v11.16.0 has been released! This release was pushed out to fix a fairly critical security issue dealing with CSRF. Below is the change log, which we think paints a good picture of what the problem is, and what we did to remediate it.

If you're a customer/client of ours that we've provided an installation for, please get in touch, so that we can talk about getting you upgraded. If you don't know exactly what coverage you have, we can help you look up your order information. Generally:

11.16.0

Focus

Enhanced Cross-Site Request Forgery (CSRF) Prevention

This version of Dada Mail has been released primarily to fix a security vulnerability dealing with Cross-Site Request Forgery (CSRF).

In theory (and confirmed by testing), a bad actor could send someone a carefully crafted web page via email, SMS, etc. that, when visited, would let the bad actor act on the list control panel as if they were logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password, which could effectively shut the actual list owners out of the mailing list and give the bad actor complete and unfettered control of it. This vulnerability also affects profile logins.

For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel (or their profile) in the same browser at the time they visit the crafted page. This CSRF vulnerability affects all versions of Dada Mail v11.15.1 and below.

Although we know of no CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our own testing and by a third party.

More Details

Security enhancements added to v11.16.0:

- CSRF protection on all list control panel screens (including plugins) when logged in.
- CSRF protection on the list control panel login form itself is now enabled by default. This feature was already available in Dada Mail, but was not enabled by default.
- CSRF protection for everything a user can do when logged into their profile.
- CSRF protection for the profile login form.
- Login cookies for both the list control panel and profiles now carry the "SameSite" attribute, set to "Lax".
- Login cookies for both the list control panel and profiles now carry the "secure" attribute, set to "1", when the connection is over https.
- Google reCAPTCHA added to Change List Password, Change Dada Mail Root Password, Profile Login, and Profile Registration. You'll want to set up Google reCAPTCHA in the included Dada Mail installer.

Here's an overview of CSRF:

https://owasp.org/www-community/attacks/csrf

v11.16.0 comes with Cross-Site Request Forgery prevention using the Double Submit Cookie pattern:

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

To enhance this, we also "HMAC the token with a secret key known only by the server and place this value in a cookie" (as described in the document above), and set cookies to have SameSite set to Lax (instead of not setting SameSite at all):

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute

Additional Suggestions to Help Harden Security

- Run Dada Mail under https. Running Dada Mail under https protects sensitive data (including login cookies and CSRF tokens) from being read in transit.
- Set up Google reCAPTCHA. Google reCAPTCHA helps stop automated submission of forms in Dada Mail.

Features

RESTful API supports Global Public/Private Keys, Creating New Mailing Lists

Please see:

https://dadamailproject.com/d/install_dada_mail-advanced_configuration.pod.html#Configure-Global-API-Options

and,

https://dadamailproject.com/d/features-restful_web_services.pod.html#Global-Public-and-Private-Keys

Changes

Default Membership: View address order is now Date Added/Subscription Date/Descending

The previous order was by email address, alphabetically/descending.

https://github.com/justingit/dada-mail/issues/1067

Bugfixes

Switching between lists accepts "GET" requests

"logout" accepts "GET" requests
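The HMAC-signed Double Submit Cookie scheme described under More Details above, as an added example that is not Dada Mail's own code. It is written in Python rather than Dada Mail's Perl, uses only the standard library, and constructs its own server secret, session ids and cookie name; the function names and the binding of the token to the session id (which the OWASP cheat sheet recommends, and which the change log does not say Dada Mail does) are assumptions of this example:

```python
"""Signed Double Submit Cookie CSRF check (added example, not Dada Mail code)."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumption: a long random secret that lives only on the server (rotating it
# invalidates every outstanding token). Constructed placeholder value here.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
COOKIE_NAME = "csrf_token"  # assumed cookie / form field name


def _sign(session_id: str, rand: str) -> str:
    """HMAC-SHA256 over the session id and the random value, hex encoded."""
    msg = f"{session_id}|{rand}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str) -> tuple[str, str]:
    """Return (cookie_value, form_value) for one logged-in session.

    cookie_value = <random>.<hmac(session_id|random)>, sent as a cookie.
    form_value   = <random>, written by the server into a hidden form field.
    A cross-site page can neither read the victim's cookie nor mint a cookie
    that validates, because it does not hold SERVER_SECRET.
    """
    rand = secrets.token_hex(16)
    return f"{rand}.{_sign(session_id, rand)}", rand


def set_cookie_header(cookie_value: str, https: bool) -> str:
    """Build the Set-Cookie header: SameSite=Lax always, Secure only over https.

    HttpOnly is fine here because the server, not JavaScript, copies the
    token into the form.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = cookie_value
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["samesite"] = "Lax"
    if https:
        jar[COOKIE_NAME]["secure"] = True
    return jar.output(header="Set-Cookie:").strip()


def verify_request(session_id: str, cookies: dict, form: dict) -> bool:
    """Accept a state-changing request only if the cookie's HMAC was produced
    by this server for this session AND the form token matches the cookie."""
    cookie_value = cookies.get(COOKIE_NAME, "")
    form_value = form.get(COOKIE_NAME, "")
    rand, sep, mac = cookie_value.partition(".")
    if not sep or not rand or not form_value:
        return False
    # 1. Is the cookie ours and bound to this session? Defeats cookie planting.
    if not hmac.compare_digest(mac.encode(), _sign(session_id, rand).encode()):
        return False
    # 2. Does the submitted form token equal the cookie's random half?
    return hmac.compare_digest(rand.encode(), form_value.encode())


def _own_pair(session_id: str) -> tuple[dict, dict]:
    """Cookie and form dicts for a session the caller controls."""
    cookie_value, form_value = issue_token(session_id)
    return {COOKIE_NAME: cookie_value}, {COOKIE_NAME: form_value}


def demo() -> dict:
    """One legitimate post and four forgery attempts against a victim session."""
    victim = "sess-victim-0001"  # constructed session id
    cookie_value, form_value = issue_token(victim)
    cookies = {COOKIE_NAME: cookie_value}
    attacker_cookies, attacker_form = _own_pair("sess-attacker-0002")
    return {
        # Real form: browser sends the cookie, page carries the matching token.
        "legitimate": verify_request(victim, cookies, {COOKIE_NAME: form_value}),
        # Cross-site page: cookie may still be attached, but the attacker
        # cannot read it, so the form token is absent or guessed.
        "no_form_token": verify_request(victim, cookies, {}),
        "guessed_form_token": verify_request(victim, cookies, {COOKIE_NAME: "0" * 32}),
        # Attacker who can plant cookies (e.g. from a sibling subdomain) but
        # lacks SERVER_SECRET: the HMAC does not verify.
        "planted_cookie": verify_request(
            victim, {COOKIE_NAME: "deadbeef.0000"}, {COOKIE_NAME: "deadbeef"}),
        # Attacker replays a pair valid for their own session: the HMAC is
        # bound to the session id, so it fails for the victim.
        "replayed_pair": verify_request(victim, attacker_cookies, attacker_form),
    }


if __name__ == "__main__":
    print(set_cookie_header(issue_token("sess-victim-0001")[0], https=True))
    for case, ok in demo().items():
        print(f"{case:20} -> {'accepted' if ok else 'rejected'}")
```

Two points worth keeping in mind when applying this pattern. The SameSite=Lax attribute is defence in depth, not the protection itself: browsers still attach a Lax cookie to top-level cross-site GET navigations, so anything reachable by GET that changes state must go through the same token check as a POST. And the Secure attribute only takes effect over https, which is why the change log pairs it with the recommendation to run Dada Mail under https; over plain http the cookie and the token in the page travel in the clear.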