
Security Changelog

Our MIDAS Software

v4.25 Build 30/07/2020 @ 22:29 UTC
  • Improved: Input sanitization

v4.25 Build 30/07/2020 @ 18:08 UTC
  • Fixed: Stored XSS vulnerability in relation to adding a new venue

v4.25 Build 27/07/2020 @ 10:17 UTC
  • Fixed: Reflected XSS vulnerability in help module

v4.25 Build 15/07/2020 @ 13:04 UTC
  • Fixed: Reflected XSS vulnerability when adding a new venue

v4.25 Build 15/07/2020 @ 11:34 UTC
  • Fixed: No Flood Control on Password Reset Request email notifications
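The entry above (and the later "flood control" entry for mailing-list confirmations) names the fix but not the mechanism. As an added illustration that is not MIDAS's own code (MIDAS is written in Perl), the Python below is one way to implement it: a sliding-window limiter keyed on both the target address and the requesting IP, so neither hammering one victim nor rotating addresses from one host keeps generating emails. The limits, the 15-minute window and the request sequence are constructed assumptions.

```python
"""Flood control for password-reset request emails.

Added illustration, not MIDAS code: cap how many reset emails may be
triggered per target address and per client IP within a window.
Limits, window length and the sample request sequence are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ResetFloodControl:
    """Allow at most `limit` requests per key within `window_seconds`."""
    limit: int = 3
    window_seconds: float = 900.0   # 15 minutes; assumed value
    _events: dict = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, key: str, now: float) -> deque:
        """Drop timestamps that have fallen outside the window."""
        q = self._events[key]
        cutoff = now - self.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def allow(self, email: str, client_ip: str, now: float) -> bool:
        """Return True and record the request if both keys are under limit.

        `now` is injected so behaviour is deterministic under test;
        production code would pass time.time(). The address is normalised
        so case variants of the same mailbox share one bucket.
        """
        keys = ("email:" + email.strip().lower(), "ip:" + client_ip)
        queues = [self._prune(k, now) for k in keys]
        if any(len(q) >= self.limit for q in queues):
            return False      # over quota on at least one dimension: do not send
        for q in queues:
            q.append(now)
        return True


def simulate(requests):
    """Run a sequence of (t, email, ip) through one limiter; return decisions."""
    fc = ResetFloodControl(limit=3, window_seconds=900)
    return [fc.allow(email, ip, t) for (t, email, ip) in requests]


# Constructed sample: one host hammers a victim address, then switches
# addresses, then the victim retries from elsewhere after the window.
SAMPLE = [
    (0,    "victim@example.com", "203.0.113.9"),
    (10,   "victim@example.com", "203.0.113.9"),
    (20,   "VICTIM@example.com", "203.0.113.9"),   # case variant, same bucket
    (30,   "victim@example.com", "203.0.113.9"),   # 4th in window: blocked
    (40,   "other@example.com",  "203.0.113.9"),   # new address, IP exhausted
    (1000, "victim@example.com", "198.51.100.7"),  # window expired: allowed
]

if __name__ == "__main__":
    print(simulate(SAMPLE))
```

Whether a request is sent or throttled, the user-facing response should be identical, so the limiter cannot be turned into an account-enumeration oracle.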

v4.25 Build 14/07/2020 @ 23:37 UTC
  • Improved: If JS debugging enabled, JS errors no longer appear in server access logs

v4.25 Build 12/07/2020 @ 22:13 UTC
  • Fixed: Reflected XSS vulnerability in password change module
  • Fixed: Stored XSS vulnerability when adding clients

v4.25 Build 12/07/2020 @ 15:34 UTC
  • Fixed: SQLi vulnerability in monthly overview
  • Fixed: JS injection vulnerability in help
  • Fixed: Reflected XSS vulnerability when adding/updating day notes
  • Fixed: Reflected XSS vulnerability in search module
  • Fixed: Reflected XSS vulnerability in stats module
  • Fixed: Reflected XSS vulnerability in invoicing module
  • Fixed: Reflected XSS vulnerability in print module

v4.25 Build 11/07/2020 @ 23:56 UTC
  • Fixed: Reflected XSS vulnerabilities when adding bookings
  • Fixed: Reflected XSS vulnerability when adding a new client at the same time as bookings
  • Fixed: Stored XSS vulnerabilities in recent activity log
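Reflected and stored XSS account for most entries in this changelog, and the fix in every case is the same: encode user-controlled values for the exact context they are written into. As an added illustration that is not MIDAS's own code (MIDAS is Perl), the Python below renders a user-supplied venue name into three sinks, first by direct interpolation and then with per-context encoding. The venue-name payload and the markup are constructed.

```python
"""Context-aware output encoding against reflected and stored XSS.

Added illustration, not MIDAS code: a venue name is rendered into HTML
text, a quoted attribute and an inline script. `render_vulnerable` shows
the interpolation that enables the XSS classes listed above;
`render_safe` encodes each slot for where it lands. Payload is constructed.
"""
import html
import json

# Constructed attacker input, as it might be stored as a venue name.
PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(venue_name: str) -> str:
    """Direct interpolation: the stored value is emitted as markup."""
    return (
        f"<h1>{venue_name}</h1>"
        f'<input name="venue" value="{venue_name}">'
        f"<script>var venue = '{venue_name}';</script>"
    )


def render_safe(venue_name: str) -> str:
    """Encode for each sink: HTML text, quoted attribute, JS string literal."""
    in_text = html.escape(venue_name, quote=False)   # < > & become entities
    in_attr = html.escape(venue_name, quote=True)    # additionally " and '
    # json.dumps yields a quoted JS string; escaping "<" and "/" stops a
    # literal "</script>" inside the value from closing the element.
    in_js = json.dumps(venue_name).replace("<", "\\u003c").replace("/", "\\/")
    return (
        f"<h1>{in_text}</h1>"
        f'<input name="venue" value="{in_attr}">'
        f"<script>var venue = {in_js};</script>"
    )


def breaks_out(rendered: str) -> bool:
    """Crude oracle: does the attacker's script element survive intact?"""
    return "<script>alert(1)</script>" in rendered


if __name__ == "__main__":
    print("vulnerable:", breaks_out(render_vulnerable(PAYLOAD)))
    print("safe:      ", breaks_out(render_safe(PAYLOAD)))
```

Note that "input sanitization" on the way in (as in the top entry of this changelog) is a useful second layer, but only output encoding at the sink is reliable, because the same stored value may later be written into a different context than the one the sanitizer anticipated.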

v4.25 Beta Build 01/07/2020 @ 13:09 UTC
  • Improved: Minimum password strength allowed now "Fair" (previous minimum was "Weak")
  • Improved: Enforced 64 char max length for passwords, as per OWASP best practice (OWASP's guidance is that any maximum should be no lower than 64 characters, which this cap meets; bcrypt itself only hashes the first 72 bytes of input in any case)
  • Improved: bcrypt work factor increased to 12 (previously 10), as per OWASP best practice
  • Improved: Cookie obfuscation

v4.25 Beta Build 30/06/2020 @ 15:33 UTC
  • Fixed: Credentials not revalidated if existing session active, autologin enabled, and login screen accessed

v4.25 Beta Build 14/06/2020 @ 17:48 UTC
  • New: Setting to notify users each time their account is logged into from an unfamiliar device
  • Change: Dropped Math::Random::Secure usage in favor of Crypt::PRNG (Math::Random::Secure hasn't been updated in over 3 years, and depends upon Crypt::Random::Source, which itself relies on Any::Moose, which is deprecated)
  • Fixed: Reflected XSS vulnerability when modifying a booking
  • Fixed: 2 Reflected XSS vulnerabilities when viewing invoices
  • Fixed: Reflected XSS vulnerability when displaying advanced print options
  • Fixed: Reflected XSS vulnerability when printing client's bookings
  • Fixed: Internal Server Error produced if invalid parameters passed when locating similar bookings
  • Fixed: Internal Server Error produced if invalid parameters passed when composing email
  • Fixed: SQLi vulnerability in recent activity log
  • Fixed: Format String Attack / CRLF injection vulnerability when logging in
  • Fixed: Reflected XSS vulnerability in public booking/requesting
  • Fixed: SQLi vulnerability in watch notification settings
  • Fixed: SQLi vulnerability when messaging other users
  • Fixed: SQLi vulnerability in invoicing module
  • Fixed: SQLi vulnerability when processing booking requests

Our Network

mid.as 27/07/2020 @ 10:17 UTC
  • Fixed: Reflected XSS vulnerability in online help documentation

Email 21/07/2020 @ 14:00 UTC

mid.as 20/07/2020 @ 22:50 UTC
  • Updated: DKIM implementation

mid.as 18/07/2020 @ 00:31 UTC
  • Updated: Firewall Rules
  • Updated: SPF Records
  • Improved: Closed unused ports

mid.as 16/07/2020 @ 13:20 UTC
  • Improved: Migrated PayPal payment method to use EWP (Encrypted Website Payments)

mid.as 16/07/2020 @ 00:30 UTC
  • Improved: Added flood control to mailing list subscription confirmation

mid.as 15/07/2020 @ 16:36 UTC
  • Improved: Prevented trial sign ups from disposable email domains

mid.as 15/07/2020 @ 15:45 UTC
  • Improved: Implemented captcha for new affiliate sign ups

blog.mid.as 15/07/2020 @ 11:05 UTC
  • Fixed: CORS vulnerability in blog.mid.as
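The usual CORS mistake is a server that echoes whatever Origin it receives back in Access-Control-Allow-Origin while also allowing credentials, which lets any site read a logged-in user's responses. As an added illustration that is not the blog's own code, the Python below contrasts that reflecting pattern with an exact-match allowlist. The allowlist entries and probe origins are constructed assumptions.

```python
"""Origin validation for CORS responses.

Added illustration, not blog.mid.as code. `cors_headers_reflecting` trusts
any Origin with credentials allowed; `cors_headers_allowlisted` only
acknowledges exact origins from a fixed set. Allowlist and probes are
constructed assumptions.
"""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({
    "https://mid.as",
    "https://blog.mid.as",
})


def cors_headers_reflecting(origin):
    """Vulnerable pattern: echo whatever Origin the client sent."""
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    """Hardened: exact, scheme-inclusive match against a fixed allowlist.

    Anything that is not syntactically a bare origin (path, query,
    fragment, the literal "null", a non-https scheme) is rejected before
    the lookup, so prefix tricks such as "https://mid.as.attacker.example"
    never match. Vary: Origin stops a cache from serving one origin's
    answer to another.
    """
    if not origin:
        return {}
    parts = urlsplit(origin)
    if (parts.scheme != "https" or not parts.netloc
            or parts.path or parts.query or parts.fragment):
        return {}
    if origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


# Constructed probes: one legitimate origin and four that must be refused.
PROBES = [
    "https://blog.mid.as",
    "https://mid.as.attacker.example",
    "https://mid.as/",      # trailing slash: a URL, not an origin
    "null",                 # sandboxed iframes and file: pages send this
    "http://mid.as",        # wrong scheme
]


def decisions(handler, origins=PROBES):
    """Map each probe origin to whether the handler would grant access."""
    return {o: bool(handler(o)) for o in origins}
```

Matching must be on the whole origin string, never `startswith` or a substring test, and a wildcard `*` cannot be combined with credentials, so the allowlist is the only workable shape for an authenticated endpoint.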

beta.mid.as 15/07/2020 @ 10:09 UTC
  • Fixed: Reflected XSS vulnerability in language editor

Network Wide 15/07/2020 @ 09:36 UTC
  • Fixed: Same Site Scripting vulnerability

Network Wide 12/07/2020 @ 00:33 UTC
  • Change: Blocked webmail access
  • Improved: Hardening against Slow HTTP attacks

Network Wide 10/07/2020 @ 16:51 UTC
  • New: Implemented Referrer-Policy HTTP header
  • Improved: Strict-Transport-Security HTTP header implementation
  • Improved: X-Frame-Options HTTP header implementation
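The three headers in this entry are only as good as their values: an HSTS max-age of a few minutes or an X-Frame-Options of ALLOW-FROM (obsolete and ignored by current browsers) technically "implements" the header without protecting anything. As an added illustration that is not MIDAS network code, the Python below audits a captured response's headers against the commonly recommended values (HSTS max-age of at least one year with includeSubDomains; X-Frame-Options DENY or SAMEORIGIN, or a CSP frame-ancestors directive in its place; a Referrer-Policy that never sends the full URL cross-origin). The two sample header sets are constructed.

```python
"""Audit Strict-Transport-Security, X-Frame-Options and Referrer-Policy.

Added illustration, not MIDAS code: checks captured response headers
against common recommendations. The thresholds and sample header sets
are assumptions for the example.
"""
import re

ONE_YEAR = 31536000
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin",
}
KNOWN_REFERRER_POLICIES = SAFE_REFERRER_POLICIES | {
    "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "unsafe-url",
}


def audit_headers(headers):
    """Return a list of findings; an empty list means all three pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";") if d.strip()]
        max_age = None
        for d in directives:
            m = re.fullmatch(r"max-age=(\d+)", d)
            if m:
                max_age = int(m.group(1))
        if max_age is None:
            findings.append("HSTS has no max-age")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "").lower()
    if "frame-ancestors" in csp:
        pass    # CSP frame-ancestors supersedes X-Frame-Options
    elif xfo not in ("DENY", "SAMEORIGIN"):
        label = xfo or "missing"
        findings.append(f"X-Frame-Options is {label!r}; expected DENY or SAMEORIGIN")

    # The header may list fallbacks separated by commas; browsers apply the
    # last token they recognise, so that is the effective policy.
    tokens = [t.strip().lower() for t in h.get("referrer-policy", "").split(",")]
    known = [t for t in tokens if t in KNOWN_REFERRER_POLICIES]
    effective = known[-1] if known else ""
    if effective not in SAFE_REFERRER_POLICIES:
        label = effective or "missing"
        findings.append(f"Referrer-Policy is {label!r}; expected a strict policy")

    return findings


# Constructed samples: a response that carries all three headers with
# weak values, and the same headers with hardened values.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or "ok")
```

Run the same check against every hostname in the network, including redirect responses, since HSTS is only learned from a response actually served over HTTPS.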

security.midas.network 10/07/2020 @ 14:04 UTC
  • New: Launched security.midas.network (this website)

mid.as 02/06/2020 @ 10:55 UTC
  • Fixed: XSS vulnerability when signing up for a free trial