Title: TeamPage 6.2.65

TeamPage 6.2.65 includes an important security fix to close a path which could be leveraged by an attacker. We recommend all customers update to this new version as soon as possible. Traction Software's TeamPage Cloud servers have been updated. The release also includes some other bug fixes and improvements. Please read on for the full list of changes.

Download TeamPage 6.2.65




Bug Fixes



Security



• Fixed a bug involving failure to sanitize a request parameter. This could, in limited circumstances, be leveraged by an attacker to create a URL that would cause JavaScript of their choice to be run by the user's browser. (Server100067)

External Directory Service Integration



• Fixed a rare bug that could prevent TeamPage from working properly when a TeamPage group included a reference to a security principal defined in Microsoft Active Directory, but using an incomplete or otherwise invalid version of the principal's GUID string. This type of invalid security principal is now handled gracefully. (Administrators should still try to fix invalid references to externally defined security principals, either by replacing them with the correct intended reference or by removing them completely, as applicable.) (Server100151)

• Fixed some problems with TeamPage's support for plain LDAP external user directory service integration that prevented users from logging in. (Server100152)

General



• Fixed a bug that caused a series of confirmation dialogs to get stuck in a loop when TeamPage identified that a file: URL had been used as the source of an image in the rich text editor. TeamPage now skips that warning altogether, but users can clearly see that if they try to include an image from a file: URL, it will appear as broken in the editor. Users who end up with a file: URL reference in an image -- most likely as the result of pasting an image in certain browsers -- should drag and drop the desired image (or otherwise upload it using the insert image dialog or the attachment upload control) instead of trying to correctly attach the local file to the entry. (Server100114)

• Fixed a bug that could prevent a user from commenting on an entry that was in the draft state, even if they had the permissions required to do so. (Server100127)

Improvements



HTTP Server



• Added support for the "Strict-Transport-Security" HTTP response header for TeamPage servers that use TLS (HTTPS). Administrators must opt into this feature by selecting "yes" for the "Send Strict-Transport-Security HTTP Response Header" setting under server settings > Network > Features / Tuning. Administrators can also choose the desired age associated with this header via the "Strict-Transport-Security Maximum" setting. (Server100096)

• Made the "Server" HTTP response header optional. By default, this response header will no longer be sent. To have TeamPage send it, administrators can choose "yes" for the 'Send "Server" HTTP Response Header' setting under server settings > Network > Features / Tuning. (Server100109)

• TeamPage no longer sends the "MIME-version" HTTP response header. (Server100108)
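After upgrading and changing these settings, an administrator can confirm the result by auditing a response head against the three header changes listed above. The following is an added example, not TeamPage code; the sample response heads are constructed, the "ExampleServer/0.0" value is a placeholder, and the 180-day minimum max-age is an assumed policy threshold. It reports "Server" as a finding because that header is off by default; a site that opts in would drop that check.

```python
import re

def parse_head(raw):
    """Parse a raw HTTP response head into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS value, or None if absent or invalid."""
    for directive in value.split(";"):
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return None

def audit(raw, min_max_age=15552000):  # 180 days: assumed threshold, not from the page
    """Return a list of findings; an empty list means the head passes."""
    h = parse_head(raw)
    findings = []
    sts = h.get("strict-transport-security", [])
    if not sts:
        findings.append("HSTS header missing")
    else:
        age = hsts_max_age(sts[0])  # RFC 6797: only the first STS field is processed
        if age is None:
            findings.append("HSTS header has no valid max-age")
        elif age == 0:
            findings.append("HSTS max-age=0 tells browsers to drop the policy")
        elif age < min_max_age:
            findings.append(f"HSTS max-age {age} below {min_max_age}")
    for name in ("server", "mime-version"):
        if name in h:
            findings.append(f"{name} header still sent: {h[name][0]}")
    return findings

# Constructed sample response heads (not captured from a real TeamPage server).
BEFORE = "HTTP/1.1 200 OK\r\nServer: ExampleServer/0.0\r\nMIME-version: 1.0\r\n"
AFTER = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"

if __name__ == "__main__":
    for label, head in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(head) or "ok")
```

To check a live server, paste the head returned over HTTPS into `audit()`; browsers ignore Strict-Transport-Security received over plain HTTP.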



Article: Customer5503
Categories: :Doc:changelog, :Doc:r62
Date: July 11, 2023; 3:55:57 PM Eastern Daylight Time

Author Name: Dave Shepperton
Author ID: shep