fail to encode URLs according to the standards.

Affected versions:

  • Agavi 0.11 up to and including 0.11.6-RC2
  • Agavi 1.0 up to and including 1.0.0-beta7

Solutions

  • Upgrade to 0.11.6 or 1.0.0 Beta 8
  • Patch your Agavi with a hot fix attached to the ticket
  • Use one of the workarounds described in the ticket.
Tuesday, 2008-11-25

» Agavi 1.0.0 Beta 6

Agavi 1.0.0 Beta 6 - Even More Secure

Default: Strict Validation ALWAYS

Agavi has a very special input validation system which, by default, will not let your application use any unvalidated input data. This does not mean only POST or GET parameters in the HTTP world, but also cookies and headers. Remember, those too are user input and must be considered insecure.

This strict validation mode has been the default setting for production environments for quite some time already, but after Agavi was blamed for somebody's poor input validation it was made the default for development environments too. This had already been discussed earlier, because different defaults for different environments were sometimes confusing and caused applications to break when moved to production.

Production-ready Exception Templates

Because people seem to be too lazy to configure exception templates for production use, a new set of default templates was added to Agavi 1.0.0 Beta 6.

Download Agavi: http://www.agavi.org/download
