Security Changelog

Times shown are UTC unless otherwise stated

Our MIDAS Software

v4.35 Build 26/12/23 @ 23:06 UTC

Add 'spellcheck="false"' parameter to all password fields and some text fields to avoid spell-jacking data leaks

v4.34 Build 22/08/23 @ 09:38 UTC

Sanitize "HTTP_USER_AGENT" in stats module
Auto-complete turned off for LDAP Password field
Downloading/Exporting files now uses correct MIME type instead of "application/download"

v4.29 Build 26/12/2021 @ 10:36 UTC

Improved: Taint checking

v4.29 Build 16/12/2021 @ 23:48 UTC

Improved: Taint checking

v4.27 Build 22/07/2021 @ 11:20 UTC

Fixed: Stored XSS in day notes
Fixed: Reflected XSS when adding new resources/resource cats
Fixed: Reflected XSS when filtering the booking grid
Fixed: Stored XSS when saving some settings
Fixed: Reflected XSS when searching similar bookings
Fixed: Reflected XSS when searching clients from Client/Org field on Add/Modify Bookings screen
Fixed: Reflected XSS when adding clients
Fixed: Reflected XSS when adding/modifying custom fields
Fixed: Reflected XSS when sending email
Fixed: Reflected XSS in invoicing module
Fixed: Reflected XSS when passing additional data to theme.pl
Fixed: XML injection in Recent Activity Log
Fixed: http parameter pollution when setting default theme

v4.28 Build 18/07/2021 @ 02:32 UTC

Fixed: Reflected XSS in js.pl
Fixed: Reflected XSS in index.pl
Fixed: Possible for malicious attacker with valid credentials to create endless backups

v4.28 Build 07/07/2021 @ 23:17 UTC

New: Database Backups are now encrypted at rest (Requires OpenSSL>=1.1.1)
Improved: Stripe Secret Key is no longer displayed on Manage MIDAS -> Invoicing screen
Improved: Disabling GET method in more places

v4.27 Build 10/06/2021 @ 11:59 UTC

Improved: Database backup filename masking

v4.27 Build 10/06/2021 @ 11:03 UTC

New: Public Booking/Request flood control

v4.27 Build 08/06/2021 @ 19:07 UTC

Fixed: Possible for a malicious attacker to publicly book a room for free if venue rates set to "per person"

v4.27 Build 08/06/2021 @ 13:11 UTC

Fixed: Possible for a malicious attacker to overbook when making a public booking

v4.27 Build 08/06/2021 @ 12:27 UTC

Fixed: Possible for a malicious attacker to book/request/see availability of non-public venues or resources

v4.27 Build 19/05/2021 @ 14:14 UTC

Mitigation of privilege escalation vulnerability

v4.27 Build 18/05/2021 @ 18:39 UTC

Improved: Input sanitization
XML External Entities (XEE) / Billion Laughs Attack hardening

v4.27 Build 17/05/2021 @ 18:05 UTC

Improved: Input sanitization

API v2.41 07/04/2021 @ 00:57 UTC

New: v2.41 of the MIDAS API now allows API key regeneration

v4.26 Build 14/11/2020 @ 02:33 UTC

Improved: Mitigation of host header poisoning

v4.25 Build 30/07/2020 @ 22:29 UTC

Improved: Input sanitization

v4.25 Build 30/07/2020 @ 18:08 UTC

Fixed: Stored XSS vulnerability in relation to adding a new venue

v4.25 Build 27/07/2020 @ 10:17 UTC

Fixed: Reflected XSS vulnerability in help module

v4.25 Build 15/07/2020 @ 13:04 UTC

Fixed: Reflected XSS vulnerability when adding a new venue

v4.25 Build 15/07/2020 @ 11:34 UTC

Fixed: No Flood Control on Password Reset Request email notifications

v4.25 Build 14/07/2020 @ 23:37 UTC

Improved: If JS debugging enabled, JS errors no longer appear in server access logs

v4.25 Build 12/07/2020 @ 22:13 UTC

Fixed: Reflected CSS vulnerability in password change module
Fixed: Store XSS vulnerability when adding clients

v4.25 Build 12/07/2020 @ 15:34 UTC

Fixed: SQLi vulnerability in monthly overview
Fixed: JS injection vulnerability in help
Fixed: Reflected XSS vulnerability when adding/updating day notes
Fixed: Reflected XSS vulnerability in search module
Fixed: Reflected XSS vulnerability in stats module
Fixed: Reflected XSS vulnerability in invoicing module
Fixed: Reflected XSS vulnerability in print module

v4.25 Build 11/07/2020 @ 23:56 UTC

Fixed: Reflected XSS vulnerabilities when adding bookings
Fixed: Reflected XSS vulnerability when adding a new client at the same time as bookings
Fixed: Stored XSS vulnerabilities in recent activity log

