Today One Click Orgs announces the release of version 1.2.3. For this release the team focused on enhancing security across the platform. A formal vulnerability test was carried out to identify all potential security issues, then a series of code changes was implemented to remedy them. The v1.2.3 release includes the following security fixes:
- HTML was not properly escaped in proposal descriptions and comments. This is fixed.
- Users could be redirected to an external site by abusing the URL used for registering a vote. This is fixed.
- Members could set their email to that of an existing member and new members could be added with the same email as an existing member. This is fixed.
- Browsers were permitted to cache login credentials. This is fixed.
- The password reset system allowed a non-member to determine whether or not an email address corresponded to a valid user. This is fixed.
- The organisation’s name was not properly escaped for the ‘From’ field of emails. This is fixed.
- Some invalid characters were allowed in members’ email addresses. This is fixed.
- Users could be redirected to an external site by inserting special characters into the organisation’s subdomain. This is fixed.
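The fixes above are described only at the level of the symptom. To make the underlying checks concrete, here is an added example in plain Ruby (standard library only, no Rails) of the kind of validation each fix calls for: output escaping, a redirect target that must stay inside the application, strict subdomain and email formats, case-insensitive email uniqueness, a password-reset response that reads the same whether or not the address belongs to a member, a sanitised ‘From’ display name, and no-store cache headers for login responses. This is not One Click Orgs code; every method name and the sample membership list are hypothetical.

```ruby
require "uri"
require "erb"

# Constructed sample membership list for the example (not real data).
MEMBERS = [
  { email: "alice@example.test", name: "Alice" },
  { email: "bob@example.test",   name: "Bob" }
].freeze

# Proposal descriptions and comments: escape on output, never trust the stored text.
def render_description(text)
  ERB::Util.html_escape(text.to_s)
end

# Vote-registration redirect: only accept a path on this application.
# Anything with a scheme or host (absolute or protocol-relative URL),
# a path that does not begin with a single "/", or an unparsable value
# falls back to a known-safe location.
def safe_redirect_target(param, fallback = "/")
  return fallback if param.nil? || param.strip.empty?
  uri = URI.parse(param)
  return fallback if uri.scheme || uri.host
  return fallback unless uri.path.start_with?("/") && !uri.path.start_with?("//")
  uri.query ? "#{uri.path}?#{uri.query}" : uri.path
rescue URI::InvalidURIError
  fallback
end

# Organisation subdomain: one DNS label, lower-case alphanumerics and hyphens.
# \A and \z (not ^ and $) so a trailing newline cannot slip past the check.
SUBDOMAIN_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/
def valid_subdomain?(label)
  label.is_a?(String) && !(label =~ SUBDOMAIN_RE).nil?
end

# Member email: a deliberately conservative format, rejecting markup characters.
EMAIL_RE = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/
def valid_email?(address)
  address.is_a?(String) && !(address =~ EMAIL_RE).nil?
end

# Uniqueness must be case-insensitive, or Alice@ and alice@ become two members.
def email_taken?(address, members = MEMBERS)
  return false unless address.is_a?(String)
  members.any? { |m| m[:email].casecmp?(address) }
end

# Password reset: the response is identical for members and non-members; the
# reset mail (if any) goes out of band, so the reply reveals nothing.
def request_password_reset(address, members = MEMBERS, mailer: ->(_member) {})
  member = members.find { |m| m[:email].casecmp?(address.to_s) }
  mailer.call(member) if member
  "If that address belongs to a member, a reset link has been sent."
end

# Email 'From' field: strip control characters (CR/LF would start a new header),
# then quote the display name so quotes and backslashes cannot end it early.
def from_header(org_name, address)
  name = org_name.to_s.gsub(/[[:cntrl:]]/, "").strip
  quoted = name.gsub(/["\\]/) { |c| "\\#{c}" }
  %("#{quoted}" <#{address}>)
end

# Login responses: tell browsers and proxies not to keep a copy.
def no_store_headers
  { "Cache-Control" => "no-store", "Pragma" => "no-cache" }
end

if __FILE__ == $PROGRAM_NAME
  puts render_description("<b>hi</b>")
  puts safe_redirect_target("//elsewhere.example/")
  puts request_password_reset("nobody@example.test")
end
```

The redirect helper rejects rather than rewrites: a target that fails the check is replaced with the fallback, which is simpler to reason about than trying to strip the offending parts. The reset helper returns the same string on every path; the only difference between a member and a non-member is whether the mailer is called.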
In addition to the security fixes the following enhancements are also included:
- A vote taking place under the ‘veto’ voting system now closes early if all members vote in favour.
- Rails is upgraded to version 3.0.10.
- Members can now specify what role they play in the organisation.
- Proposal comments are now displayed in date order.
Particular thanks to Andrew Black and Darren McDonald for contributions, testing and reports for this release.
Source and downloads are available at Github.