A week ago we released v1.6.1052, which included a number of security fixes. The issues were reported to us by a security researcher on Saturday 7th June, 2014 (NZT). Within 24 hours we had reviewed the reports and implemented fixes. The following 24 hours were spent testing the updates, followed by a public release on Monday 9th June, 2014 (NZT). We then gave everyone a couple of days to update before detailing the security-related changes here.
The issues affected the Bugify web app – not bugify.com or any other apps/services.
- Brute-force attacks on login
There were no measures in place to rate-limit or block brute-force attacks. As a temporary change, a failed authentication attempt now pauses for 2 seconds before the response is sent. This slows down a brute-force attack but does not stop it: a per-request delay is easy to absorb by sending guesses in parallel, and no single measure rules out password guessing entirely. There is more we can – and will – do to mitigate it; the usual next steps are counting failed attempts per account and per source address over a time window and temporarily refusing further attempts once a threshold is reached, so that the cost lands on the attacker rather than on every request.
More info: https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
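As an added illustration (not Bugify's code, and in Python rather than the app's own stack), here is the kind of per-key throttle described above: failed attempts are counted in a sliding window and, once a threshold is reached, further attempts for that key are refused for a lockout period, so parallel guessing does not help the attacker. The thresholds, the `FakeClock`, and the `simulate_guessing` driver are assumptions chosen for the demo; in practice the key would be the username and, separately, the client IP.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Controllable clock (demo assumption) so the example runs instantly."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Sliding-window failure counter with a temporary lockout per key.

    The key is whatever you limit on: a username, a client IP, or both
    (call it twice).  Unlike a fixed sleep, the lockout is a property of
    the key, so it applies however many requests are sent in parallel.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    def check(self, key):
        """Call before verifying a password; returns (allowed, retry_after_seconds)."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False, until - now
            # Lockout has expired: start again with a clean slate.
            del self._locked_until[key]
            self._failures.pop(key, None)
        return True, 0.0

    def record_failure(self, key):
        now = self.clock()
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def simulate_guessing(throttle, key, guesses, clock, seconds_between=0.1):
    """Feed `guesses` wrong passwords for `key`; return how many reached the password check."""
    reached_check = 0
    for _ in range(guesses):
        allowed, _retry = throttle.check(key)
        if allowed:
            reached_check += 1
            throttle.record_failure(key)  # every guess in this simulation is wrong
        clock.advance(seconds_between)
    return reached_check


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, window_seconds=300,
                             lockout_seconds=900, clock=clock)
    # 1,000 guesses at ten per second: a 2 s pause per failure would let a
    # parallel attacker submit all of them; with a lockout only 5 are checked.
    print("guesses that reached the password check:",
          simulate_guessing(throttle, "alice", 1000, clock))
```

The throttle only decides whether the password check runs; the real credential verification (and its constant-time comparison) sits behind it. Counting per account stops a single-account attack; counting per IP as well limits an attacker spraying one password across many accounts.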
- XSS (Cross site scripting)
There was one area that allowed XSS via label (tag) names. Data is automatically escaped when it is passed to the view, but in this case the label name was being output by a view helper, which built its markup outside the auto-escaping path, so the name reached the page unescaped. This has now been fixed. The general lesson is that any helper or partial that constructs HTML itself must escape the untrusted values it embeds; auto-escaping only protects values that actually flow through the template layer.
More info: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
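The escaping gap above, reproduced in an added Python example that is not Bugify's code: a tiny renderer auto-escapes every `{{ var }}`, but a helper that assembles its own markup and marks it as safe sidesteps that escaping, and the fix is to escape the untrusted label name inside the helper before wrapping it in markup. `SafeMarkup`, `render`, and the label-badge helpers are hypothetical names for the demo.

```python
import html
import re


class SafeMarkup(str):
    """Marks a string as already-escaped HTML; the renderer emits it verbatim."""


def escape(value):
    """Escape anything that is not explicitly marked safe."""
    if isinstance(value, SafeMarkup):
        return str(value)
    return html.escape(str(value), quote=True)


_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context):
    """Minimal {{ name }} renderer: every substituted value is auto-escaped."""
    return _VAR.sub(lambda m: escape(context[m.group(1)]), template)


def label_badge_vulnerable(label_name):
    # The helper builds markup itself and marks the whole result safe, so the
    # untrusted label name never passes through escape(): stored XSS.
    return SafeMarkup('<span class="label">%s</span>' % label_name)


def label_badge_fixed(label_name):
    # Escape the untrusted part *before* wrapping it in trusted markup.
    return SafeMarkup('<span class="label">%s</span>' % escape(label_name))


ISSUE_TEMPLATE = "<h1>{{ title }}</h1>\n<div>Labels: {{ badge }}</div>"


def render_issue(badge_helper, title, label_name):
    """Render an issue page, producing the label badge with the given helper."""
    return render(ISSUE_TEMPLATE, {"title": title, "badge": badge_helper(label_name)})


if __name__ == "__main__":
    # Constructed malicious label name; a real one would be saved by any user
    # allowed to create labels.
    payload = '<img src=x onerror="alert(document.cookie)">'
    print(render_issue(label_badge_vulnerable, "Login bug", payload))
    print(render_issue(label_badge_fixed, "Login bug", payload))
```

The two outputs differ only in the badge: the vulnerable helper emits the `<img ... onerror=...>` tag as live markup, the fixed one emits `&lt;img ... &gt;` as text. Auditing for this class of bug means finding every place that returns a "safe" or "raw" string and checking what went into it.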
- CSRF (Cross site request forgery)
Some important forms were not protected by CSRF tokens, which meant a logged-in user who visited a malicious page could be made to submit those forms without knowing it. These forms now include and verify a token.
More info: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
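The synchronizer-token pattern such forms use, as an added Python example rather than Bugify's implementation: a random per-session token is generated with a CSPRNG, embedded as a hidden field in each state-changing form, and compared in constant time on submission. A page on another origin cannot read the victim's token, so its forged POST fails. The `session` dict, `handle_delete_issue`, and the issue store are stand-ins assumed for the demo.

```python
import hmac
import html
import secrets


def csrf_token(session):
    """Return the session's token, generating it on first use.

    `session` stands for the server-side session bound to the session
    cookie; a plain dict is used here for illustration.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_field(session):
    """Hidden input to embed in every state-changing form."""
    return ('<input type="hidden" name="csrf_token" value="%s">'
            % html.escape(csrf_token(session)))


def csrf_valid(session, form):
    """True only if the form carries the token stored in this user's session."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_delete_issue(session, form, issues):
    """POST handler for deleting an issue; `issues` is a dict of id -> title."""
    if not csrf_valid(session, form):
        return 403, "invalid or missing CSRF token"
    issue_id = form.get("id")
    if issue_id not in issues:
        return 404, "no such issue"
    del issues[issue_id]
    return 200, "deleted issue %s" % issue_id


if __name__ == "__main__":
    session = {}
    issues = {"7": "Crash on login"}  # constructed sample data
    print(csrf_field(session))
    # A forged cross-site form post cannot include the victim's token, so it fails:
    print(handle_delete_issue(session, {"id": "7"}, issues), issues)
    # The legitimate form, rendered with csrf_field(), succeeds:
    print(handle_delete_issue(session, {"id": "7", "csrf_token": csrf_token(session)}, issues), issues)
```

Two conditions make this work: the token lives in server-side session state rather than only in a cookie (a cookie would be sent automatically with the forged request), and nothing state-changing is reachable via GET, since a GET has no form body to carry the token.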
- Full path disclosure
Error pages were showing the full filesystem path of the Bugify instance. On its own this is low severity, but it tells an attacker exactly where the application lives on the server, which is useful information when chaining with other bugs. Error pages no longer include the path.
More info: https://www.owasp.org/index.php/Full_Path_Disclosure
- HTTP headers
The X-XSS-Protection and X-Frame-Options headers have been added. X-Frame-Options tells the browser not to render Bugify inside a frame on another site, which blocks clickjacking; X-XSS-Protection enables the browser's built-in reflected-XSS filter. One caveat: major browsers have since removed that filter, so today Content-Security-Policy is the header to rely on against XSS, while X-Frame-Options remains effective (and can also be expressed as the CSP frame-ancestors directive).
More info: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
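An added example covering both of the last two items, generic error pages and security headers. It is illustrative Python using the standard library's WSGI interface, not Bugify's code, and the header values are the common defaults since the post does not state which ones Bugify set. `SecurityMiddleware`, `demo_app`, and `call` are names assumed for the demo.

```python
import logging
import sys

logger = logging.getLogger("security_example")

# Headers added to every response.  Values are the usual defaults (assumed),
# not necessarily the ones Bugify ships.
SECURITY_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),      # only same-origin pages may frame us
    ("X-XSS-Protection", "1; mode=block"),  # legacy reflected-XSS filter
    ("X-Content-Type-Options", "nosniff"),  # do not MIME-sniff responses
]

GENERIC_ERROR_BODY = (b"<h1>Something went wrong</h1>"
                      b"<p>The error has been logged. Please try again later.</p>")


class SecurityMiddleware:
    """Adds security headers and replaces unhandled exceptions with a generic page."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = list(headers)

    def __call__(self, environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers) + [h for h in self.headers
                                      if h[0].lower() not in present]
            return start_response(status, merged, exc_info)

        try:
            return self.app(environ, start_with_headers)
        except Exception:
            # The traceback, including the install path, goes to the server
            # log only; the client gets a fixed message with no paths in it.
            logger.exception("unhandled error for %s", environ.get("PATH_INFO"))
            start_with_headers(
                "500 Internal Server Error",
                [("Content-Type", "text/html; charset=utf-8"),
                 ("Content-Length", str(len(GENERIC_ERROR_BODY)))],
                sys.exc_info(),
            )
            return [GENERIC_ERROR_BODY]


def demo_app(environ, start_response):
    """Stand-in for the application; /boom simulates an unexpected bug."""
    if environ.get("PATH_INFO") == "/boom":
        raise RuntimeError("database unavailable")
    body = b"<h1>Issues</h1>"
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


app = SecurityMiddleware(demo_app)


def call(wsgi_app, path):
    """Invoke a WSGI app once in-process; return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}  # minimal constructed request
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(call(app, "/"))
    print(call(app, "/boom"))
```

Putting the headers in one place at the edge of the application means every response, including error pages, carries them; the same middleware is the natural place to swap a framework's default debug page (which typically prints a stack trace with file paths) for a fixed body.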