[DBTech] DragonByte Security 4.7.0

Update highlights

This version fixes a few bugs reported by the community.


Complete Change Log

Fix: "The following sub-option(s) are unknown: includeWebGL" when saving settings
Fix: Fix regression from 4.3.3 affecting fingerprints

Update highlights

This version fixes a few bugs related to the "account lock" feature reported by the community.


Complete Change Log

Fix: Corrected the log phrase for locked accounts (not retroactive)
Fix: Ensure the "resend" and "unlock" actions are also excluded from force redirects
Fix: Ensure all redirects use the public route (prevents race condition where admin accounts are redirected)

Update highlights

This version updates the "Account locked" function to log its state changes in the user change log, similar to other flags in the core XenForo product.

It also resolves a potential server error on install, if the API that fetches the country list is inaccessible.


Complete Change Log

Feature: Log "account locked" status in the User Change Log
Fix: Fix a potential server during install

Update highlights

This version is a quick maintenance update to fix some reported bugs, as well as improved compliance with the XenForo Resource Guidelines.

The most important fix is PHP 7.4 compatibility; PHP 7.4 is now officially supported.


Complete Change Log

Change: Updated internal data path references to better support CDNs
Fix: Fix curly brace syntax for PHP 7.4
Fix: Fixed an issue where adding a closure / anonymous function to config.php could cause issues with the config tamper detection

Update highlights

This version is a major upgrade, adding support for various kinds of security keys (such as a YubiKey) to the Two-Step Authentication feature, as well as the password confirmation screen.

Setting up a security key as a two-step authentication method is as easy as it is on any other site; navigate to the Two-Step screen in XenForo, and click "Enable" next to "Verification via security key". Once enabled, repeat visits to the Two-Step screen can also take advantage of your security key to bypass needing to enter your password.

This feature even works with "Windows Hello", found in the Microsoft Edge browser for Windows 10. You don't even need a physical security key!
(The computer needs to support the Trusted Platform Module to enable this feature.)

You can see this in action @ www.DragonByte-Tech.com if you own a FIDO-U2F or FIDO2 compatible security key.

Please be aware that this feature requires PHP 7.2.0 or newer. It will not appear for users on your site if you are running PHP 7.1 or older.


Complete Change Log

Feature: Security keys can now be used as a two-step authentication method [!!!REQUIRES PHP 7.2 OR HIGHER!!!]
Feature: Security keys can now be integrated with password confirm screens [!!!REQUIRES PHP 7.2 OR HIGHER!!!]
Change: Rename a couple of database columns to ensure they comply with the resource guidelines
Fix: Fix a regression with the HIBP API

Update highlights

This version is an "emergency" update to address the closure of the existing HaveIBeenPwned integration, which powers the "Account breach checker" feature.

v3 of their API requires authentication, and a monthly payment to continue using it. Please see the blog entry on the creator's website for more information: https://www.troyhunt.com/authentication-and-the-have-i-been-pwned-api/

It is not possible to continue using the existing API found in v4.2.6 or earlier. If you are unable or unwilling to update to this version, please disable the account breach checker to prevent further problems.


Complete Change Log

Change: Updated HaveIBeenPwned integration (account breach checker) to use v3 of their API

Update highlights

This version makes changes to the way API lookups are handled in order to protect against invalid responses from APIs such as HaveIBeenPwned.

The new privacy-focused API calls made the response data more susceptible to invalid data being parsed, but hopefully these changes should resolve that permanently.


Complete Change Log

Change: Add protection from invalid responses from various API lookups
Fix: Fixed an issue where invalid responses from HaveIBeenPwned would cause a server error

Update highlights

This version contains a follow-up to the changes in the previous version, where an empty response from certain requests could produce a server error.


Complete Change Log

Fix: Ensure we don't attempt to json_decode on an empty body

Update highlights

This version improves compatibility with core XenForo features by supporting the "HTTP Proxy" feature in XenForo. This feature is used by certain sites that may be the target of harassment / DDoS attacks, to mask the true IP of the server.

When making calls to 3rd party websites, such as MaxMind to download the latest GeoIP database, those HTTP calls would expose the true IP of the server.

For this reason, the HTTP calls in this product have been updated to support the HTTP proxy. Going forward, all DBTech products that make calls to 3rd party APIs will support the HTTP Proxy feature where possible.

Furthermore, the old low-resolution images used in the password rules display have been replaced with FontAwesome icons.

Lastly, a server error when doing a mass password reset has been resolved.


Complete Change Log

Change: Changed the way API calls are made, in order to support the HTTP Proxy feature in XenForo
Change: Use FontAwesome for the password rule indicators instead of images
Fix: Fix a server error when doing mass password reset

Update highlights

This update fixes bugs reported by the community.


Complete Change Log

Fix: The link to IP address info in the IP Address Search results now works as intended
Fix: Fix a bug in the Bad Behavior script
Fix: Fix for a possible duplicate entry in the fingerprint log