Version 1.4.4 introduces 3 security enhancements to YourSites
The security of your data with YourSites is always at the top of our minds. We are therefore pleased to introduce some security enhancements in YourSites version 1.4.4. These address completely theoretical security risks in versions 1.4.3 and earlier.
In addition to these security enhancements we have added a new documentation article all about how to make your YourSites server/configuration as secure as possible. See Setting up a Secure YourSites Server for more detail.
1. Add time expiring generic tokens for client packages
One of the powerful features of YourSites is the ease by which you can connect a new site to YourSites by installing a generic client package. There is, however, a theoretical downside of this functionality.
If someone got a copy of your general client package they could add additional sites to your YourSites server and, in theory, overload your YourSites server. These additional connected sites could also be used, potentially, for phishing attempts etc. For example, the malicious client site's title and URL could be similar to one you already manage, and you could be tricked into attempting to log in to the mimicking site and giving away important login credentials when doing so.
Version 1.4.4 counters this risk by setting a time limit on the access token embedded in each generic client package download. By default the client package can only be used for 20 minutes from the time it's downloaded, and each time a new package is downloaded any old ones are automatically invalidated. You can change this setting in the YourSites config.
We hope that this change won't cause you any problems but felt that restricting the use of downloaded client packages was an important security enhancement.
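The following is an added illustration of the token lifecycle described above (a single current token, a default lifetime of 20 minutes, and automatic invalidation of older tokens when a new package is generated). It is example code written for this article, not YourSites' own implementation; the class, method names and the injectable clock are assumptions made so the behaviour can be demonstrated offline.

```python
import hmac
import secrets
import time

# Assumption: the 20-minute default from the release notes. In the real
# product the configurable value would be read from the YourSites config.
DEFAULT_TTL_SECONDS = 20 * 60


class FakeClock:
    """Deterministic clock so the expiry behaviour can be shown without waiting."""

    def __init__(self, start=1_000.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class ClientPackageTokens:
    """Issues one-at-a-time, time-limited tokens for generic client packages.

    issue() replaces whatever token was issued before it, so downloading a
    fresh package invalidates any older copies that may still be in circulation.
    """

    def __init__(self, ttl_seconds=DEFAULT_TTL_SECONDS, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for deterministic tests
        self._current = None        # (token, expires_at) or None

    def issue(self):
        """Generate a new random token and discard the previous one."""
        token = secrets.token_urlsafe(32)
        self._current = (token, self.clock() + self.ttl)
        return token

    def validate(self, presented):
        """Accept only the most recently issued token, and only before it expires."""
        if self._current is None:
            return False
        token, expires_at = self._current
        if self.clock() >= expires_at:
            self._current = None    # an expired token is dropped outright
            return False
        # Constant-time comparison so the check does not leak token bytes via timing.
        return hmac.compare_digest(token, presented)


def demo():
    """Walk through the three cases: fresh, superseded, and expired tokens."""
    clock = FakeClock()
    store = ClientPackageTokens(clock=clock)

    first = store.issue()
    fresh_ok = store.validate(first)            # within 20 minutes: accepted

    second = store.issue()
    superseded_ok = store.validate(first)       # older package now rejected
    latest_ok = store.validate(second)

    clock.advance(DEFAULT_TTL_SECONDS + 1)      # more than 20 minutes later
    expired_ok = store.validate(second)

    return {
        "fresh": fresh_ok,
        "superseded": superseded_ok,
        "latest": latest_ok,
        "expired": expired_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Because only one token is ever valid at a time, a stolen copy of an older package stops working the moment the administrator generates a new one, and every copy stops working once the lifetime has elapsed.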
2. Block theoretical XSS exploit after installing the client package on a hacked website.
If you install the YourSites client on a website that has already been hacked, there is a theoretical possibility that the responses sent to the YourSites server during the initial site connection could be compromised. Prior to version 1.4.4 there was a possibility that such a compromised client site could manipulate the data displayed within your YourSites server and initiate an XSS attempt.
Version 1.4.4 eliminates this theoretical possibility.
3. Immediately remove the temporary copy of the client package file once it's been created.
The process of creating and downloading a client package (general or site specific) creates a temporary file on your YourSites server. Prior to version 1.4.4 this file was only deleted the next time you refreshed your 'sites list' view. There was therefore a theoretical window of time during which this file could be downloaded by someone else.
In version 1.4.4 this file is deleted the instant it is created.
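As an added example (not YourSites code; the package contents and function names are assumptions), here is the difference between the two approaches in miniature: the first builds the package through a temporary file and removes that file in a finally block as soon as its bytes have been read, so no copy outlives the request even if an error occurs; the second avoids touching the filesystem at all by assembling the zip in memory.

```python
import io
import json
import os
import tempfile
import zipfile


def _write_package(zf, token):
    """Write the (constructed) package contents into an open ZipFile."""
    # Assumption: a generic client carries its access token in a config file.
    zf.writestr("client/config.json", json.dumps({"token": token}))
    zf.writestr("client/README.txt", "Generic YourSites client package\n")


def build_package_via_tempfile(token):
    """Create the package on disk, read it back, and delete it immediately.

    Returns (package_bytes, temp_path) so a caller can confirm the path is gone.
    """
    fd, path = tempfile.mkstemp(suffix=".zip")
    os.close(fd)
    try:
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            _write_package(zf, token)
        with open(path, "rb") as fh:
            data = fh.read()
    finally:
        # Deleted the instant we have the bytes, not at the next page refresh.
        if os.path.exists(path):
            os.unlink(path)
    return data, path


def build_package_in_memory(token):
    """Assemble the same package in a BytesIO so there is never a file to leak."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        _write_package(zf, token)
    return buf.getvalue()


def package_token(data):
    """Read the token back out of package bytes (used to verify both builders)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return json.loads(zf.read("client/config.json"))["token"]


if __name__ == "__main__":
    data, path = build_package_via_tempfile("example-token")
    print(len(data), "bytes; temp file still present:", os.path.exists(path))
    print(package_token(build_package_in_memory("example-token")))
```

Either way the package only exists for the duration of the download request, which is the window the 1.4.4 change reduces to nothing.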