v6.3.0 - Security hardening, with various improvements and bug fixes

A commercial IT consultancy provider uses IXP Manager in one of their solutions. They had their overall solution reviewed by an internationally respected cyber security and risk assessor. This review included IXP Manager and the commercial IT consultancy responsibly disclosed all of the issues and advice related to IXP Manager.

These have been addressed in this release and are itemised below. We recommend all IXPs that use IXP Manager upgrade to this new version.

We thank the IT consultancy, and those within it that we have been dealing with, for sharing the findings with us.

Release Summary

$  git --no-pager diff --shortstat v6.2.0 release-v6
 87 files changed, 3025 insertions(+), 2513 deletions(-)

Upgrade Instructions

The official upgrade instructions can be found here.

This release does include some minor database migrations - please follow the instructions above.

Post-Upgrade Instructions

We use Laravel's mail system and so we need to keep in sync with their defaults. A recent change means that when sending email via SMTP, tls no longer the default. See #752 for a discussion.

If using SMTP, ensure you test emails via the test tool here.

Security

• Remove web.config from public via e9d0819. Not used and was the framework default so not an issue here, just best practice. Came up as an issue in a security audit and we note this has been removed from Laravel for the same reason: laravel/laravel@4bc502b
• Escape specific instance of HTML content to prevent XSS [ref: 055-9-4] via bc9b14c
• Make response to forgotten password generic [ref: 055-9-8] via 04fe7d8
• Implement a stronger password policy [ref: 055-9-7] via 2889be9
• Prevent XSS / JS interpretation in preview boxes [ref: 555-9-9] via 083d17e
• Disable phpinfo() by default [ref: 055-9-11] via 921f515
• Don't allow user with priv = 0 [ref: 055-9-13] (bug fix) via e5a48ab
• Check for patch panels when deleting racks [ref: 055-9-14] via 5ec406e

Improvements

• Peering Matrix - increase look-back days and make configurable which makes the detection better in some cases via 53333e4
• Garbage collection for macaddress table via 724a05c
• Make member display name formatting configurable in .env to assist with #766
• Preserve IXPM functionality from recent OSS_SNMP change via 1b4cbfa re switch serial number via SNMP being not implemented
• Remove final runtime dependency on views.sql via b414ca1
• Modernise PeeringDB and IX-F links and make them configurable via 0ac782d
• Add patch_panel.colo_pp_type - a new database for the colo end of patch panels via 3fd45df
• Link to reseller in member overview. Use more commonly displayed abbreviatedName. Closes #802
• Update robots.txt - LG can also be referenced using /index.php/lg/. Need to exclude this from search engines via 4e17563
• Enable logout on 2fa required page - fixes #806 and prevents user getting 'locked' in 2fa

Bug Fixes

• Fix display of IPv6 addresses in mac-address/list via d37e285
• Fix duplicated entries in mac-address/list route via daee524
• $sp->isTypePeering() -> $sp->typePeering() via 305a79e
• Could not save associate member edits due to int/string comparison via b707e00
• Fix issue with route display in looking glass via 5f7b338
• Fixing vlan id to close #773
• Incorrect ipv6enabled check - noted by @listerr in #778 - and also bugfix via d1278d5
• ipv4_subnet does not display properly - fixes #783
• Core bundles - need user before checking for permissions via 66d1a60
• Escape returned data and error messages on login forms via c623390
• /statistics/member raises error if not auth'd via f9d2f99
• Fix log viewer - do not crash out if user is deleted / not listed on log via 2ab9102