We’ve released version 1.6 of FixMyStreet (previously numbered 1.5.5).
This release includes important security fixes:
- A vulnerability in login email sending that could allow an account to be hijacked by a third party;
- Alterations to token logging in and timeout behaviour;
- A dependency update to fix an issue with Unicode characters in passwords.
More details on those items below. Other items in this release include a Chinese translation, a bug fix with shrunken update photos, and some front end improvements, such as a ‘hamburger’ menu icon and an easier Report button on mobile, and resized map pins based on zoom level.
See the full list of changes over on GitHub.
Login email account hijacking: Due to the way parameters were passed into the token table in the database, it was possible for someone to request a login email for one email address, but have the login email sent to different address. This would allow a third party to log in as someone else, letting them make reports or updates as that person.
The code has been rewritten so all user parameter passing goes through central functions that return only one parameter even if the user has passed multiple parameters. More details of this class of vulnerability.
Email authentication tokens: Problem confirmation tokens had to be used within a month; this now applies to all confirmation tokens, and email sign in tokens are valid for a day. Using those tokens after confirmation will redirect correctly, but no longer log you in; links in alert emails will no longer log you in.
Unicode characters in passwords: The package our code uses to encode database columns, DBIx::Class::EncodedColumn, could have issues with Unicode characters provided to it. This was fixed by upgrading the version we use.