Dear DaDaBIK users,
we have found a security hole and DaDaBIK 5.1.1 has been published to fix it.
If two DaDaBIK applications were installed under the same domain (e.g. http://mysite.com/dadabik_one/ and http://mysite.com/dadabik_two/) and another page X set a PHPSESSID cookie valid for the whole domain (i.e. having path /), a user who visited X and then logged into one of the DaDaBIK applications could access the other DaDaBIK application without logging in. X could be, for example, a normal PHP page containing a session_start() statement.
While this bug is related to a known bug, already documented:
"Malicious users could use PHP scripts for setting session variables to particular values in order to bypass the login procedure and get unauthorized access to DaDaBIK. These scripts must be hosted on the same domain where the DaDaBIK target installation is hosted." the fact that it may occur even without the presence of a malicious script makes it even worse.
A new parameter ($secret_key) is now available and required in config.php; its value, which must be secret and different for each DaDaBIK application you create, fixes this known bug, including the case explained above.
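The mechanism described above, as an added example that is not DaDaBIK's own code: two applications under one domain that share a domain-wide PHPSESSID cookie also share their session data, so a login flag set by one is visible to the other (the same mechanism behind the / and /admin instance case in the 4.6 documentation notice further down). The example contrasts a plain session-flag check with one that binds the login to a per-application secret. Only the name $secret_key comes from the announcement; the session keys, function names and the isolate_session() helper are assumptions made for this example, and the credential check is a stand-in for the application's real one.

```php
<?php
// Added example, not DaDaBIK's own code. Shows why a shared PHPSESSID cookie
// leaks login state between applications and one way a per-application
// secret stops it. All names except $secret_key are assumptions.

// Each installation's config.php holds its own value. It must be long,
// random and DIFFERENT for every application (placeholder shown here).
$secret_key = 'REPLACE-WITH-A-LONG-RANDOM-PER-APPLICATION-VALUE';

// Weak check: satisfied by ANY session on the domain in which some page set
// $_SESSION['logged_in'] = true. With a domain-wide PHPSESSID cookie (path /),
// /dadabik_one/, /dadabik_two/ and any plain page calling session_start()
// all read and write the same session data, so the flag carries across.
function is_logged_in_weak(): bool
{
    return !empty($_SESSION['logged_in']);
}

// Hardened login: store an HMAC of the user name keyed with THIS
// application's secret. A session populated by another application, or by
// an unrelated session_start() page, cannot carry a token that verifies
// under this key, because the other application uses a different secret.
function login_hardened(string $username, string $secret_key): void
{
    session_regenerate_id(true);   // fresh id on privilege change (anti-fixation)
    $_SESSION['user'] = $username;
    $_SESSION['auth_token'] = hash_hmac('sha256', $username, $secret_key);
}

function is_logged_in_hardened(string $secret_key): bool
{
    if (empty($_SESSION['user']) || empty($_SESSION['auth_token'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $_SESSION['user'], $secret_key);
    return hash_equals($expected, $_SESSION['auth_token']);   // constant-time compare
}

// Complementary hardening (an assumption, not part of the announcement):
// give each application its own session cookie name and restrict the cookie
// to the application's path, so the sessions are never shared at all.
// Must be called before session_start().
function isolate_session(string $app_name, string $app_path): void
{
    session_name('SESS' . strtoupper(preg_replace('/[^A-Za-z0-9]/', '', $app_name)));
    session_set_cookie_params([
        'path'     => $app_path,   // e.g. '/dadabik_one/', not '/'
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Usage for the /dadabik_one/ installation:
isolate_session('dadabik_one', '/dadabik_one/');
session_start();

// Stand-in for the real credential check against the users table.
if (($_POST['user'] ?? '') === 'alice' && ($_POST['pass'] ?? '') === 'example-only') {
    login_hardened('alice', $secret_key);
}

if (!is_logged_in_hardened($secret_key)) {
    http_response_code(401);
    exit('login required');
}
```

With the hardened check, a visitor whose session was created by a page X with path / and who then logs into dadabik_one still carries no auth_token valid for dadabik_two, because dadabik_two verifies with its own $secret_key. Scoping the cookie path and name per application removes the shared session entirely and is worth doing alongside the secret, but it is not a substitute for it: anything that can still write into the session (the documented malicious-script case) is only defeated by the keyed token.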
The Wordpress plugin has also been upgraded and requires setting a $secret_key variable as well (see the installation instructions for details).
DaDaBIK 5 PRO and ENTERPRISE users can request DaDaBIK 5.1.1 for free by writing to payments at dadabik dot org; DaDaBIK 5 Basic users who have purchased DaDaBIK in the last two months are eligible to do the same.
All the other users, even if they are no longer eligible for a free upgrade, can apply the security patch manually by following these instructions. Please note that the instructions cannot be used for DaDaBIK 5 PRO and ENTERPRISE.
Dear DaDaBIK users,
we are glad to announce that DaDaBIK 5.1 is out with two big improvements:
1) Wordpress integration (PRO and ENTERPRISE versions): a DaDaBIK application can now be integrated into a Wordpress site through a dedicated wrapper plug-in. Users authenticated through Wordpress are also automatically authenticated in DaDaBIK, without logging in again.
This allows for an unbelievable number of new scenarios in which DaDaBIK can be used. We also have a new demo showing Wordpress integration; see the demo page.
2) LDAP authentication (ENTERPRISE version)
This is a long-awaited feature, especially in enterprise environments where the same user accounts list needs to be shared across several applications. Both OpenLDAP and Microsoft Active Directory are supported.
DaDaBIK 5.1 also comes with a long list of bug fixes; for the complete list of new features, changes and fixes, see the change log.
Last note: the survey about the next DaDaBIK features is still open and will remain open until mid February. If the voting trend is confirmed, the next DaDaBIK feature will probably be multi-select listboxes and checkboxes.
Thanks to everybody who took the time to vote and to send us feedback and possible enhancements for DaDaBIK.
About two weeks ago we released DaDaBIK 5; we are very happy to say that so far it has been a great success, even beyond expectations. Thanks a lot for your support and for all the positive messages I have received in my personal mailbox!
While developing DaDaBIK 5, we took into serious consideration user requests, suggestions and needs.
We want to continue on this path for the next releases, so we are asking which feature you consider the most important for the future of DaDaBIK. Please take a few seconds to vote in the poll.
If your favourite feature is not in the list you can also add it.
I am really glad and relieved to announce that DaDaBIK 5 is finally here!
DaDaBIK 5 comes with a new GUI and tons of new features, including:
- A completely new granular permissions manager
- PHP hooks to extend DaDaBIK capabilities
- HTML templates for data grids.
I am sure it will bring its users to a new level in terms of Web Database Application Rapid Development; please take the time to check out the BRAND NEW DEMO.
You can find all the (20+) new features, changes, security and other fixes by reviewing the change log. As you can see, the website has also been completely redesigned.
There are now three versions of DaDaBIK: BASIC, PRO and ENTERPRISE; you can review the features of each here.
All the customers who bought DaDaBIK in the last two months can upgrade to DaDaBIK 5 PRO for free and to DaDaBIK enterprise paying €50.
All Supporters and Patrons (customers who bought DaDaBIK paying €50/€100, at any time) can upgrade to DaDaBIK 5 ENTERPRISE for free.
Write to payments at dadabik dot org if you want to use your upgrade option.
Version 4.6 stable is now available. It provides several bug fixes; you can find the complete list in the change log.
The security alert is about the documentation:
"The documentation section about multiple instances of DaDaBIK has been (at least for the moment) removed. That section was not up-to-date and referred to a version of DaDaBIK which still didn't have the authentication feature: the result is that if users followed those instructions having authentication ON, a user authenticated on the first (not admin) instance could also access the /admin instance without authentication. This is not a proper bug but could lead to a false sense of security."
DaDaBIK 5 will be available in about two weeks; with about twenty new features, it will bring users to a new level in terms of Web Database Application Rapid Development.