Security Changelog
Times shown are UTC unless otherwise stated
Our MIDAS Software
v4.37 Build 03/09/24 @ 07:09 UTC
Where possible, 2FA login codes are now generated by a cryptographically secure pseudorandom number generator.
v4.35 Build 26/12/23 @ 23:06 UTC
Added the spellcheck="false" attribute to all password fields and some text fields to avoid spell-jacking data leaks
v4.34 Build 22/08/23 @ 09:38 UTC
Sanitize "HTTP_USER_AGENT" in stats module
Auto-complete turned off for LDAP Password field
Downloading/Exporting files now uses correct MIME type instead of "application/download"
v4.29 Build 26/12/2021 @ 10:36 UTC
Improved: Taint checking
v4.29 Build 16/12/2021 @ 23:48 UTC
Improved: Taint checking
v4.27 Build 22/07/2021 @ 11:20 UTC
Fixed: Stored XSS in day notes
Fixed: Reflected XSS when adding new resources/resource cats
Fixed: Reflected XSS when filtering the booking grid
Fixed: Stored XSS when saving some settings
Fixed: Reflected XSS when searching similar bookings
Fixed: Reflected XSS when searching clients from Client/Org field on Add/Modify Bookings screen
Fixed: Reflected XSS when adding clients
Fixed: Reflected XSS when adding/modifying custom fields
Fixed: Reflected XSS when sending email
Fixed: Reflected XSS in invoicing module
Fixed: Reflected XSS when passing additional data to theme.pl
Fixed: XML injection in Recent Activity Log
Fixed: HTTP parameter pollution when setting default theme
v4.28 Build 18/07/2021 @ 02:32 UTC
Fixed: Reflected XSS in js.pl
Fixed: Reflected XSS in index.pl
Fixed: Possible for malicious attacker with valid credentials to create endless backups
v4.28 Build 07/07/2021 @ 23:17 UTC
New: Database Backups are now encrypted at rest (Requires OpenSSL>=1.1.1)
Improved: Stripe Secret Key is no longer displayed on Manage MIDAS -> Invoicing screen
Improved: Disabling GET method in more places
v4.27 Build 10/06/2021 @ 11:59 UTC
Improved: Database backup filename masking
v4.27 Build 10/06/2021 @ 11:03 UTC
New: Public Booking/Request flood control
v4.27 Build 08/06/2021 @ 19:07 UTC
Fixed: Possible for a malicious attacker to publicly book a room for free if venue rates set to "per person"
v4.27 Build 08/06/2021 @ 13:11 UTC
Fixed: Possible for a malicious attacker to overbook when making a public booking
v4.27 Build 08/06/2021 @ 12:27 UTC
Fixed: Possible for a malicious attacker to book/request/see availability of non-public venues or resources
v4.27 Build 19/05/2021 @ 14:14 UTC
Mitigation of privilege escalation vulnerability
v4.27 Build 18/05/2021 @ 18:39 UTC
Improved: Input sanitization
XML External Entity (XXE) / Billion Laughs attack hardening
v4.27 Build 17/05/2021 @ 18:05 UTC
Improved: Input sanitization
API v2.41 07/04/2021 @ 00:57 UTC
New: v2.41 of the MIDAS API now allows API key regeneration
v4.26 Build 14/11/2020 @ 02:33 UTC
Improved: Mitigation of host header poisoning
v4.25 Build 30/07/2020 @ 22:29 UTC
Improved: Input sanitization
v4.25 Build 30/07/2020 @ 18:08 UTC
Fixed: Stored XSS vulnerability in relation to adding a new venue
v4.25 Build 27/07/2020 @ 10:17 UTC
Fixed: Reflected XSS vulnerability in help module
v4.25 Build 15/07/2020 @ 13:04 UTC
Fixed: Reflected XSS vulnerability when adding a new venue
v4.25 Build 15/07/2020 @ 11:34 UTC
Fixed: No Flood Control on Password Reset Request email notifications
v4.25 Build 14/07/2020 @ 23:37 UTC
Improved: If JS debugging enabled, JS errors no longer appear in server access logs
v4.25 Build 12/07/2020 @ 22:13 UTC
Fixed: Reflected CSS vulnerability in password change module
Fixed: Stored XSS vulnerability when adding clients
v4.25 Build 12/07/2020 @ 15:34 UTC
Fixed: SQLi vulnerability in monthly overview
Fixed: JS injection vulnerability in help
Fixed: Reflected XSS vulnerability when adding/updating day notes
Fixed: Reflected XSS vulnerability in search module
Fixed: Reflected XSS vulnerability in stats module
Fixed: Reflected XSS vulnerability in invoicing module
Fixed: Reflected XSS vulnerability in print module
v4.25 Build 11/07/2020 @ 23:56 UTC
Fixed: Reflected XSS vulnerabilities when adding bookings
