DaDaBIK®
DaDaBIK 7.3.3 is out, vulnerabilities fixed
Dear all,
DaDaBIK 7.3.3 is out.
This is a maintenance release that fixes an important vulnerability discovered in the last days.
First of all, the vulnerability we fixed with DaDaBIK 7.3 (back in May) was even worst as we described: in addition to what we said, we must say that an authenticated user (or a user of a DaDaBIK application having authentication disabled) could execute arbitrary SQL queries (even INSERT/DELETE/UPDATE) on the DaDaBIK database (or on other databases if the database user used by DaDaBIK had the needed permissions).
The vulnerability WAS actually fixed with DaDaBIK 7.3. Another similar vulnerability, however, was found in the last days; this one fixed by this 7.3.3; again, the vulnerability allowed an attacker to execute arbitrary queries on the DaDaBIK database or on other databases (if the database user used by DaDaBIK had the needed permissions). In this case, if authentication was enabled, not only the attacker needed to be authenticated to exploit the vulnerability, but also he/she needed to belong to the administrators group.
This will probably be the last 7.x version; as you can see, we have focused on security in the last weeks while the upcoming version 8 will have many BIG new features.
Version 8 will be probably published in Autumn, for sure before the end of 2016 so If you buy DaDaBIK 7.3.3 PRO or ENTERPRISE now, you'll get DaDaBIK 8 as a free upgrade.
As usual, if you are in your free upgrade timeframe (1 year for DaDaBIK Enterprise, 6 months for DaDaBIK PRO), you can request your free copy from the upgrade page.
If you have a DaDaBIK ENTERPRISE license and you are out of your free upgrade timeframe, you can also get DaDaBIK 7.3.3 by purchasing a maintenance license (€65), which also provides you with an additional year of free upgrade (email support@dadabik.org to get the instructions).
One more thing: during the last months we have experienced a problem with our mailing system, due to a technical incompatibility between Sendy (the tool we use to send newsletters) and the CURL version used by our hosting provider. The problem is now fixed but the result is that some users (fortunately just a small fraction) haven't received one or more newsletters. Since some of them were related to important security-related issues, please check the blog page to get informed about our past communications. I also suggest you to follow DaDaBIK on Facebook and on Twitter, we always post there important news.
Best,
Eugenio Tacchini
DaDaBIK founder