ProjectForge Security release 5.3

A security review of ProjectForge was done by a team from Micromata, Germany. Many thanks to Sergej Michel and Peter Baus (great job)!

  1. Security release: Please update as soon as is practicable! Some vulnerabilities were discovered (a logged-in user is always required):
  2. Security: Cross-Site Request Forgery (CSRF): an attacker may send manipulated HTML pages to a logged-in user.
  3. Security: XSS via JSON strings in the autocompletion form: an attacker must be a logged-in user in order to store manipulated autocompletion strings in the database.
  4. Security: Salt and pepper for passwords: an attacker with access to a database dump or to the SHA-256 hashed passwords of ProjectForge users may recover weak passwords by brute-force attacks or with rainbow tables.
  5. Security: Improved mechanism for preventing brute-force attacks on user/password combinations (by username as well as by IP); REST calls are now included.
  6. Improved LDAP support (for ProjectForge as LDAP master).
  7. Some minor bugfixes and features are included as well.
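To illustrate item 4, the following is an added example (not ProjectForge's own code) contrasting an unsalted SHA-256 password hash with a per-user salt plus a server-side pepper; the pepper value, iteration count and HMAC-then-PBKDF2 construction are assumptions of this example, not the scheme ProjectForge ships.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder: a real pepper lives in the application config,
# never in the database, so a DB dump alone does not contain it.
PEPPER = b"example-pepper-kept-outside-the-database"


def legacy_sha256(password: str) -> str:
    """Unsalted SHA-256 as described for the pre-5.3 scheme: the same password
    always yields the same hash, so a dump can be checked against a
    precomputed table and weak passwords fall quickly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _pepper(password: str, pepper: bytes) -> bytes:
    # Bind the password to the secret pepper before slow hashing.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  iterations: int = 200_000) -> dict:
    """Salt-and-pepper scheme (example only): a random per-user salt is stored
    beside the hash, the pepper is not, and PBKDF2 slows brute force."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt,
                                 iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt; without the correct pepper even the
    right password does not verify, which is what protects a leaked dump."""
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Two users with the same weak password: identical legacy hashes,
    # but distinct salted records.
    print(legacy_sha256("password") == legacy_sha256("password"))   # True
    a, b = hash_password("password"), hash_password("password")
    print(a["hash"] != b["hash"], verify_password("password", a))   # True True
```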

by Jule Witte
