$Id: ReleaseNotes,v 1.14 2007/05/31 14:49:09 bhockney Exp $

Release notes for Webfwlog

Version 0.93 2007-05-31

- SECURITY ADVISORY - Webfwlog versions 0.91 and 0.92 contained a vulnerability that could potentially be used to view the contents of files on the web server (CVE-2007-585). It is recommended that all users of webfwlog 0.91 and 0.92 upgrade to the latest version.

- The release notes below for previous releases may still apply if upgrading.

Version 0.92 2006-03-04

- It is now possible to add an arbitrary column definition when data is logged to a database. This requires that the allow_raw_sql parameter in webfwlog.conf be set (this parameter was previously called allow_additional_where). There are security considerations to allowing this. See the security advisory below.

Version 0.91 2005-04-21

- SECURITY ADVISORY

  All webfwlog versions before 0.91 by default allowed the user to add raw SQL to the WHERE and HAVING clauses of the queries sent to the database server. In older versions of webfwlog this was the only way to select packets based on some fields, and embedded quoted strings are difficult to escape, so the entire user-provided input was sent to the database as-is.

  All logged fields now have specific selectors, so in most cases it is not necessary to add raw SQL to a query, and everything entered by the user is properly validated and escaped. Accordingly, the ability to add raw SQL is now disabled by default and must be explicitly enabled in the webfwlog.conf file.

  However, saved reports from older versions of webfwlog that made use of this feature (e.g., to specify multiple ports in webfwlog versions < 0.87) will need to be modified using the report editor. In particular, some of the sample reports included in the webfwlog distribution for versions < 0.87 used this feature, and these reports and any reports based on them will need to be modified. The affected reports are tcpports, tcpsyn, and recent_active.
  In order to modify these reports it will be necessary to temporarily enable the allow_additional_where parameter in webfwlog.conf. After saving the modified reports, the allow_additional_where parameter should be disabled again. Even if present in a saved report, the additional_where and additional_having fields are ignored when allow_additional_where is disabled (the default).

  It is recommended that all users of webfwlog < 0.91 upgrade to the latest version.

- The file name for the home page has been changed from webfwlog.php to index.php. Depending upon your web server, you may now only need to point your browser to the webfwlog directory in order to start the program. However, this change also breaks any links you may have to webfwlog.php, and you should update them accordingly.

- Cookies are now explicitly required to be enabled in order to use webfwlog. Cookies are used by webfwlog to propagate the PHP session ID, and the drill-down function does not work properly without this. Webfwlog uses session cookies only, not persistent cookies.

Version 0.90 2004-11-11

- The webfwlog.conf file has been updated and has some new parameters. Please review it if you are upgrading from a previous version of webfwlog. If you are upgrading to 0.9x from 0.8x you will need to add two parameters to your config file in order to use the syslog parser:

  wfwl_syslog=/path/to/wfwl_syslog executable
  syslog_dir=/path/to/logfiles
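The following is an added illustration of the raw-SQL problem described in the 0.91 security advisory above; it is not Webfwlog's own code (Webfwlog is written in PHP) and the table layout, sample rows, helper names and the allow_raw_sql flag are assumptions constructed for the example. It contrasts the pre-0.91 behaviour, where an "additional WHERE" string is pasted into the query verbatim so a saved report can pull rows from an unrelated table, with a selector-style query that validates a port list, binds it as parameters, and drops the raw clause unless it has been explicitly enabled in the configuration.

```python
"""Added example (not Webfwlog code): raw additional_where vs. a validated,
parameterised port selector with raw SQL disabled by default."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed schema and rows; Webfwlog's real tables are not shown on this page.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE packets (id INTEGER, src TEXT, dport INTEGER, proto TEXT)")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO packets VALUES (?,?,?,?)", [
        (1, "10.0.0.5", 22, "tcp"),
        (2, "10.0.0.6", 80, "tcp"),
        (3, "10.0.0.7", 443, "tcp"),
        (4, "10.0.0.8", 53, "udp"),
    ])
    con.execute("INSERT INTO users VALUES ('admin', 'not-a-real-hash')")
    return con


def query_pre_091(con: sqlite3.Connection, additional_where: str) -> list:
    """Pre-0.91 style: the user's text is appended to the WHERE clause as-is."""
    sql = "SELECT src, dport, proto FROM packets WHERE proto = 'tcp'"
    if additional_where:
        sql += " AND " + additional_where  # no validation, no escaping
    return con.execute(sql).fetchall()


# A port selector only accepts a comma-separated list of integers.
PORT_LIST = re.compile(r"^\d{1,5}(,\d{1,5})*$")


def query_091(con: sqlite3.Connection, dports: str = "",
              additional_where: str = "", allow_raw_sql: bool = False) -> list:
    """0.91 style: dedicated, validated selector bound as parameters; the raw
    clause is ignored unless allow_raw_sql (assumed config flag) is set."""
    sql = "SELECT src, dport, proto FROM packets WHERE proto = 'tcp'"
    params: list = []
    if dports:
        if not PORT_LIST.match(dports):
            raise ValueError("dports must be a comma-separated list of integers")
        ports = [int(p) for p in dports.split(",")]
        if any(p > 65535 for p in ports):
            raise ValueError("port out of range")
        sql += " AND dport IN (%s)" % ",".join("?" * len(ports))
        params.extend(ports)
    if additional_where and allow_raw_sql:
        # Still raw SQL: only reachable when the administrator enabled it.
        sql += " AND " + additional_where
    return con.execute(sql, params).fetchall()


def demo() -> dict:
    con = make_db()
    # What an old (< 0.87) saved report used the raw clause for.
    legit = "dport IN (22,80)"
    # Same field, hostile content: reads a different table through the report.
    evil = "1=0 UNION SELECT name, pw_hash, 'x' FROM users --"
    return {
        "old_legit": query_pre_091(con, legit),
        "old_evil": query_pre_091(con, evil),
        "new_selector": query_091(con, "22,80"),
        "new_raw_ignored": query_091(con, "", evil),  # default: clause dropped
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The selector approach is what makes the 0.91 default safe: the only user-controlled values reaching the database are bound integers, and a string such as "22) OR 1=1 --" is rejected before any query is built. Enabling the raw clause re-opens the original problem, which is why the advisory says to turn it on only long enough to edit the affected reports.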