Blog

Security Alert, DaDaBIK 5.1.1 is out, please upgrade

Dear DaDaBIK users,
we have found a security hole and DaDaBIK 5.1.1 has been published to fix it.

If two DaDaBIK applications were installed under the same domain (e.g. http://mysite.com/dadabik_one/ and http://mysite.com/dadabik_two/) and another page X set a PHPSESSID cookie valid in the whole domain (i.e. having path / ), a user who visited X and login into one of the DaDaBIK application could access the other DaDaBIK application without logging in. X could be for example a normal php page having a session_start() statement.

While this bug is related to a known bug, already documented:
"Malicious users could use PHP scripts for setting session variables to particular values in order to bypass the login procedure and get unauthorized access to DaDaBIK. These scripts must be hosted on the same domain where the DaDaBIK target installation is hosted." the fact that it may occur even without the presence of a malicious script made it even worst.

A new parameters ($secret_key) is now available and required in config.php; its value, which must be secret and different for each DaDaBIK application you create, fixes this known bug, including the case explained above.

The Wordpress plugin has also been upgraded and requires to set a $secret_key variable as well (see installation instructions for details).

DaDaBIK 5 PRO and ENTERPRISE users can request DaDaBIK 5.1.1 for free writing to payments at dadabik dot org; DaDaBIK 5 Basic users who have purchased DaDaBIK in the last two months are eligible to do the same.

All the other users, even if they are not anymore eligible for a free upgrade, can apply the security patch manually by following these instructions. Please note that the instructions cannot be used for DaDaBIK 5 PRO and ENTERPRISE.

Top