JAS 1.1 has been released
JAS 1.1 is now available for download, here are the highlights:
- Redis memory cache, Memcached PHP extension, PostgreSQL support
- Less reliant on Apache, i.e. Nginx support
- CSRF protection
- Faster (initial load is about twice as fast)
Note that the upgrade process from 1.0 to 1.1 is unfortunately not seamless. Check the documentation on how to upgrade!
Thanks all for the hard work!
JAS 1.1 Release Candidate
After 2 months of hard work we're closing in on JAS 1.1 and we celebrate this with JAS 1.1 RC1!
Here's a quick overview of all the changes:
- Pager plugin supports meta descriptions and keywords and link relations.
- Added Redis memory cache support, fixed Memcached PHP extension support
- Added PostgreSQL support
- Added CSRF protection
- Added advanced filter supports, check out the documentation
- Added some user feature
- Configuration is now cached so it loads a lot faster
- Pretty URLs have been reworked, see the webserver installation for more info
- Date convert can deal with non-English month names
- Various backend improvements
- And more...
Happy hunting!
JAS 1.0 goes public!
After many years of hard work JAS has finally been released to the world! JAS is a free web application platform which makes the life of your developers and application managers easier. It's an open source Content Management Framework that allows you to quickly create elaborate web-applications. Due to its consistent data approach you don't have to worry about how your data is managed and instead you can focus on how your applications actually work.
JAS relies solely on open source technology that is freely available and therefore the whole solution can be rolled out for free. Installing it is simply a matter of downloading the release, unpacking it in the web directory and setting up the password, which can be done in 30 seconds flat. To give you an idea about what JAS is, this website runs on JAS and this is how the backend looks. For more in-depth information please refer to the introduction or check out the full documentation.
Many thanks to everybody that has contributed to JAS over the years!
JAS 1.0 Release Candidate 3
OK, we have been pretty busy over here so we had to delay the 1.0 release. On the upside we've done some extensive testing and decided to do one more release candidate before the final release. This one includes some security fixes, a small change and some other fixes. Next up, the final 1.0 release!
Security audit
So one of the things we wanted to do during the Release Candidate testing was a security audit. We've assessed a number of tools out there (OpenVAS, Nikto and w3af) and we settled on w3af. It allowed us to easily scan JAS for a vast amount of known security issues and gives a good indication of what issues there are and pointers to how to resolve them.
Now since JAS itself is just a framework there's not a lot to audit using a web security scanner. What can however be scanned are website implemented using JAS. So first up was a "full audit" (CSRF, SQLi, XSS, brute force, click jacking, etc.) on this website to see whether it would hold up. The only thing that came out of this was that it was susceptible to click jacking and a number of trivial things around the underlying infrastructure (i.e. the web-server), which is not surprising as it was a stock Apache installation without any security hardening. Other than that no significant security issues were found.
Round 2, let's knock on the door of the JAS backend and see whether we may enter. As the JAS backend requires reasonably strict passwords the standard brute force didn't have any effect. More over since the backend doesn't show anything other than a login box to anonymous users there wasn't anything to break. So as long as you're not leaving your credentials lying around there doesn't seem to be a way into the backend.
Ok so what if you are logged in to the backend and someone tricks you? By far the most elaborate scan we did was the JAS backend with the root user logged in. Like on the website it found it was susceptible to click jacking but it also had 2 XSS issues. The latter is rather serious as that could potentially be used to hijack someones session, effectively getting direct access to the backend. Obviously these issues were resolved and rerunning the full audit showed that both the backend and this website were now almost free of issues.
The only serious issue left is Cross-Site Request Forgery (CSRF) which could allow an attacker to submit content to the JAS backend. That said this would only be possible if you're logged into the JAS backend and you click on a forged link on another tab that was especially crafted for your website. Since fixing this issue would affect almost every form in JAS it was decided to push the fix to JAS 1.1.
JAS 1.0 Release Candidate 2
Many thanks to my loyal test team for breaking RC1, here's RC2! It includes around 40 fixes for a variety of things however it also includes a few changes that we just had to sneak in:
- array field type can now be used let SQL check a list of values
- going to project/ will now open the project frontend (rather that then old project/jas/project/ url)
- search.js is now a core script and the wysiwyg.js uses css for its styling
Happy hunting!
Next release thoughts
RC1 testing is well underway and it seems there aren't too many bugs so the final release is not going to be long. So this would be a nice time to have a look at the next release, here are a couple of things you can expected.
- Reference text fields support
Wouldn't it be nice if you could just type the first few characters of a reference and it would automatically link it instead of having to look through a dropdown list? And if you typed something that doesn't exist that it is automatically added? Inspired by the blog tags this feature will be available for all references. - Configurable users module
The currently user module is pretty basic which and although it does what it says on the tin you might need some more flexbility. Think of email validation, preset language and timezone, IP restrictions, brute force protections, etc. - JAS Daemon
Schedulars are very nice and all but they just don't cut it for realtime processing of information. The JAS daemon will continuously monitor a variety of services (think HTTP, FTP, POP, file systems, etc) and get busy if action is required. Additionally it will have a build-in schedular so it can poll things like RSS feeds. - JSON & RSS APIs
Of course JAS also needs a JSON API, we just didn't get around to building it. Additionally being able to monitor comment posts on your website via RSS would be nice right? - Workflow
JAS already supports basic workflows for modules but anyone that can edit the module data can change its workflow state. The idea is to have events in the module that get triggered on a state change which can apply additional logic to determine whether the state change is allowed. - Encryption / Decryption
Currently JAS only supports password hashing, the next release will have encrypt/decrypt for a number of the typical ciphers. This would for example enable PGP file signatures.
Have a look at the other changes that are lined up for 1.1.
JAS 1.0 Release Candidate
After a lot of rework, fixes and a complete rewrite of the backend,
JAS 1.0 RC1 is finally here. There are a vast amount of changes since the previous release, so some rigorous testing will need to be done to ensure it's stable enough for a final 1.0 release. This will be done over the coming weeks after which the final release will be posted here.
On a pleasant side note, we also managed to squeeze in the changes for PHP 7. Although the changes touched pretty much every part of JAS, the impact was quite limited. Long story short, running JAS on PHP 7 should be a walk in the park, that is, assuming no fundamental changes will be done to PHP 7 after RC6.
