Mach-II Dashboards Released: 1.1.0 for Mach-II 1.8.x series and 1.0.1 for Mach-II 1.6.x series

Team Mach-II is proud to present the latest stable releases of the Mach-II Dashboard. Two versions have been released: one for the 1.6.x series of the Mach-II framework and one for the 1.8.x series. We are now using OhLoh to manage our releases, so all downloads will be from our OhLoh project listing.

Security Notice

Due to a possible directory traversal security flaw, we strongly suggest upgrading to these versions as they contain the latest enhancements and security patches. This flaw, if exploited correctly, could lead to access to PNG, GIF, JPG, CSS and JS files that may not necessarily be available from the website root. This flaw does not affect any other file types.

We have received absolutely no reports of this exploit being used in the wild and it only affects users of the Dashboard module when deployed to production environments. This does NOT affect the core Mach-II framework in any way.

This is a same-day discovery release fix. We issued the 1.0.1 maintenance release and the 1.1.0 final / gold stable on the same day that this possible flaw was discovered. This possible flaw was discovered by a source code audit performed by a Team Mach-II member.

Security Resolution Paths

  1. Upgrade the version of the Dashboard you are using to one of the versions below. Be sure to clear your CFML engine template cache and restart your application to clear any Dashboard components that had been loaded into the application memory.
  2. If you cannot upgrade at this time, removing the Dashboard from production applications (i.e. commenting it out in your mach-ii.xml file) will fix this security concern until you can update your Dashboard source code.

Downloads

For Mach-II 1.6.x Series:

Download Mach-II Dashboard 1.0.1 Stable (Maintenance Release for 1.0.0)

For Mach-II 1.8.x Series:

Download Mach-II Dashboard 1.1.0 Stable

For Mach-II 1.9.x Series using integrated Dashboard:

Use the latest BER zip or SVN version. Do not use milestone 1 or milestone 2 in production.

For the Future

We will blog more about this possible exploit -- how it was discovered, what the specific exploit is, how it works and how to resolve it. At the moment, we are refraining from discussing the specifics since this is an active (although medium level) security concern. A full postmortem will be coming in the next several weeks as it can provide information on securing your own applications.

Ready for the World: 1.8.1 Simplicity - Maintenance Release

About six months after the release of Mach-II 1.8.0 Simplicity, Team Mach-II is proud to announce that the 1.8.1 maintenance release is gold.

Download 1.8.1 Now

This is a maintenance release for the 1.8 series of Mach-II versions. You can find out more about What's New in Mach-II 1.8.1 on our wiki. Have a fun time Mach-ing out and be sure to look out for the Mach-II Integrity (1.9.0) Milestone 2 release soon!

 

Mach-II Screencast on Templating in a Mach-II Application (Part I)

Greetings Mach-II users, fans, and lovers! We're pleased to announce the newest addition to our MachStart Screencast series. In this series, Brian FitzGerald of team Mach-II shows you just how easy it is to skin your Mach-II application. In this video, we look at how to grab any HTML template and apply it to your application, touch on the new View Loaders feature made available in Mach-II 1.8, take a look at Mach-II subroutines, and more! If you're new to Mach-II, don't miss this video!

A few related links:
Subroutines: http://trac.mach-ii.com/machii/wiki/Subroutines
Templating: http://trac.mach-ii.com/machii/wiki/HowToCreateViewLayoutsTemplating
View Loaders: http://trac.mach-ii.com/machii/wiki/MachII1.8SpecificationViewLoaders