Upcoming security advisory, next release

Dear more.groupware users and developers!

I'd like to let you know what is currently happening with more.groupware and to inform you about upcoming events.

Security Advisory
-----------------

First of all, I have been informed about an upcoming security advisory concerning more.groupware. I feel it is our responsibility to explain what this is about.

As more.groupware gains popularity and more widespread use, many more people without a deeper background in deploying and securing PHP solutions are installing it. Those who used it in earlier stages of its development were probably (at least partly) aware of the security issues that do (or might) arise from it.

The upcoming advisory addresses some of those issues, like cross-site scripting vulnerabilities and file access permission issues. Those are indeed a threat, but in my opinion should not be overrated. Cross-site scripting attacks would need to be initiated by someone with access to the system, so if you can trust your users, this should not be too much of an issue. The file permission issues can be solved by securing the web server's access rights to the directories more.groupware stores files in (like in the webmail2 or file manager modules).
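As an added example of the file permission hardening mentioned above (this is not code from more.groupware or from the original announcement), the following POSIX shell script audits a directory of the kind the webmail2 and file manager modules write to, reports every entry that other local users could read or modify, restricts the tree to its owner, and checks that it does not sit inside the web server's document root. The example paths, the document root (/var/www/html) and the web server account name (www-data) are assumptions to be adjusted for your installation.

```shell
#!/bin/sh
# Added example: audit and harden a directory in which the web application
# stores user files (mail attachments, uploaded files). Not code from
# more.groupware; the paths, account name and document root used below are
# assumptions for illustration only.

# List every entry under $1 that is readable or writable by "other" (world)
# or writable by group. Any hit means another local account on the host, or
# scripts of another virtual host, can read or modify the stored data.
audit_data_dir() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -020 \) -print | sort
}

# Number of exposed entries; 0 means the directory passes the audit.
count_exposed() {
    audit_data_dir "$1" | wc -l | tr -d ' '
}

# Restrict the tree to its owner: directories 0700, files 0600.
# Optional second argument: the account the web server runs as (for example
# www-data, an assumption); handing the tree to that account needs root.
harden_data_dir() {
    dir=$1
    owner=${2:-}
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir"
    fi
}

# Return 0 (true) if directory $1 lies beneath the document root $2, in which
# case stored files could be fetched over HTTP by anyone guessing their path.
is_under_docroot() {
    root=${2%/}
    case "$1/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Stand-alone usage: audit the path given on the command line, for example
#   DOCROOT=/var/www/html sh audit_data_dir.sh /var/lib/moregroupware/data
# (both paths are assumptions). Run harden_data_dir on it once you have
# confirmed the web server account owns the tree.
if [ $# -gt 0 ]; then
    if is_under_docroot "$1" "${DOCROOT:-/var/www/html}"; then
        echo "warning: $1 is inside the document root" >&2
    fi
    audit_data_dir "$1"
    echo "exposed entries: $(count_exposed "$1")"
fi
```

The audit only looks at mode bits, so it will not notice files owned by the wrong account; after hardening, also confirm with ls -l that the web server account (and nobody else) owns the tree, otherwise the application itself loses access to its data.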

Another issue that will not be addressed directly in this advisory is the inconsistent use of the rights system. Some modules don't use it at all, some only partially. This has long been an issue.

Believe me when I say we do not take this lightly. We are aware of the fact that those issues may compromise security and valuable data. But we cannot fix this overnight.

Next release
------------

We will probably (a definitive decision will be made soon) release 0.6.8 within the next few days, as announced earlier, but it will *not* contain fixes for those security issues. Instead you should see it as an interim release that brings you other bugfixes and makes the new calendar2 available to more people for testing purposes. This release is not intended as a general purpose upgrade release; use it rather if you need bug fixes or want to try out the new features.

Afterwards we will focus on fixing the security issues mentioned above, and make a new release available as quickly as possible.

If you have further questions, feel free to ask on the mailing lists.

Sincerely,
Karsten Dambekalns

Posted by Karsten Dambekalns 2003-06-25