ProjectForge 5.3.0 released
A security review was done by a team at Micromata, Germany. Many thanks to Sergej Michel and Peter Baus (great job)!
- Security release: please update as soon as practicable! Several vulnerabilities were discovered (each of them requires a logged-in user):
- Security: Cross-Site Request Forgery (CSRF): an attacker could lure a logged-in user onto a manipulated HTML page that submits requests to ProjectForge in that user's name.
- Security: XSS via JSON strings in the autocompletion form: an attacker needs a logged-in user account in order to store manipulated autocompletion strings in the database.
- Security: salt and pepper for passwords: an attacker with access to a database dump, or otherwise to the SHA-256 hashed passwords of ProjectForge users, could recover weak passwords by brute force or with rainbow tables.
- Security: improved mechanism for defending against brute-force attacks on user/password combinations (attempts are now limited per username as well as per IP address); REST calls are now covered, too.
- Improved LDAP support (for ProjectForge as LDAP master).
- Some minor bug fixes and features are included as well.
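The salt-and-pepper item above is easiest to understand with the two schemes side by side. The following Python is an added illustration written for this page, not ProjectForge's own code: it shows why a bare SHA-256 hash taken from a database dump falls to a precomputed table in one lookup, and how a per-user random salt (stored with the hash), a server-side pepper (kept out of the database) and a slow KDF change that. The pepper value, the PBKDF2 iteration count, the record format and the tiny "rainbow table" are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for the example: a few common passwords and the
# attacker's precomputed table of their unsalted SHA-256 digests (a tiny
# stand-in for a rainbow table or a leaked-hash lookup service).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "summer2013"]
PRECOMPUTED_SHA256 = {
    hashlib.sha256(p.encode("utf-8")).hexdigest(): p for p in COMMON_PASSWORDS
}

# Assumption: in a real deployment the pepper is a random secret loaded from a
# config file or environment variable on the application server. It is never
# written to the database, so a database dump alone does not reveal it.
PEPPER = b"example-pepper-not-for-production"

PBKDF2_ITERATIONS = 50_000  # assumption; tune to your hardware budget


def legacy_sha256(password: str) -> str:
    """Bare SHA-256 without salt or pepper: identical passwords give identical
    digests, so one precomputed table cracks every user who chose them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_legacy(digest: str) -> Optional[str]:
    """What an attacker does with a dump of unsalted hashes: one table lookup."""
    return PRECOMPUTED_SHA256.get(digest)


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Pepper, then salt, then stretch.

    1. Pepper: HMAC the password with the server-side secret, so a record can
       only be verified (or guessed at) by someone who also has the pepper.
    2. Salt: 16 random bytes per user stored next to the hash, so equal
       passwords yield different records and precomputed tables are useless.
    3. Stretching: PBKDF2-HMAC-SHA256 makes every guess cost many iterations.
    """
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    candidate = hashlib.pbkdf2_hmac(
        "sha256", peppered, bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_with_table(stored: str) -> Optional[str]:
    """The same table lookup against a salted+peppered record never matches:
    the stored digest depends on the salt and the pepper, not just the password."""
    digest_hex = stored.split("$")[-1]
    return PRECOMPUTED_SHA256.get(digest_hex)


def offline_guess(stored: str, pepper_guess: bytes, candidates=COMMON_PASSWORDS) -> Optional[str]:
    """Offline dictionary attack on a dumped record. It only succeeds if the
    attacker also holds the real pepper, and then costs PBKDF2_ITERATIONS per
    guess instead of a single lookup."""
    for candidate in candidates:
        if verify_password(candidate, stored, pepper_guess):
            return candidate
    return None


if __name__ == "__main__":
    leaked = legacy_sha256("123456")
    print("unsalted hash cracked      ->", crack_legacy(leaked))
    record = hash_password("123456", PEPPER)
    print("salted record              ->", record)
    print("table lookup on record     ->", crack_with_table(record))
    print("guessing without pepper    ->", offline_guess(record, b"wrong-pepper"))
    print("guessing with real pepper  ->", offline_guess(record, PEPPER))
```

Note that the pepper protects against the database-dump scenario in the release note, and the salt and stretching protect weak passwords even from an attacker who also obtains the pepper; both are needed, which is why the change is described as "salt and pepper" rather than one or the other.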
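The brute-force item mentions two details worth spelling out: failed attempts are limited per username and per source IP, and REST calls go through the same limit as the login form. The Python below is an added example written for this page, not ProjectForge's implementation: a sliding-window throttle keyed on both username and IP, used by a single `authenticate` function that stands in for both the form login and a REST endpoint. The limits, window, user store and IP addresses are assumptions constructed for the example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class LoginThrottle:
    """Counts failed logins per username and per source IP inside a sliding
    window and blocks further attempts once either counter reaches its limit.

    Keying on both matters: a single IP cannot spray many accounts (the
    per-IP limit), and a distributed attacker cannot hammer one account
    from many IPs (the per-user limit).
    """

    def __init__(self, max_per_user: int = 5, max_per_ip: int = 20,
                 window_seconds: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_per_user = max_per_user
        self.max_per_ip = max_per_ip
        self.window = window_seconds
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self._user_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._ip_failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent(self, queue: Deque[float]) -> int:
        """Drop timestamps older than the window and return what remains."""
        cutoff = self.clock() - self.window
        while queue and queue[0] <= cutoff:
            queue.popleft()
        return len(queue)

    def is_blocked(self, username: str, ip: str) -> bool:
        return (self._recent(self._user_failures[username.lower()]) >= self.max_per_user
                or self._recent(self._ip_failures[ip]) >= self.max_per_ip)

    def record_failure(self, username: str, ip: str) -> None:
        now = self.clock()
        self._user_failures[username.lower()].append(now)
        self._ip_failures[ip].append(now)

    def record_success(self, username: str) -> None:
        # A successful login clears the per-user counter only; the per-IP
        # counter keeps counting so a source that sprays accounts stays slowed.
        self._user_failures.pop(username.lower(), None)


# Constructed user store for the example. Real code compares password hashes,
# not plaintext; the point here is the throttle, not the credential check.
USERS = {"alice": "correct horse", "bob": "hunter2"}


def authenticate(throttle: LoginThrottle, username: str, password: str, ip: str) -> str:
    """Single entry point shared by the login form and by REST/API requests.

    Returns 'throttled', 'denied' or 'ok'. The throttle is consulted before
    the password is checked, and a throttled request gets the same answer
    whether or not the password is right, so an attacker learns nothing from
    a throttled response. Unknown usernames are counted like wrong passwords.
    """
    if throttle.is_blocked(username, ip):
        return "throttled"
    if USERS.get(username) != password:
        throttle.record_failure(username, ip)
        return "denied"
    throttle.record_success(username)
    return "ok"


if __name__ == "__main__":
    throttle = LoginThrottle(max_per_user=3, max_per_ip=5, window_seconds=60)
    for _ in range(3):
        print("form login  ->", authenticate(throttle, "alice", "wrong", "192.0.2.10"))
    # The REST call below uses the same throttle, so it is blocked as well,
    # even though the password is correct.
    print("REST call   ->", authenticate(throttle, "alice", "correct horse", "192.0.2.10"))
```

The one behaviour to verify in a deployment is that every authentication path (form, REST, any other API) calls into the same throttle; a limiter that only guards the login form leaves the REST path as the easy way round it, which is exactly the gap this release closes.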
by Kai Reinhard