Fixed: Reflected XSS vulnerability when adding a new client at the same time as bookings
Fixed: Stored XSS vulnerabilities in recent activity log
v4.25 Beta Build 01/07/2020 @ 13:09 UTC
Improved: Minimum password strength allowed is now "Fair" (previous minimum was "Weak")
Improved: Enforced 64 char max length for passwords, as per OWASP best practice
Improved: bcrypt work factor increased to 12 (previously 10), as per OWASP best practice
Improved: Cookie obfuscation
v4.25 Beta Build 30/06/2020 @ 15:33 UTC
Fixed: Credentials not revalidated if existing session active, autologin enabled, and login screen accessed
v4.25 Beta Build 14/06/2020 @ 17:48 UTC
New: Setting to notify users each time their account is logged into from an unfamiliar device
Change: Dropped Math::Random::Secure usage in favor of Crypt::PRNG (Math::Random::Secure hasn't been updated in over 3 years, and depends upon Crypt::Random::Source, which itself relies on Any::Moose, which is deprecated)
Fixed: Reflected XSS vulnerability when modifying a booking
Fixed: 2 Reflected XSS vulnerabilities when viewing invoices
Fixed: Reflected XSS vulnerability when displaying advanced print options
Fixed: Reflected XSS vulnerability when printing client's bookings
Fixed: Internal Server Error produced if invalid parameters passed when locating similar bookings
Fixed: Internal Server Error produced if invalid parameters passed when composing email
Fixed: SQLi vulnerability in recent activity log
Fixed: Format String Attack / CRLF injection vulnerability when logging in
Fixed: Reflected XSS vulnerability in public booking/requesting
Fixed: SQLi vulnerability in watch notification settings
Fixed: SQLi vulnerability when messaging other users
Fixed: SQLi vulnerability in invoicing module
Fixed: SQLi vulnerability when processing booking requests
Our Network
Network Wide 27/04/2024 @ 19:00 UTC
Change: FTP deprecated
mid.as 20/12/2023 @ 23:59 UTC
Change: Migrated server OS from CentOS to AlmaLinux
mid.as 03/07/2021 @ 12:00 UTC
New: Migrated hosted clients from MySQL to MariaDB and implemented at-rest database encryption
mid.as 17/05/2021 @ 16:30 UTC
Fixed: Captcha replay vulnerability on mid.as
midas.hosting 02/04/2021 @ 13:05 UTC
Fixed: Missing security headers on various *.midas.hosting subdomains
Network Wide 24/03/2021 @ 01:45 UTC
Updated: Firewall Rules
Network Wide 15/03/2021 @ 01:45 UTC
Updated: Firewall Rules
mid.as 13/01/2021 @ 11:37 UTC
Fixed: Email flood control weakness in mailing list subscription
mid.as 12/12/2020 @ 18:20 UTC
Fixed: Information disclosure on midas.network
mid.as 27/07/2020 @ 10:17 UTC
Fixed: Reflected XSS vulnerability in online help documentation
Email 21/07/2020 @ 14:00 UTC
New: PGP public key published, allowing our security team to be contacted securely via encrypted email
mid.as 20/07/2020 @ 22:50 UTC
Updated: DKIM implementation
mid.as 18/07/2020 @ 00:31 UTC
Updated: Firewall Rules
Updated: SPF Records
Improved: Closed unused ports
mid.as 16/07/2020 @ 13:20 UTC
Improved: Migrated PayPal payment method to use EWP (Encrypted Website Payments)
mid.as 16/07/2020 @ 00:30 UTC
Improved: Added flood control to mailing list subscription confirmation
mid.as 15/07/2020 @ 16:36 UTC
Improved: Prevented trial sign-ups from disposable email domains
mid.as 15/07/2020 @ 15:45 UTC
Improved: Implemented captcha for new affiliate sign-ups
blog.mid.as 15/07/2020 @ 11:05 UTC
Fixed: CORS vulnerability in blog.mid.as
beta.mid.as 15/07/2020 @ 10:09 UTC
Fixed: Reflected XSS vulnerability in language editor
Network Wide 15/07/2020 @ 09:36 UTC
Fixed: Same Site Scripting vulnerability
Network Wide 12/07/2020 @ 00:33 UTC
Change: Blocked webmail access
Improved: Hardening against Slow HTTP attacks
Network Wide 10/07/2020 @ 16:51 UTC
New: Implemented Referrer-Policy HTTP header
Improved: Strict-Transport-Security HTTP header implementation
Improved: X-Frame-Options HTTP header implementation
security.midas.network 10/07/2020 @ 14:04 UTC
New: Launched security.midas.network (this website)
mid.as 02/06/2020 @ 10:55 UTC
Fixed: XSS vulnerability when signing up for a free trial