SiteDash Client v1.2.1 [security fix]

We’ve just released SiteDash Client v1.2.1. This release includes a security fix and it’s recommended to update as soon as possible. You can quickly update the client on your sites through the dashboard.

In certain cases where remotely creating the database backup failed, the full command, including the MySQL password, was returned from the client and shown in the dashboard. The database password is obviously privileged information that we don’t ever want to have inside SiteDash, or transferred over the internet at all.
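The failure mode described above, next to a hardened pattern, as an added example that is not SiteDash's code or its actual fix. It assumes the backup shells out to `mysqldump`; the function names and sample values are hypothetical.

```python
import os
import subprocess
import tempfile

MARK = "[REDACTED]"

def unsafe_failure_message(user, password, database):
    """The risky pattern: password in argv, whole command echoed on failure."""
    argv = ["mysqldump", "-u" + user, "-p" + password, database]
    return "Command failed: " + " ".join(argv)

def redact(text, secrets):
    """Replace each non-empty secret in text before it leaves the host."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, MARK)
    return text

def run_backup(user, password, database, target, tool=("mysqldump",)):
    """Run the dump; return (ok, message) with message safe to send upstream."""
    # mkstemp creates the file with mode 0600, so only this user can read it.
    fd, cnf = tempfile.mkstemp(suffix=".cnf")
    try:
        with os.fdopen(fd, "w") as handle:
            # Assumption: password has no double quote or backslash.
            handle.write('[client]\nuser=%s\npassword="%s"\n' % (user, password))
        # The password is not in argv, so it is absent from the command
        # line, the process list and any "command failed" text.
        argv = list(tool) + ["--defaults-extra-file=" + cnf,
                             "--result-file=" + target, database]
        try:
            proc = subprocess.run(argv, capture_output=True, text=True)
        except OSError as exc:
            return False, "backup failed: cannot start tool (%s)" % exc.strerror
        if proc.returncode == 0:
            return True, "backup written"
        # Report exit code plus scrubbed stderr; never the command itself.
        detail = redact(proc.stderr.strip(), [password, cnf])
        return False, "backup failed (exit %d): %s" % (proc.returncode, detail)
    finally:
        os.unlink(cnf)

if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    print(unsafe_failure_message("backup", "S3cr3t-constructed", "shop"))
    print(run_backup("backup", "S3cr3t-constructed", "shop", "/tmp/shop.sql"))
```

The scrubbing step is a second layer: the tool's own error output can still echo a credential even when the command line never held it.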

Over the next few days we’ll take a closer look to assess when this issue was introduced (at first glance, it seems limited to client v1.2.0 released yesterday, but we want to make sure) and to make sure all traces have been removed from our system. We’ll reach out to affected users individually as well to recommend changing the MySQL password as an additional precaution.

We’ve identified 11 backup attempts, for 7 unique sites on 6 different accounts, that were affected by this bug, and have reached out to those affected.

The issue was introduced in v1.0.0-pl of the client, released in December 2018.

All references to the passwords have been removed from our system.