Can't find what you are looking for? Try these pages!

Downloads

Contact Us

Products

About

News

Contact Us

Security update for all supported DataFlex versions with WebApp Framework - Action required!

8-21-2024

For supported revisions of DataFlex there are updates available now that address a web application security issue.

This does not affect the usability of applications. However, hackers can potentially exploit the behavior making it a security risk that needs to be addressed.

This issue affects all versions of the DataFlex WebApp Framework (DataFlex Studio and DataFlex web applications running in production) and possibly deployments using the Ajax Library.

Steps to take

The vulnerability is quick to mitigate. It is highly recommended to remove both DebugBuffer.js and DebugBuffer.css files from any DataFlex web applications running in production.

It’s also recommended for developers to upgrade their DataFlex Studio(s). When working with DataFlex Studio versions that are no longer supported, developers and system administrator can safely remove both DebugBuffer.js and DebugBuffer.css files. 

Developers are encouraged to update DataFlex web applications running in production and DataFlex Studio(s) now!

How to remove Debugger JS and CSS files:

When to perform this step:

  1. If you have DataFlex web applications running in production.
  2. If you are working on an older DataFlex version that is not in the current product list, and no updated DataFlex Studio is provided.

How to:

  • Remove the ‘DebugBuffer.js’ and ‘DebugBuffer.css’ files from the DfEngine directory in the AppHtml folder.
  • This will not impact production capabilities, and is safe to perform.
  • It is highly recommended to perform this action as soon as possible, even if the chance of exposure is low. 

How to update DataFlex Studio(s):

When to perform this step: if your DataFlex Studio version is in the list below.

  • With this post we release new versions of the officially supported DataFlex Studio versions, being:
    • DataFlex 24.0
    • DataFlex 23.0
    • DataFlex 20.1
    • DataFlex 19.1
  • To install the new version(s):
    • First uninstall the current DataFlex Studio version.
    • After opening a workspace, a migration of the JavaScript engine shows. If that is not suggested go to Tools -> Update JavaSCript Engine. Click yes.
    • During the update this message shows: “A vulnerable framework component (DebugBuffer.js) has been found, should the studio remove this file?”. The recommended answer is yes.
    • Note that this will remove both JS and CSS files. Those that have actively used this component are able to leave it.

Security reminder

Please note that it is recommended to use recent and supported DataFlex version(s). Especially in web environments security updates are important. Look at the Current Products List for the officially supported DataFlex versions and platforms.

For further discussion, visit the DataFlex Web & Mobile Applications forum

FlexLinks Newsletter

Sign up today to stay informed!

Sign up

Latest from our Blog

Getting Started with Dynamic Web Objects in DataFlex
Manually Uninstalling DataFlex
Structure Padding Helper tool eases migrating your DataFlex applications to 64-bit
© 2024 Data Access Corporation. All rights reserved. | PRIVACY POLICY | COOKIE POLICY