v4.25 Beta Build 01/07/2020 @ 13:09 UTC

Improved: Minimum password strength allowed now "Fair" (previous minimum was "weak")
Improved: Enforced 64 char max length for passwords, as per OWASP best practice
Improved: bcrypt work factor increased to 12 (previously 10), as per OWASP best practice
Improved: Cookie obfuscation

v4.25 Beta Build 30/06/2020 @ 15:33 UTC

Fixed: Credentials not revalidated if existing session active, autologin enabled, and login screen accessed

v4.25 Beta Build 14/06/2020 @ 17:48 UTC

New: Setting to notify users each time their account is logged into from an unfamiliar device
Change: Dropped Math::Random::Secure usage in favor of Crypt::PRNG (Math::Random::Secure hasn't been updated in over 3 years, and depends upon Crypt::Random::Source, which itself relies on Any::Moose, which is deprecated)
Fixed: Reflected XSS vulnerability when modifying a booking
Fixed: 2 Reflected XSS vulnerabilities when viewing invoices
Fixed: Reflected XSS vulnerability when displaying advanced print options
Fixed: Reflected XSS vulnerability when printing client's bookings
Fixed: Internal Server Error produced if invalid parameters passed when locating similar bookings
Fixed: Internal Server Error produced if invalid parameters passed when composing email
Fixed: SQLi vulnerability in recent activity log
Fixed: Format String Attack / CRLF injection vulnerability when logging in
Fixed: Reflected XSS vulnerability in public booking/requesting
Fixed: SQLi vulnerability in watch notification settings
Fixed: SQLi vulnerability when messaging other users
Fixed: SQLi vulnerability in invoicing module
Fixed: SQLi vulnerability when processing booking requests

Our Network

Network Wide 27/04/2024 @ 19:00 UTC

Change: FTP deprecated

mid.as 20/12/2023 @ 23:59 UTC

Change: Migrated server OS from CentOS to AlmaLinux

mid.as 03/07/2021 @ 12:00 UTC

New: Migrated hosted clients from MySQL to MariaDB and implemented at rest database encryption

mid.as 17/05/2021 @ 16:30 UTC

Fixed: Captcha replay vulnerability on mid.as

midas.hosting 02/04/2021 @ 13:05 UTC

Fixed: Missing security headers on various *.midas.hosting sub domains

Network Wide 24/03/2021 @ 01:45 UTC

Updated: Firewall Rules

Network Wide 15/03/2021 @ 01:45 UTC

Updated: Firewall Rules

mid.as 13/01/2021 @ 11:37 UTC

Fixed: Email flood control weakness in mailing list subscription

mid.as 12/12/2020 @ 18:20 UTC

Fixed: Information disclosure on midas.network

mid.as 27/07/2020 @ 10:17 UTC

Fixed: Reflected XSS vulnerability in online help documentation

Email 21/07/2020 @ 14:00 UTC

New: PGP public key published allowing our security team to be contacted securely via encrypted email

mid.as 20/07/2020 @ 22:50 UTC

Updated: DKIM implementation

mid.as 18/07/2020 @ 00:31 UTC

Updated: Firewall Rules
Updated: SPF Records
Improved: Closed unused ports

mid.as 16/07/2020 @ 13:20 UTC

Improved: Migrated PayPal payment method to use EWP (Encrypted Website Payments)

mid.as 16/07/2020 @ 00:30 UTC

Improved: Added flood control to mailing list subscription confirmation

mid.as 15/07/2020 @ 16:36 UTC

Improved: Prevented trial sign ups from disposable email domains

mid.as 15/07/2020 @ 15:45 UTC

Improved: Implemented captcha for new affiliate sign ups

blog.mid.as 15/07/2020 @ 11:05 UTC

Fixed: CORS vulnerability in blog.mid.as

beta.mid.as 15/07/2020 @ 10:09 UTC

Fixed: Reflected XSS vulnerability in language editor

Network Wide 15/07/2020 @ 09:36 UTC

Fixed: Same Site Scripting vulnerability

Network Wide 12/07/2020 @ 00:33 UTC

Change: Blocked webmail access
Improved: Hardening against Slow HTTP attacks

Network Wide 10/07/2020 @ 16:51 UTC

New: Implemented Referrer-Policy HTTP header
Improved: Strict-Transport-Security HTTP header implementation
Improved: X-Frame-Options HTTP header implementation

security.midas.network 10/07/2020 @ 14:04 UTC

New: Launched security.midas.network (this website)

mid.as 02/06/2020 @ 10:55 UTC

Fixed: XSS vulnerability when signing up for a free trial