False Agavi Vulnerability Reports

There are false reports circulating on MITRE CVE and other security sites about a vulnerability in Agavi that leads to an exploit allowing remote attackers to read arbitrary files on the server’s filesystem.

The vulnerability found by the reporters does, of course, not exist in Agavi itself; it is a problem in the application code of the website where it was found (and has been validated as such).

We have found several vulnerable sites ourselves based on Agavi 0.10 that have apparently all been created by the same agency in France.

Regardless of the version number, Agavi never gives special treatment to specific input parameters, nor does it use them to read files from the file system or perform other potentially unsafe operations.

Agavi’s unique and consistent input validation concept makes sure that developers only have access to data they validated, and in addition to shipping build templates that enable the secure “strict” validation mode by default, Agavi 1.0 natively assumes this most secure setting in code if no mode is given through configuration.
This additional measure further extends Agavi’s lead as the most secure PHP application framework and complements Agavi’s praised approach of taking rigorous measures to prevent developers from accidentally utilizing unvalidated user input, not only from request parameters but also from uploaded files, HTTP headers and even cookies, drastically reducing the possibility of CSRF and XSS attacks.
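The validation concept described above can be illustrated with a small, self-contained PHP example. This is an added illustration, not Agavi’s own code or API: the class `ValidatedRequestData`, the methods `validate()` and `getParameter()`, the validator `isSafePageName()` and the action helper `resolvePagePath()` are hypothetical stand-ins for the concept (application code only ever sees parameters that passed a validator, with “strict” mode as the default), and the request input is a constructed sample. It assumes PHP 7.4 or later.

```php
<?php
// Added illustration of the principle described above: application code only ever
// sees parameters that passed a validator, and "strict" mode is the default.
// This is NOT Agavi's own API; the class, method and validator names are
// hypothetical stand-ins chosen for this example (assumes PHP 7.4 or later).

final class ValidatedRequestData
{
    /** @var array<string,mixed> raw request input; never handed to application code */
    private array $raw;

    /** @var array<string,mixed> only values that passed a validator end up here */
    private array $validated = [];

    /** strict: unvalidated parameters are invisible to the application */
    private bool $strict;

    public function __construct(array $raw, bool $strict = true)
    {
        $this->raw = $raw;
        $this->strict = $strict;
    }

    /**
     * Run a validator over one raw parameter. Only a value the validator accepts
     * is copied into the validated set; anything else stays out of reach.
     */
    public function validate(string $name, callable $validator): bool
    {
        if (!array_key_exists($name, $this->raw)) {
            return false;
        }
        $value = $this->raw[$name];
        if ($validator($value) === true) {
            $this->validated[$name] = $value;
            return true;
        }
        return false;
    }

    /** The only accessor application code is meant to use (instead of $_GET/$_POST). */
    public function getParameter(string $name, $default = null)
    {
        if (array_key_exists($name, $this->validated)) {
            return $this->validated[$name];
        }
        if ($this->strict) {
            // Strict mode: a parameter that was never validated simply does not exist.
            return $default;
        }
        // Lenient mode falls through to raw input; this is the unsafe behaviour the
        // strict default is meant to rule out.
        return $this->raw[$name] ?? $default;
    }
}

/** Validator for a template name: short, lowercase, no separators or dots. */
function isSafePageName($value): bool
{
    return is_string($value) && preg_match('/^[a-z0-9_]{1,32}$/', $value) === 1;
}

/** The kind of action code the vulnerable sites got wrong: turning input into a path. */
function resolvePagePath(ValidatedRequestData $request, string $baseDir): string
{
    $page = $request->getParameter('page', 'home');
    return $baseDir . '/' . $page . '.html';
}

// Constructed sample input: a traversal attempt in the "page" parameter.
$rawInput = ['page' => '../../secret.txt'];

// Strict (default) mode: the validator rejects the value, so the action only
// ever sees the default page.
$strict = new ValidatedRequestData($rawInput, true);
$strict->validate('page', 'isSafePageName');
echo "strict:  " . resolvePagePath($strict, '/var/www/app/pages') . PHP_EOL;

// Lenient mode with the same (rejected) validation shows why the default matters:
// the raw, unvalidated string reaches the file path.
$lenient = new ValidatedRequestData($rawInput, false);
$lenient->validate('page', 'isSafePageName');
echo "lenient: " . resolvePagePath($lenient, '/var/www/app/pages') . PHP_EOL;
```

The design point is that the raw input array is private and the only accessor consults the validated set first; in strict mode a parameter that no validator accepted is indistinguishable from one that was never sent, so an action cannot accidentally build a file path from it.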

We have notified MITRE/DHS, NVD/NIST, SecurityFocus/Symantec, milw0rm.org and Sebug.net about the error, as well as the original author, “t0fx”.

So far, SecurityFocus have corrected the information on their site and changed the status to “RETIRED”, along with a remark on a sub-page about the mistake.

Also, we have been in contact with “t0fx” in the meantime, who reacted quickly and sent us the following apology:

“Yes, you are right. After some investigations, we saw that the bug was due to badly filtered values on the websites we tested the vectors on.

But the vulnerability comes to agavi cms bad installation..

I REALLY apologize for the fact that we didn’t contact you before posting the exploit on milw0rm.com, but a friend of mine, working with me on finding exploits on websites, told me that he contacted you 2 days before… I asked him again this evening and he told me that he forgot to do it…. We usually never post vulnerabilities unless the coder is contacted, so I’M VERY SORRY FOR THAT.

We did not want to attempt at your reputation, you can trust me…”

He assured me that he would contact the various sites where the vulnerability was posted, and notify them that the provided information is incorrect and that the vulnerability does not exist.

Here is a list of the entries for this non-existent vulnerability in various security databases:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4920 (update 2008-11-06 15:43 UTC: update in progress)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4920 (update 2008-11-06 15:43 UTC: update in progress)
http://www.securityfocus.com/bid/32086 (corrected already)
http://www.sebug.net/exploit/5066/ (update 2008-11-06 08:15 UTC: removed)
http://www.milw0rm.com/exploits/6970 (update 2008-11-06: corrected)

If you know of any other security databases or additional resources or people who might need this information, please forward this message accordingly.

Update 2008-11-07 17:07 UTC: http://www.attrition.org/pipermail/vim/2008-November/002090.html

Agavi 0.11.5 released!

Agavi 0.11.5 is out. It fixes a critical issue in 0.11.4 that broke the definition of nested validators in XML configuration files, and some other minor problems. The timezone database has been updated to 2008h.

A new 1.0 beta is also coming very soon; look out for a separate set of announcements on that topic.

Agavi 1.0.0 beta 5 released!

We rolled a 1.0.0 beta 5 today after discovering that configuration of nested validators has been broken since 0.11.4 RC1 (nobody tested that, apparently, and it was of course merged into 1.0 as well).

We also fixed AgaviDatabase::getName(), and the build system now creates an app/log folder in new projects (again, same as in 0.11.5 RC1).

We also squeezed some improvements into this new beta:

Code coverage collection now works in project unit tests
Command line arguments can be given to project unit tests
Build system’s custom code templates allow fallbacks (e.g. to Agavi’s built-in ones)

Agavi 0.11.5 RC 1 released!

We rolled 0.11.5 RC 1 today after discovering that configuration of nested validators has been broken since 0.11.4 RC 1 (nobody tested that, apparently…).

We also fixed AgaviDatabase::getName(), and the build system now creates an app/log folder in new projects.

If no problems show up unexpectedly, we’ll roll a final release in the next days.

Agavi 1.0.0 beta 4 released!

We’re excited to announce that we’ve just released Agavi 1.0.0 beta 4.

This release is another important milestone on our way to the first release candidate.

Since a good amount of the work was done under the hood only, the list of improvements over beta 3 that are worth mentioning is not too long:

New validation result info API (via AgaviValidationManager::getReport()) that has more robust support for arguments from different sources (parameters, headers, cookies etc) and is more consistent in general
Several smaller improvements to the build system (Phing 2.3.1 or higher is now required)
Ported validation config handler to new 1.0 namespaces structure (check out RELEASE_NOTES for more info)

Of course, beta 4 also sports a small number of bug fixes in various areas for problems introduced in recent betas.

We’ve also fixed a couple of issues in the new XML configuration subsystem and made it more consistent. It’s now pretty much ready for prime time, so the remaining config handlers will all be ported over the next days.

And last but not least, our brand new testing subsystem has made great progress; in addition to just Actions and Models, you can now also test Views and complete application runs (“flow tests”). Up next: a new testing infrastructure for Agavi itself to replace the current unit tests.

We’d like to ask everyone to test this new beta with existing projects, as we’re now edging closer to finishing all open tasks, and any real-world feedback would be very much appreciated.

Agavi at International PHP Conference 2008

I’d like to announce my talk “Scaling your development with the Agavi framework” at International PHP Conference 2008 in Mainz, Germany.
It’s currently scheduled for 17:15 on Tuesday, October 28.

On the same evening at around 19:30, there will be a roundtable discussion event where PHP users can talk about various kinds of topics. We have been asked to participate at the frameworks table, so please join us there, too, and bring your opinions and experiences with you!

If you are coming to the conference and would like us to bring you a free Agavi T-Shirt, shoot me an E-Mail off-list with your size (they are not overly long and tailored slim-fit, so bear that in mind, but for the average guy, M or L will look best). You are, of course, expected to wear them on Tuesday to advertise my talk ;)

We’re also bringing small Agavi business cards with some info on them that you can hand out to people who are interested in the framework.

We from Bitextender are coming with four folks from the Agavi dev team, and plenty of other users from the community have told me they are coming, too, so it should be a nice event where we can meet and greet, and, of course, recruit new users among the conference attendees.

More awesomeness, still secret, is coming over the next weeks, so stay tuned.

Agavi 0.11.4 released!

Agavi 0.11.4 is out!

This is a maintenance release that fixes a couple of minor issues, such as problems in the sample app introduced in 0.11.3 and a missing class in autoload.xml.

Also, it is now possible to specify template implementation mappings in AgaviDoctrineDatabase.

As always, the CHANGELOG has all the details.

Agavi 0.11.4 RC 1 released!

Agavi 0.11.4 RC 1 is now available.

This is a maintenance release that fixes a couple of minor issues, such as problems in the sample app introduced in 0.11.3 and a missing class in autoload.xml.

Also, it is now possible to specify template implementation mappings in AgaviDoctrineDatabase.

As always, the CHANGELOG has all the details.

In other news, a 1.0 beta 4 is coming soon, as well!

Agavi 1.0.0 beta 3 released!

We’re happy to announce the release of Agavi 1.0 beta 3, available now.

There’s exciting new things in this milestone; I’ll outline the most important ones below:

Brand new module.xml — allows you to specify arbitrary settings now, like in a settings.xml

Customizable file system structure for modules (configurable on a per-module basis) — this allows you to have all actions, templates, views and configs that belong together in a directory structure, greatly reducing clutter with many sub-actions. Please check out http://trac.agavi.org/ticket/668 for more details and examples (read through the comments!)
Cache group callbacks — allow you to programmatically determine the value of a cache group key or even prevent caching altogether. This finally makes it possible to have different caches for the owner of an item and everyone else, or to only enable caching for logged-in users, etc.
Testing system preview — you can already create unit tests for Models and Actions; more support will be added over time. Check out the sample app; it features a good number of tests, showing off some neat convenience features that make testing a snap. Please play around with it and share your feedback; it’s quite important for us to hear your thoughts and tailor it to your needs.

We’ve also fixed a number of problems in the new XML config subsystem, which, along the way, restores full SOAP functionality. And of course, all fixes and improvements made in 0.11 over the last three weeks are in 1.0, as well.

RELEASE_NOTES, of course, has the thorough info, and the CHANGELOG will tell you all changes in minute detail.

The next milestone is going to be 1.0.0 beta 4, scheduled to be released in three to four weeks. Provided that things go as planned, we will enter the release candidate cycle shortly after that.

Agavi 0.11.3 released!

Agavi 0.11.3 is out. I’m quoting from RELEASE_NOTES:

This maintenance release fixes a couple of minor problems such as PEAR package generation, gettext plural form expression handling, etc., and introduces some new features:

Accessing array values in attribute holders via foo[bar] is now possible, as it is already with parameter holders
Database handlers now can send arbitrary SQL statements after connecting; useful for SET NAMES utf8 in MySQL etc.
AgaviDoctrineDatabase improvements
AgaviMysqliDatabase adapter added
New timezone database version
Sample app cleanup
FPF has the option to ignore errors during document parsing and skip population (good for production environments)
Assigning of “inner” content to $slots template array can be disabled

The sample app’s SearchEngineSpamAction and the associated elements (PriceFinderModel etc) have been updated to work as the routing pattern always suggested — identify the product by ID, and allow an optional part including the name of the product. This also shows off some more Agavi features now.

A full list of changes can be found in the CHANGELOG file.