Dada Mail v11.16.0 – Important Security Vulnerabilities Fixed, Upgrade Highly Suggested

 
From: "Dada Mail Announcement List" <justin@dadamailproject.com>
Date: September 22nd 2021

v11.16.0 Released

v11.16.0 has been released! This released was pushed out to fix a fairly critical security issue dealing with CSRF. Below is the change log, which we think paints a good picture of what the problem is, and what we did to remediate it.

If you’re a customer/client of ours that we’ve provided an installation for, please get in touch, so that we can talk about getting you upgraded. If you don’t know exactly what coverage you have, we can help you look up your order information. Generally:

  • Customers with Lifetime Upgrade Coverage have all already been upgraded to v11.16.0. If you’re one of the customers, check the versions you’re running, and make sure it’s at least v11.16.0.
  • Yearly Upgrade Coverage customers will want to contact us to get upgraded.
  • One-Time installation and Upgrade customers do have 30-days of complementary upgrades. Please take advantage of that!

Focus

This version of Dada Mail has been released primarily to fix a security vulnerability dealing with Cross-Site Request Forgery (CSRF).

Enhanced Cross-Site Request Forgery (CSRF) Prevention

In theory (and confirmed), a bad actor could give someone a carefully crafted web page via email, SMS, etc, that – when visited, could allow them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password – which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins.

For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party.

Security enhancements added to v11.16.0:

  • CSRF protection to all list control panel screens (including plugins) when logged in

  • Initial CSRF protection on the actual list control panel login form is enabled by default

    This feature was available in Dada Mail, but was not enabled by default

  • CSRF protection for any a user who logs into their profile would be able to do when logged in

  • CSRF protection for the initial profile login form

  • Login cookies for both the list control panel and profiles have the, “SameSite” flag added, and set to, “Lax”

  • Login cookies for both the list control panel and profiles have the, “secure” flag added, and set to, “1”, if the connection is under https

  • Google reCAPTCHA added to the Change List Password, Change Dada Mail Root Password, Profile login, and Profile Registration

    You’ll want to set up Google reCAPTCHA in the included Dada Mail installer.

More Details

Here’s an overview of CSRF:

https://owasp.org/www-community/attacks/csrf

v11.16.0 comes with Cross-Site Request Forgery prevention using the Double Submit Cookie pattern: (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie).

To enhance this, we also “HMAC the token with a secret key known only by the server and place this value in a cookie” (as described in the above doc), and set cookies to have, SameSite set to, Lax (instead of not setting SameSite at all), (https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute),

Additional Suggestions to Help Harden Security

  • Run Dada Mail under https

    Running Dada Mail under https will protect sensitive data from being able to read in transmission.

  • Set up Google reCAPTCHA

    Google reCAPTCHA helps stop automated submission of forms in Dada Mail.

Pro Dada

Learn About and Purchase a Pro Dada Subscription Here

Pro Dada is a special distribution of Dada Mail, that comes with no list/subscription limitations.

Being a Pro Dada Subscriber gives you unlimited access to download Pro Dada distribution, as well as the Pro Dada Manual. This manual is viewable online, as well as available as a downloadable PDF manual for offline viewing (DRM-free).

Being a Pro Dada Subscriber also gives you direct, prioritized support to the developers of Dada Mail through email and Zendesk. With over 19 years of experience helping people getting the most out of Dada Mail, we're here to make sure you're having the best experience when utilizing Dada Mail.

Your Pro Dada install on your own server/hosting account never expires and never becomes remotely disabled, even if your Pro Dada subscription lapses. Re-up your subscription at any time to re-enable access to new versions of the distribution, manual, and to regain our professional support.

Pro Dada comes in two pricing structures: a yearly subscription (for $99.95), and a never-ending subscription (for $199.95). We started our never-ending subscription over ten years ago, and our customers who purchased that ten years ago still have their access!

Still have questions? Email us, and we'll try to point you to the right choice for your organization.

Pro Dada Install/Upgrade Services

Learn About and Request a Pro Dada Install Today

A Pro Dada Subscription is included, so no additional Pro Dada purchase is necessary. A few different options for installation and upgrades are available and start at $74.95 for a one-time installation or upgrade. Install/Upgrades can also come with yearly coverage and start at $174.95 and a new option: lifetime coverage for $299 (introductory price).

We'll upgrade any installation of Dada Mail, no matter who did the initial installation, or how old it is. We can also handle difficult projects, like fixing broken installations, migrating installations to a new platform, etc.

From The Dada Mail Blog:

 

Thanks for Reading!

Justin at Dada Mail,
since 1999

Forward to a Friend
 
  • This mailing list is a public mailing list - anyone may join or leave, at any time.
  • This mailing list is announce-only.

Get updates when new versions of Dada Mail are released, new features are available, and general news about Dada Mail.

Privacy Policy:

This Privacy Policy is for this mailing list, and this mailing list only.

Email addresses collection through this mailing list are used explicitly to email our newsletter subscribers news and announcements about the Dada Mail Project. The Dada Mail Project is run by Simoni Creative. We send an announcement email out to our subscribers every few weeks.

We only collect email addresses through our Closed-Loop Opt-In system.

We don't use your email address for any other purpose.

We won't be sharing your email address with any other entity.

Unsubscription can be done at any time. Please contact us at: justin@dadamailproject.com for any help regarding your subscription, including removal from the mailing list.

All mailing list messages sent from us will include a subscription removal link, which will allow you to remove yourself from this mailing list automatically, and permanently.

All consent to use your email address for any other purpose stated at the time of the mailing list subscription will also be revoked upon mailing list removal.