We have upgraded our installation to ChiliProject 3.1.0. Our congratulations go to the people behind ChiliProject.
In short, a quote from their release announcement:
ChiliProject 3.1.0 includes some new features and bugfixes for ChiliProject 3.0.0 as well as some critical security fixes. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.
3.1.0 includes 20 bug fixes including one security fix and 5 new features for 3.0.0.
The security fix addresses several of the mass assignment vulnerabilities in ChiliProject. These allowed users to write certain pieces of data which they should not have been allowed to. However, users could not grant themselves access to data they can’t normally access. It was also not possible for non-admins to grant users additional rights.
All of the vulnerabilities existed since the start of the project, most going back to the beginning of Redmine itself. To further mitigate the issue, we are going to review the controller code and add additional means to prevent mass-assignment vulnerabilities in the future. As these changes require some architectural changes, we will spread them out over the future releases as part of our migration to Rails 3.
More information about the way mass-assignment works in Rails can be found at Michael Hartl’s tech blog.
You can download ChiliProject 3.1.0 here. A full list of changes can be found in the release announcement linked above.
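To make the vulnerability class named in the quoted announcement concrete, here is an added example, a small Rails-free Ruby script that is not ChiliProject's or Rails' code and is not tied to any ChiliProject controller. It contrasts a model that honours every key in a request hash with one that only accepts a declared whitelist (the idea behind Rails' `attr_accessible`). The `Post` classes, their attributes and the request hash are constructed for illustration.

```ruby
# Added example (not ChiliProject's code): a minimal, Rails-free model of the
# mass-assignment problem and the whitelist fix the announcement alludes to.
# The Post classes and their attributes are constructed for illustration.

# Vulnerable pattern: every key in the request hash becomes an attribute write.
class UnsafePost
  attr_accessor :title, :body, :author_id, :locked

  def initialize(author_id)
    @author_id = author_id
    @locked = false
  end

  # Mirrors update_attributes(params[:post]) with no attribute protection:
  # the client decides which columns get written.
  def update_attributes(params)
    params.each do |key, value|
      send("#{key}=", value) if respond_to?("#{key}=")
    end
    self
  end
end

# Hardened pattern: only the declared attributes may be set from a request
# hash, in the spirit of attr_accessible (or strong parameters later on).
class SafePost
  ACCESSIBLE = %w[title body].freeze

  attr_accessor :title, :body, :author_id, :locked

  def initialize(author_id)
    @author_id = author_id
    @locked = false
  end

  # Returns the keys that were rejected so callers can log them: unexpected
  # keys in a form submission are worth an alert, not just silent dropping.
  def update_attributes(params)
    rejected = params.keys.map(&:to_s) - ACCESSIBLE
    params.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_s)
      send("#{key}=", value)
    end
    rejected
  end
end

# Constructed request body: the form only exposes title and body, but a
# client can submit any keys it likes.
TAMPERED_PARAMS = {
  "title" => "Weekly report",
  "body" => "All green.",
  "author_id" => 1,
  "locked" => true,
}.freeze

def unsafe_result
  post = UnsafePost.new(42).update_attributes(TAMPERED_PARAMS)
  { author_id: post.author_id, locked: post.locked }
end

def safe_result
  post = SafePost.new(42)
  rejected = post.update_attributes(TAMPERED_PARAMS)
  { author_id: post.author_id, locked: post.locked, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  p unsafe_result # server-owned author_id overwritten, locked flag flipped
  p safe_result   # server-owned fields untouched, tampered keys reported
end
```

The defensive point is the whitelist direction: the model declares what a request may set, rather than trying to blacklist sensitive columns one by one, and the rejected keys are surfaced so a monitoring rule can pick up tampering attempts.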