If you read our blog regularly or have been following us for a while, you may have noticed that things have been a little quieter at first glance in recent months. But that impression is deceptive - because a lot has been going on under the hood!
We have deliberately decided to release fewer new and visible features during this time. Not because there was a lack of ideas - quite the opposite. Our focus was on an area that often remains invisible but is absolutely crucial: the security of your Contao installations.
We have put a lot of time and passion into new versions of the Contao Manager and the smooth interaction of all components. Processes have been scrutinised, improved and secured - in short, we have strengthened the foundation on which everything else is built.
And now the time has come: with the latest release of our app, all these developments have come together. The pieces of the puzzle fit together, everything feels smoother, more stable and, above all, safer.
We are delighted to finally be able to present the result to you!
Contao Manager 1.9 and 1.10
After our favourite CMS was upgraded to version 5.5 in February and given many great new functions, we have made sure that the Contao Manager can shine with even more security thanks to versions 1.9 and 1.10. The Manager now has integrated user and rights management as well as protection against the manipulation of Composer packages. Best of all, you can now benefit from this directly in trakked.
But what is user administration all about?
I would like to give you a brief overview of the new user roles:
- READ: can see the installed packages and read log files, but cannot change the system.
- UPDATE: may update existing packages and perform maintenance tasks (e.g. clear cache).
- INSTALL: may update and install packages and change system settings.
- ADMIN: can use all functions of the Contao Manager.
Until today's release, trakked had full access (user role: ADMIN) to the Contao Manager. If an attacker had managed to access our data, they could have used the access tokens and the Contao Manager API to install any Composer package. It would have been relatively easy to take over all of our customers' installations.
With the version released today, the newly created UPDATE user role is now used automatically. We have downgraded our existing tokens from the ADMIN role to UPDATE for you, so no action is required on your part.
Apart from the fact that no one can now smuggle unwanted packages in via our access tokens, this has another nice side effect: we now offer all trakked users direct login to the Contao Manager with one click. In this case the access rights are, of course, also those of the UPDATE role, so you can continue to perform database updates and carry out non-destructive maintenance tasks.
If you now open a Contao Manager of your choice via trakked, you will see a message that you are logged in with restricted permissions. If you want to perform an action that requires a higher role (e.g. installing a new package), click on "Log in again" to get to the login screen, where you can log in with your own credentials.
How does the new UPDATE role work?
Contao Manager 1.10 is about protecting the Composer Resolver Cloud and the Contao Manager API by validating the composer.lock, so that malicious packages cannot be injected even if one of these services were compromised. The composer.lock can therefore no longer contain arbitrary data: it must always match the composer.json!
The package terminal42/composer-lock-validator was created for this purpose; it recognises the various attack scenarios.
After the automatic update to Contao Manager 1.10, a submitted composer.lock is rejected if it tries to:
- add packages that are not mentioned in composer.json,
- add packages that are not required by any other package,
- remove packages that should be there, or
- change the metadata of a package.
The UPDATE role allows a composer.lock file to be transmitted via the API, but not the composer.json. And this is precisely where the big security gain lies: you can continue to carry out updates conveniently via trakked, but it is now impossible for a potentially harmful package to be injected, whether by accident or deliberately!
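To make those four checks concrete, here is a small validator written for this article as an added example. It is not the page's code and not terminal42/composer-lock-validator itself: it walks the lock's `require` graph from the root composer.json to find removed and injected packages, and for the metadata check it compares each package against the previously accepted lock, which is this example's own assumption about where a trusted baseline comes from. The package names, versions, references and dependency relations in the sample data are constructed for illustration.

```python
from collections import deque

# Platform packages (php, ext-*, lib-*, ...) are never locked; edges to them are ignored.
PLATFORM_NAMES = {"php", "php-64bit", "hhvm", "composer-plugin-api", "composer-runtime-api"}


def is_platform(name):
    return name in PLATFORM_NAMES or name.startswith(("ext-", "lib-"))


def root_requirements(composer_json):
    """Non-platform package names the root composer.json asks for (require + require-dev)."""
    names = set(composer_json.get("require", {})) | set(composer_json.get("require-dev", {}))
    return {n for n in names if not is_platform(n)}


def lock_packages(lock):
    """name -> lock entry, over both the prod and dev sections of composer.lock."""
    return {p["name"]: p for key in ("packages", "packages-dev") for p in lock.get(key, [])}


def validate_lock(composer_json, new_lock, trusted_lock=None):
    """Return a list of findings; an empty list means the lock is consistent with composer.json.
    Simplification: 'replace'/'provide' aliases are not resolved during the graph walk."""
    findings = []
    roots = root_requirements(composer_json)
    pkgs = lock_packages(new_lock)

    # 1. Removed packages: every root requirement must be present in the lock.
    for name in sorted(roots - set(pkgs)):
        findings.append(f"missing: {name} is required by composer.json but absent from composer.lock")

    # 2. Injected packages: walk 'require' edges from the root requirements. A locked
    #    package nobody reaches was asked for neither by composer.json nor by another
    #    package. Missing transitive dependencies are reported on the way.
    reached, missing = set(), set()
    queue = deque(sorted(roots & set(pkgs)))
    while queue:
        name = queue.popleft()
        if name in reached:
            continue
        reached.add(name)
        for dep in sorted(pkgs[name].get("require", {})):
            if is_platform(dep) or dep in reached:
                continue
            if dep in pkgs:
                queue.append(dep)
            elif dep not in missing:
                missing.add(dep)
                findings.append(f"missing: {dep} is required by {name} but absent from composer.lock")
    for name in sorted(set(pkgs) - reached):
        findings.append(f"injected: {name} is not required by composer.json or any locked package")

    # 3. Changed metadata: the same package at the same version must still point at the
    #    dist/source reference of the previously accepted lock. Using the last accepted
    #    lock as the trusted baseline is this example's own assumption.
    if trusted_lock is not None:
        trusted = lock_packages(trusted_lock)
        for name, pkg in sorted(pkgs.items()):
            old = trusted.get(name)
            if old is None or old.get("version") != pkg.get("version"):
                continue
            for section in ("dist", "source"):
                old_ref = (old.get(section) or {}).get("reference")
                new_ref = (pkg.get(section) or {}).get("reference")
                if old_ref != new_ref:
                    findings.append(f"tampered: {section} reference of {name} {pkg['version']} "
                                    f"changed from {old_ref} to {new_ref}")
    return findings


# --- Constructed sample data (not real lock files; dependency relations are illustrative) ---
def _pkg(name, version, ref, require=None):
    return {"name": name, "version": version, "require": require or {},
            "source": {"type": "git", "url": f"https://example.invalid/{name}.git", "reference": ref},
            "dist": {"type": "zip", "url": f"https://example.invalid/{name}/{ref}.zip", "reference": ref}}


COMPOSER_JSON = {"name": "example/site", "require": {"php": "^8.2", "contao/manager-bundle": "^5.5"}}

# The lock as it was last accepted.
TRUSTED_LOCK = {"packages": [
    _pkg("contao/manager-bundle", "5.5.0", "aaaa1111", {"php": "^8.2", "contao/core-bundle": "5.5.0"}),
    _pkg("contao/core-bundle", "5.5.0", "bbbb2222", {"php": "^8.2"}),
], "packages-dev": []}

# A tampered lock submitted via the API: an extra package nobody requires was appended,
# and core-bundle's references were rewritten to point at a different commit.
TAMPERED_LOCK = {"packages": [
    TRUSTED_LOCK["packages"][0],
    _pkg("contao/core-bundle", "5.5.0", "deadbeef", {"php": "^8.2"}),
    _pkg("acme/backdoor", "1.0.0", "cccc3333"),
], "packages-dev": []}

# A lock from which a package that should be there has been removed.
STRIPPED_LOCK = {"packages": [TRUSTED_LOCK["packages"][0]], "packages-dev": []}

if __name__ == "__main__":
    for label, lock in (("trusted", TRUSTED_LOCK), ("tampered", TAMPERED_LOCK), ("stripped", STRIPPED_LOCK)):
        print(label, validate_lock(COMPOSER_JSON, lock, TRUSTED_LOCK) or ["ok"])
```

The reachability walk is what covers the first two bullets at once: a package that appears in the lock without a path from the root requirements was neither requested in composer.json nor pulled in by another locked package. Note that a real lock also carries `replace` and `provide` aliases and a `content-hash` over composer.json; a production validator has to account for both, which this example deliberately leaves out.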
Further innovations in the Contao Manager
In addition to the new user and rights management, passkeys and two-factor authentication have been added to the Contao Manager, and its components have been updated on this occasion as well.
Of course, the new version of the Contao Manager was automatically rolled out to your trakked installations overnight. If your installation is still on PHP 7.4 or 8.0, you will instead receive the latest version of the Contao Manager that is compatible with it. So it's high time to think about updating to the latest PHP version.
If you want to improve the general security of your Contao installation, we recommend our blog post.
We have also published a page where we give you an insight into what we are doing to keep your data secure.
Although there is no spectacular new function in trakked, there are important improvements that provide significantly more security. And that is exactly why we (and hopefully you too) are now sleeping a lot better.