ISL Conference Proxy 4.1.0 with modules for Windows and Linux (2014-12-18)

 

General Information

On the 18th of December the following was released:

  • ISL Conference Proxy 4.1.0 for Windows 32bit (Platform=win32, Revision=38200, release_date=2014-11-21, os_version=0x5020000-0x7fffffff)
  • ISL Conference Proxy 4.1.0 for Windows 64bit (Platform=win64, Revision=38200, release_date=2014-11-21, os_version=0x5020000-0x7fffffff)
  • ISL Conference Proxy 4.1.0 for Linux 32bit (Platform=linux, Revision=38200, release_date=2014-11-21)
  • ISL Conference Proxy 4.1.0 for Linux 64bit (Platform=linux64, Revision=38200, release_date=2014-11-21)
  • ISL Conference Proxy 4.1.0 for Windows 32bit (Platform=win32, Revision=38345, release_date=2014-11-21, os_version=0x5020000-0x7fffffff)
  • ISL Conference Proxy 4.1.0 for Windows 64bit (Platform=win64, Revision=38345, release_date=2014-11-21, os_version=0x5020000-0x7fffffff)

ISL Conference Proxy 4.1.0 with revision 38200 for Windows was replaced with ISL Conference Proxy 4.1.0 with revision 38345 for Windows due to:

ISL Conference Proxy - Core - Error when trying to create a user during ICP upgrade to 4.1.0 (DEFECT) [ISLCONFPROXY-589]

Description

Users may have been unable to upgrade from ISL Conference Proxy 4.0.5 to 4.1.0, or to install ISL Conference Proxy 4.1.0 for the first time, on non-English Windows operating systems. During installation the following error was shown: Failed to create user account "islcp". During installation ISL Conference Proxy tried to create the user islcp under the Performance Monitor Users group. This group name is translated on non-English Windows systems, which caused the creation of the user to fail. When adding the user, ISL Conference Proxy no longer checks the name of the group; instead it adds the user to the group based on the group ID (which does not change on non-English Windows).

The defect was fixed.

Modules

  • ISL Light 4.1.0 (release_date=2014-11-21, revision=38213)
  • ISL Groop 4.1.0 (release_date=2014-11-21, revision=38271)
  • *ISL Pronto 2.2.2 (release_date=2014-07-23, revision=38307)
  • Reports 4.1.0 (release_date=2014-11-21, revision=38284)
  • PostgreSQL 4.1.0 (release_date=2014-11-21, revision=38167)
  • ISL AlwaysOn 4.1.0 (release_date=2014-11-21, revision=38338)

* The ISL Pronto module is compatible with ISL Conference Proxy 4.0 and ISL Conference Proxy 4.1 and still uses the old versioning, as it was released from the ISL Conference Proxy 4.0 branch.

Translations

  • isl_alwayson_20141121_20141219_085623.translation
  • isl_conference_proxy_20141121_20141219_085623.translation
  • isl_groop_20141121_20141219_085623.translation
  • isl_light_20141121_20141219_085623.translation
  • isl_pronto_20141121_20141219_085623.translation

Update availability

All updates have the release date set to 2014-11-21. Your ESS will need to be the same or higher to be able to update your server. This release is available to all countries except Japan.

Upgrading to new version

These are server-side updates, so hosted service users do not need to do anything.

Server license users, please check Upgrading Server License.

Important: ISL Conference Proxy release 4.1.0 brings the new feature "Drop root privileges". Upgrading an old version will add the user islcp to the system and change the permissions of files in the ISL Conference Proxy folder. We detected that changing permissions on Windows can take a long time with a large number of files/objects (multiple hours for big ICP installations ~30GB). We recommend that you try upgrading first on a test server with the production database (copy the production ISL Conference Proxy folder to a new machine and run the new ISL Conference Proxy 4.1.0 installer).

Improvements

ISL Conference Proxy

ISL Conference Proxy - Core - Drop root privileges after bind (FEATURE) [ISLCONFPROXY-444]

Description

In previous versions all ISL Conference Proxy processes ran as root (administrator). ISL Conference Proxy version 4.1 needs root permissions only to bind ports (confproxy_service); after that ISL Conference Proxy runs in unprivileged mode (confproxy_server). When ISL Conference Proxy 4.1 is installed, it also adds a new user (islcp) under which confproxy_server runs.

Root permissions are still needed when installing ISL Conference Proxy for the first time.

ISL Conference Proxy - Core - add stdoutrunas for windows (FEATURE) [ISLCONFPROXY-452]

Description

The Stdoutrunas.exe utility was added to ISL Conference Proxy. It enables executing external processes under low-privileged accounts.

ISL Conference Proxy - Core - use hsrv as hint where to execute webapi2 call (FEATURE) [ISLCONFPROXY-453]

Description

With certain webapi2 calls, the response also returns an hsrv parameter. The hsrv parameter tells you the optimal server on which to execute the following webapi2 calls, which increases execution performance.

ISL Conference Proxy - Core - server2server load balancing support (FEATURE) [ISLCONFPROXY-454]

Description

Previously, when a web call came to a server that could not handle it, the request was passed to a random server that was able to handle it. The functionality for selecting the server to execute the task was redesigned: instead of picking a random server, it now searches for the nearest available server.

ISL Conference Proxy - Core - implement password encryption/hashing for all settings and user accounts (FEATURE) [ISLCONFPROXY-465]

Description

Passwords on ISL Conference Proxy were stored as plain text. With ISL Conference Proxy 4.1, new accounts and password resets use the islhash1 scheme for encryption/hashing of passwords. User accounts and settings are no longer stored in plain text. Accounts created before updating to ISL Conference Proxy 4.1 will still be stored as plain text; a password change is needed for all old accounts.

New settings were added to ISL Conference Proxy which are located on /conf page under Configuration -> Security:

- System hashed password scheme:

- System reversible password scheme:

- Login password scheme:

- islhash1 salt size:

- islhash1 rounds:

Users can choose between the following password schemes:

islhash1 - uses the following algorithm for encrypting password:

rounds = 10000

salt = random_bytes(16)

output = rounds + ':' + base64(salt) + ':' + base64(PKCS5_PBKDF2_HMAC(password, salt, rounds, sha512))

verify = unbase64(output[2]) == PKCS5_PBKDF2_HMAC(password, unbase64(output[1]), output[0], sha512)

islstatic1:

Internal reversible password scheme - LESS SECURE

plaintext:

Passwords are stored in plain text.

LSE Leading Security Experts GmbH opened CVE-2014-7161, which is resolved with this feature being implemented.
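The islhash1 record format described above, written out as an added Python example (not ISL Online's code). The 64-byte derived key length, standard base64 alphabet, UTF-8 password encoding, the MAX_ROUNDS cap and the needs-rehash helper are assumptions that the page does not state.

```python
import base64
import binascii
import hashlib
import hmac
import os

DEFAULT_ROUNDS = 10000     # "rounds = 10000" from the page
DEFAULT_SALT_SIZE = 16     # "salt = random_bytes(16)" from the page
DKLEN = 64                 # assumption: full SHA-512 output; the page gives no length
MAX_ROUNDS = 10_000_000    # assumption: cap so a tampered record cannot stall a login


def islhash1_hash(password, rounds=DEFAULT_ROUNDS, salt=None):
    """Build 'rounds:base64(salt):base64(PBKDF2-HMAC-SHA512)' for a password."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_SIZE)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, DKLEN)
    return ":".join((str(rounds),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")))


def _parse(record):
    """Split a stored record into (rounds, salt, key); None if it is malformed."""
    parts = record.split(":")
    if len(parts) != 3 or not (parts[0].isascii() and parts[0].isdigit()):
        return None
    try:
        rounds = int(parts[0])
        salt = base64.b64decode(parts[1], validate=True)
        key = base64.b64decode(parts[2], validate=True)
    except (binascii.Error, ValueError):
        return None
    # Reject zero/huge round counts, empty salts and truncated keys: each one
    # would weaken or abuse verification if the stored record were tampered with.
    if not 1 <= rounds <= MAX_ROUNDS or not salt or len(key) != DKLEN:
        return None
    return rounds, salt, key


def islhash1_verify(password, record):
    """Recompute PBKDF2 with the stored salt and rounds; compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False          # a legacy plain-text value never verifies as a hash
    rounds, salt, key = parsed
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, DKLEN)
    return hmac.compare_digest(candidate, key)


def islhash1_needs_rehash(record, wanted_rounds=DEFAULT_ROUNDS,
                          wanted_salt=DEFAULT_SALT_SIZE):
    """True when a record is not islhash1 or is weaker than the configured
    'islhash1 rounds' / 'islhash1 salt size' values."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < wanted_rounds or len(parsed[1]) < wanted_salt


if __name__ == "__main__":
    stored = islhash1_hash("correct horse")          # constructed sample password
    print(stored.split(":")[0], islhash1_verify("correct horse", stored))
    print(islhash1_needs_rehash("old-plaintext-value"))
```
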

ISL Conference Proxy - Core - remove CSRF in /users (FEATURE) [ISLCONFPROXY-468]

Description

Protection against CSRF was added to ISL Conference Proxy /users web pages.

LSE Leading Security Experts GmbH opened CVE-2014-7162, which is resolved with this feature being implemented.

ISL Conference Proxy - Core - start using post_token as CSRF protection in /conf (FEATURE) [ISLCONFPROXY-484]

Description

Protection against CSRF was added to /conf web pages using an implementation of the Synchronizer token pattern.

ISL Conference Proxy - Core - Add webapi2 call /utils/usage (FEATURE) [ISLCONFPROXY-495]

Description

New webapi2 calls were added to ISL Conference Proxy.

Webapi2 call utils/usage/1 will return a list of licenses used along with session data and id.

Webapi2 call utils/usage/terminate/1 will terminate the session specified with id.

ISL Conference Proxy - Core - adjust tagged program release latest algorithm (FEATURE) [ISLCONFPROXY-505]

Description

In ISL Conference Proxy 4.0, online update did not correctly remove obsolete programs. The install latest programs algorithm did not correctly handle tagged programs. The algorithm was redesigned and now correctly removes all obsolete programs from ISL Conference Proxy after performing an online update with the install latest option.

ISL Conference Proxy - Core - Add signatures to /updates/index.xml and software_policy.xml (FEATURE) [ISLCONFPROXY-506]

Description

Online update did not check the validity of the index.xml and software_policy.xml files used to determine which updates are available. An attacker could inject a custom index.xml and software_policy.xml, either while they were being downloaded from http://www.islonline.com/system/updates or when stored locally on the hard drive for the Manual update procedure, and trick ISL Conference Proxy into downloading third-party files. ISL Conference Proxy would reject these files once they were downloaded, as all update files in the Online update process are signed. The feature implemented now protects against manipulation of index.xml and software_policy.xml. All updates are now digitally signed, preventing the list of updates from being changed.

New settings are available for users who would like to disable update signature checking. Settings are located on ISL Conference Proxy Administration (http://localhost:7615/conf) -> Configuration -> Security section:

- Require signature for Online update - Signature is checked when performing Online update

- Require signature for Manual update - Signature is checked when performing Manual update

LSE Leading Security Experts GmbH opened CVE-2014-7164, which is resolved with this feature being implemented. A note here is that LSE Leading Security Experts GmbH did not provide a proof of concept for the exploit. We did review the process and found one weak point; we fixed the possible error, but the description of the problem is not accurate, as it is not possible to modify any of the files being deployed to ISL Conference Proxy so that you could trick ISL Conference Proxy into using them.

ISL Conference Proxy - Core - Http event sender reports unnecessary errors (most likely) (DEFECT) [ISLCONFPROXY-207]

Description

Users who have HTTP event sending enabled may have seen an HTTP event error in the log file - HTTP events: error occured when trying to send event: :Error in isl-httpeventsender.cpp:249:send_event. This happened when the queue for sending HTTP events was empty. HTTP event sending was redesigned; when the queue is empty, the error is no longer written to the log.

The defect was fixed.

ISL Conference Proxy - Core - code review html page escaping to prevent XSS (DEFECT) [ISLCONFPROXY-460]

Description

On ISL Conference Proxy web pages, XSS HTML injections were possible due to HTML content not being escaped correctly. All HTML content is now correctly escaped, so XSS HTML injections should no longer be possible.

The defect was fixed.

ISL Conference Proxy - Core - Cannot be started if moved to 64-bit server and using PostgreSQL 32-bit (DEFECT) [ISLCONFPROXY-475]

Description

Users who migrated ISL Conference Proxy with PostgreSQL database back-end from 32-bit operating system to 64-bit operating system could not start ISL Conference Proxy due to PostgreSQL module load failure. Users will now have to upgrade ISL Conference Proxy on 32-bit operating system to version 4.1 and then move it to 64-bit operating system.

The defect was fixed.

ISL Conference Proxy - Core - Disable SMTP user and password when normal connection is selected (DEFECT) [ISLCONFPROXY-483]

Description

Under the basic configuration of ISL Conference Proxy, users were able to select the SMTP connection type as normal and input an SMTP user and password. This option is not supported, as you cannot send a username or password on an unencrypted connection. The GUI design flaw was resolved; users cannot enter a username and password for the SMTP connection when the normal connection type is selected.

The defect was fixed.

ISL Conference Proxy - Core - crash in load_balancer on startup (another one) (DEFECT) [ISLCONFPROXY-494]

Description

ISL Conference Proxy crashed on startup if the load balancer tried to obtain load balancer servers from cache and there were none available. The procedure for obtaining servers from cache was redesigned and should no longer cause ISL Conference Proxy to crash.

The defect was fixed.

ISL Conference Proxy - Core - reliable line logging security issue (DEFECT) [ISLCONFPROXY-504]

Description

ISL Conference Proxy did not correctly escape text when writing the log file, so injection into the log file was possible. Log file writing was redesigned; all control characters are now correctly escaped, preventing log injection.

The defect was fixed.
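Control-character escaping for a line-oriented log, as an added Python example (not ISL Online's code); the `\xNN` notation, the quoted `key="value"` layout and the constructed FORGED_USER value are assumptions. It goes slightly beyond the control characters named above by also escaping Unicode line separators, format characters, the backslash and the double quote, so that escaped output stays unambiguous.

```python
import unicodedata

# Unicode categories that can split or visually rewrite a log record:
#   Cc = C0/C1 controls (CR, LF, ESC, NEL, ...)
#   Cf = format characters (bidi overrides, zero-width characters)
#   Zl / Zp = Unicode line and paragraph separators
_UNSAFE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}

# Constructed sample: a "username" that tries to forge a second log record.
FORGED_USER = "bob\n2014-12-18 10:00:01 login_ok user=admin"


def escape_log_field(value):
    """Return value with every record-breaking character made visible."""
    out = []
    for ch in str(value):
        cp = ord(ch)
        if ch in '\\"':
            # Escape the escape character and the quote, so a literal
            # backslash-x in the input cannot be confused with our escapes.
            out.append("\\" + ch)
        elif unicodedata.category(ch) in _UNSAFE_CATEGORIES:
            if cp <= 0xFF:
                out.append("\\x%02x" % cp)
            elif cp <= 0xFFFF:
                out.append("\\u%04x" % cp)
            else:
                out.append("\\U%08x" % cp)
        else:
            out.append(ch)
    return "".join(out)


def format_log_line(timestamp, event, **fields):
    """Build one record; untrusted field values are escaped and quoted."""
    parts = [timestamp, event]
    for name in sorted(fields):
        parts.append('%s="%s"' % (name, escape_log_field(fields[name])))
    return " ".join(parts)


def count_records(log_text):
    """Count records the way a line-based log reader would see them."""
    return len([line for line in log_text.splitlines() if line])


if __name__ == "__main__":
    naive = "2014-12-18 10:00:00 login_failed user=" + FORGED_USER
    safe = format_log_line("2014-12-18 10:00:00", "login_failed", user=FORGED_USER)
    print(count_records(naive), "records without escaping")
    print(count_records(safe), "record with escaping:", safe)
```
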

ISL Conference Proxy - Core - md5 hash is weak in index.xml, use sha512 [ISLCONFPROXY-543]

Description

Each file in the online update repository includes an md5 hash value, which was checked when performing an online update. Due to md5 vulnerabilities, sha512 hash values were added to each file in the repository. ISL Conference Proxy version 4.1 will check each file with the sha512 hash value; older versions of ISL Conference Proxy will still use md5 hash values.

The defect was fixed.

ISL Conference Proxy - Core - crash when shutting down direct tables [ISLCONFPROXY-547]

Description

When ISL Conference Proxy is shutting down it will also stop internal PostgreSQL database, however periodical task grid sync remained active and caused ISL Conference Proxy to crash. Periodical tasks are now stopped after stopping PostgreSQL database.

The defect was fixed.

ISL Conference Proxy - Core - fix plaintext setting_adminpwd on linux (DEFECT) [ISLCONFPROXY-549]

Description

If users started ISL Conference Proxy in headless mode, a file called setting_adminpwd was created, and its content was the plain-text password for administration. Headless mode was redesigned; when the setting_adminpwd file is created, the file content (password) is also encrypted.

The defect was fixed.

ISL Conference Proxy - Core - libpng 1.6.15 [ISLCONFPROXY-552]

Description

ISL Conference Proxy external library libpng was updated to version 1.6.15.

The defect was fixed.

ISL Conference Proxy - Core - cookie escaping [ISLCONFPROXY-554]

Description

ISL Conference Proxy did not correctly escape cookie content, so injection was possible. Cookie content is now correctly escaped, preventing injection.

The defect was fixed.

ISL Conference Proxy - Core - Improve filters implementation for webapi2 access (DEFECT) [ISLCONFPROXY-566]

Description

Users who used the Filters that define access to webapi2 setting, located on the ISL Conference Proxy /conf page under Configuration -> Security, were unable to filter access for users. If the setting did not include the version of the webapi2 call, filtering did not work. The filtering algorithm was redesigned; users do not need to specify the call version in order to block it.

Example to block usage of utils/login webapi2 call:

[ip any]

filter deny_method utils/login;

The defect was fixed.

PostgreSQL

ISL Conference Proxy - Module PostgreSQL - update to 9.3.5-3 (FEATURE) [ISLCONFPROXY-525]

Description

The ISL Conference Proxy PostgreSQL database backend was upgraded to version 9.3.5-3.

ISL Conference Proxy - Module PostgreSQL - change absolute paths into relative if possible (DEFECT) [ISLCONFPROXY-451]

Description

PostgreSQL used absolute paths for the directories it uses, which could cause issues when moving ISL Conference Proxy. At startup PostgreSQL will try to change all absolute directory paths into relative paths (postgresql_bin, postgresql_data) to ease the migration of ISL Conference Proxy.

The defect was fixed.

ISL Conference Proxy - Module PostgreSQL - limit shared buffers (at least on 32-bit) (DEFECT) [ISLCONFPROXY-532]

Description

The ISL Conference Proxy back-end database PostgreSQL was unable to allocate enough memory to start the database on Windows 32-bit operating systems, which caused ISL Conference Proxy to enter a restart loop. PostgreSQL is now limited to 512 MB of memory allocation and should no longer cause ISL Conference Proxy to enter a restart loop.

The defect was fixed.

Reports

ISL Conference Proxy - Reports - Live chat session list does not show custom fields (FEATURE) [ISLCONFPROXY-491]

Description

Support for displaying custom fields for live chat was added to sessions list in Live chat reports.

Reports - Light - Add support for showing session name, client's email and notes (FEATURE) [ISLCONFPROXY-511]

Description

New fields were added to Remote Support reports. Added fields now show session name, client's email and Notes for the session.

ISL Conference Proxy - Reports - add xpp call to check if module is available (FEATURE) [ISLCONFPROXY-586]

Description

Added support for checking if module is available on any of the servers.

Example:

if|{{reports_module_available|module|...html for module...}}

ISL Conference Proxy - Reports - Broken layout if there are no chats to be shown (DEFECT) [ISLCONFPROXY-455]

Description

If a user had no chats to be shown, opening Live chat reports resulted in the Overview dropdown menu overlapping with the status text. The Overview dropdown menu was moved; the elements no longer overlap.

The defect was fixed.

ISL Conference Proxy - Reports - HTML escape JS injected content (DEFECT) [ISLCONFPROXY-466]

Description

In the Reports module, XSS HTML injections were possible due to HTML content not being escaped correctly. All HTML content is now correctly escaped, so XSS HTML injections should no longer be possible.

The defect was fixed.

ISL Conference Proxy - Reports - Missed chat broken on IE 8 (DEFECT) [ISLCONFPROXY-479]

Description

Users of Internet Explorer 8 were unable to view missed chats due to a JavaScript error. The error was fixed; missed chats are now correctly shown in Internet Explorer 8.

The defect was fixed.

ISL Conference Proxy - Reports - Spaces in custom field names are not shown properly (DEFECT) [ISLCONFPROXY-491]

Description

Opening the chat transcript of a chat that has custom fields set resulted in spaces being shown as + signs in the visitor custom fields section. Displaying custom fields in the chat transcript was redesigned; spaces are now correctly displayed.

The defect was fixed.

ISL Conference Proxy - Reports - Code review html page escaping to prevent XSS (DEFECT) [ISLCONFPROXY-509]

Description

In reports web pages, XSS HTML injections were possible due to HTML content not being escaped correctly. All HTML content is now correctly escaped, so XSS HTML injections should no longer be possible.

The defect was fixed.

ISL Conference Proxy - Reports Module - Chat transcript is broken if HTML/JS injection is put in custom fields [ISLCONFPROXY-511]

Description

ISL Conference Proxy - Reports - Live chat - Chat transcript client field is too far to the right (DEFECT) [ISLCONFPROXY-511]

Description

The client's text in the chat transcript of a live chat was moved too far to the right, which could cause elements to overlap. Displaying client text was redesigned and should no longer cause elements to overlap.

The defect was fixed.

ISL Conference Proxy - Reports - Live chat - Corrupted chat transcript layout (DEFECT) [ISLCONFPROXY-570]

Description

Users may have experienced a corrupted chat transcript layout if only the operator was present in the chat. The chat transcript for chats with only the operator present was redesigned and should now be shown correctly.

The defect was fixed.

ISL Conference Proxy - Reports - Live chat button in reports is shown even when ISL Pronto module is missing (DEFECT) [ISLCONFPROXY-582]

Description

The Reports web interface showed the icon for Live chat or Remote support reports even if those modules were not available on the server. Showing icons was redesigned; icons for reports are only shown if the module is available.

The defect was fixed.

ISL Groop

ISL Groop - Module - code review html page escaping to prevent XSS (DEFECT) [ISLGROOP-492]

Description

On ISL Groop module web pages, XSS HTML injections were possible due to HTML content not being escaped correctly. All HTML content is now correctly escaped, so XSS HTML injections should no longer be possible.

The defect was fixed.

ISL Groop - Module - Registration and Survey editor - Pressing Enter on elements will trigger POST (DEFECT) [ISLGROOP-499]

Description

Users who opened the survey or registration editor, dragged a Text box or Title and text element into the editor and pressed Enter on an input field triggered the POST action of the form. The editor was redesigned; pressing Enter on inputs of survey or registration elements will no longer trigger the POST action.

The defect was fixed.

ISL Groop - Module - Registration and survey editor - entering incorrect image URL will break this element layout (DEFECT) [ISLGROOP-500]

Description

If users opened the registration or survey editor and entered an img element with an incorrect link to the image, the element's layout was broken. The element is now defined with a minimal height, and an incorrect link to an image will no longer break the layout.

The defect was fixed.

ISL Groop - Module - Invitation mail cannot be styled when IE 8 is used (DEFECT) [ISLGROOP-515]

Description

Invitation email styling (WYSIWYG editor) was disabled on Internet Explorer 8 due to browser incompatibility.

The defect was fixed.

ISL Groop - Module - Registered users - If users were registered when v1 interface was used, registered users webpage will fail due to js error (DEFECT) [ISLGROOP-515]

Description

If users created a meeting using version 1 of the web interface and had registered users on that meeting, viewing these registered users using version 2 of the web interface caused a JavaScript error and the registered users were not displayed. The issue was a data mismatch between web interface versions 1 and 2. Displaying registered users was redesigned; users are now shown correctly even if the meeting was created using version 1 of the web interface.

The defect was fixed.

ISL Groop - Module - Untranslated strings (DEFECT) [ISLGROOP-529]

Description

Users may have found some text not being translated on web interface of ISL Groop. Missing text translations should now be correctly translated.

The defect was fixed.

ISL Groop - Module - Incorrect time shown on the edit meeting page (DEFECT) [ISLGROOP-538]

Description

Users may have experienced an incorrect date being shown in edit meeting. The date picker in edit meeting added an extra month to the start time of the meeting. Date picker functionality was redesigned; it now shows the correct start date of the meeting when editing it.

The defect was fixed.

ISL Light

ISL Light - Module - New session information fields (name, email, notes) (FEATURE) [ISLLIGHT-1826]

Description

ISL Light web interface includes new session information section. The section contains information such as name of the session, client's email and notes that were added to the session by supporter. Users can edit the session info either from ISL Light 4 or from web interface. To edit session from web interface users have to click on Action -> Edit.

ISL Light - Module - Export desk and client information in reports (FEATURE) [ISLLIGHT-1960]

Description

Support for exporting session information ( session name, client's email and notes ) was added to ISL Light module.

ISL Light - Module - Redesign Web UI to look similar to Light 4 UI (FEATURE) [ISLLIGHT-1960]

Description

The ISL Light web interface was redesigned to look similar to the ISL Light 4 dashboard.

ISL Light - Module - Code review html page escaping to prevent XSS (DEFECT) [ISLLIGHT-1880]

Description

Some HTML pages of the ISL Light module did not correctly escape HTML content, so XSS HTML injection was possible. All HTML pages are now correctly escaped, eliminating the option for XSS HTML injection.

The defect was fixed.

ISL Pronto

ISL Pronto - Module - Add dynamic custom fields to reports (FEATURE) [ISLPRONTO-314]

Description

New settings were added to ISL Pronto configuration for setting which fields are offered in reports. Administrator needs to set this before users can view custom fields in reports.

New settings were added to ISL Conference Proxy which are located on /conf page under Configuration -> Configuration -> ISL Pronto:

  • Reports custom field list (example: field1)
  • Reports custom field titles f1=Title1&f2_<lang>=Title2 (example: field1=Field)

ISL Pronto - Module - crash in webapi2 call islpronto/domain/filter/get/single/1 with no DT support (CRASH) [ISLPRONTO-323]

Description

ISL Pronto module crashed if server had old VFS backend instead of direct tables and user called webapi2 call islpronto/domain/filter/get/single/1.

The defect was fixed.

ISL AlwaysOn

ISL AlwaysOn - Module - Use new file override framework (FEATURE) [ISLALWAYSON-577]

Description

Removed custom implementation of overrides for user pages in ISL AlwaysOn module. Previous version of the module supported separate overriding functionality of user pages, the new module supports only the standard override method which is also used by other modules.

Example of new implementation usage:

objects/web_content_[_subtemplate_SUBTEMPLATE_]FILEBASE_VERSION.FILEENDING (objects/web_content_usersxyzbubu_1.html)

ISL AlwaysOn - Module - CSRF review (FEATURE) [ISLALWAYSON-580]

Description

Protection against CSRF was added to ISL AlwaysOn module.

ISL AlwaysOn - Module - Join link does not work (DEFECT) [ISLALWAYSON-605]

Description

Users who received an e-mail invitation for allowing a remote user to access their computer and followed the invitation link could not open the page after confirming the invitation on the webpage. The redirect incorrectly escaped the web address, so the page could not be opened. Link redirection was redesigned; the page should now open correctly.

The defect was fixed.
