Medium Risk Security Vulnerability in Dolphin 7.1

There is a medium risk security vulnerability in Dolphin 7.1.4, and most probably previous versions are also affected.

In order to perform an attack, an attacker has to trick a logged-in administrator into visiting a web page with a CSRF exploit.

Here is a manual fix:

1) Add the following code to the administration/profiles.php file near line ~38:

$sViewType = isset($_POST['adm-mp-members-view-type']) && in_array($_POST['adm-mp-members-view-type'], array('geeky', 'simple', 'extended')) ? $_POST['adm-mp-members-view-type'] : BX_DOL_ADM_MP_VIEW;

bx_import('BxDolForm');
$oChecker = new BxDolFormCheckerHelper();

//--- Process Actions ---//

2) Change line ~43 in the administration/profiles.php file:

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $_POST['members']) . "')");

to:

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");

3) Change line ~60 in the administration/profiles.php file:

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Approval' WHERE `ID` IN ('" . implode("','", $_POST['members']) . "')");

to:

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Approval' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");

4) Change line ~72 in the administration/profiles.php file:

$GLOBALS['MySQL']->query("REPLACE INTO `sys_admin_ban_list` SET `ProfID`='" . $iId . "', `Time`='0',  `DateTime`=NOW()");

to:

$GLOBALS['MySQL']->query("REPLACE INTO `sys_admin_ban_list` SET `ProfID`='" . (int)$iId . "', `Time`='0',  `DateTime`=NOW()");

5) Change line ~77 in the administration/profiles.php file:

$GLOBALS['MySQL']->query("DELETE FROM `sys_admin_ban_list` WHERE `ProfID` IN ('" . implode("','", $_POST['members']) . "')");

to:

$GLOBALS['MySQL']->query("DELETE FROM `sys_admin_ban_list` WHERE `ProfID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");

Rules → http://www.boonex.com/terms
Quote · 17 Jun 2014

thanks =)

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 17 Jun 2014

Hi Alex,

When you say previous versions, does it affect 7.0.9 as well?

Thanks.

Quote · 17 Jun 2014

Thank you AlexT

Now when I go to: /administration/profiles.php or the members tab I get:

Parse error: syntax error, unexpected '$oEmailTemplate' (T_VARIABLE) in /home/trucking/public_html/administration/profiles.php on line 45

Quote · 17 Jun 2014

Please could you provide 2-3 lines of code before and after line 45?

Thank you AlexT

Now when I go to: /administration/profiles.php or the members tab I get:

Parse error: syntax error, unexpected '$oEmailTemplate' (T_VARIABLE) in /home/trucking/public_html/administration/profiles.php on line 45

 

Rules → http://www.boonex.com/terms
Quote · 17 Jun 2014

Yes, but line numbers are different.

Hi Alex,

When you say previous versions, does it affect 7.0.9 as well?

Thanks.

 

Rules → http://www.boonex.com/terms
Quote · 17 Jun 2014

 

Please could you provide 2-3 lines of code before and after line 45?

Thank you AlexT

Now when I go to: /administration/profiles.php or the members tab I get:

Parse error: syntax error, unexpected '$oEmailTemplate' (T_VARIABLE) in /home/trucking/public_html/administration/profiles.php on line 45

 

$sViewType = isset($_POST['adm-mp-members-view-type']) && in_array($_POST['adm-mp-members-view-type'], array('geeky', 'simple', 'extended')) ? $_POST['adm-mp-members-view-type'] : BX_DOL_ADM_MP_VIEW;

bx_import('BxDolForm');
$oChecker = new BxDolFormCheckerHelper();

//--- Process Actions ---//
if(isset($_POST['adm-mp-activate']) && (bool)$_POST['members']) {
    $GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')")

    $oEmailTemplate = new BxDolEmailTemplates();
    foreach($_POST['members'] as $iId) {

profiles.php · 24.8K · 775 downloads
Quote · 17 Jun 2014

//--- Process Actions ---//
if(isset($_POST['adm-mp-activate']) && (bool)$_POST['members']) {
    $GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')")

Look at the code provided and yours. You're missing a ; at the end of the line.

Should be this.

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");

Yours is missing the ; at the end, but the code AlexT provided and the original both have it.

https://www.deanbassett.com
Quote · 17 Jun 2014

Oh Man.. Sorry about that.. Thank you Deano for pointing that easy fix out.. Grrrr..

Quote · 17 Jun 2014

Alex

Can you please upload the modified administration/profiles.php here as a zip to save everyone a lot of grief!

 

Quote · 17 Jun 2014

Just curious as to what is going on. @Alex - you mention that they have to trick an Admin to go to that CSRF exploit page, but then what happens? What exactly is the security risk, and how does it affect a Dolphin site? What does it allow a person to do once the Admin goes to that page? And then, what exactly does the code change accomplish?

caredesign.net
Quote · 17 Jun 2014

Thanks for the notice. I've forwarded this to all active Zarconia customers.

 

Edit: @eva1: I'll post a download of the modified file in a few, unless somebody beats me to it.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 17 Jun 2014

Here's the updated profiles.php. I checked the downloads, and it looks like they haven't updated the ZIP file.

 

Edit: As Deano pointed out, this is for Dolphin 7.1.4.

For Dolphin 7.1.4.zip · 6.3K · 746 downloads
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 17 Jun 2014

Nathan, when you post that file, make sure the post explicitly states what version of dolphin it is for.

I don't believe modified files should be in the forums. A common problem is people grabbing files out of these forums on 2+ year old topics and applying them to current dolphin sites.

I have just seen people making that mistake way too many times.

EDIT: Too late, you already posted it. You may want to edit your post and specify the Dolphin version.

https://www.deanbassett.com
Quote · 17 Jun 2014

these are the reasons we need PDO or MySQLi at least (with binding ofc) implemented asap...

so much to do....
Quote · 17 Jun 2014

 

Nathan, when you post that file, make sure the post explicitly states what version of dolphin it is for.

Done. I'll replace it with a named ZIP file shortly to emphasize it.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 17 Jun 2014

 

these are the reasons we need PDO or MySQLi at least implemented asap...

Those will have to be done in future versions anyway. Standard PHP mysql functions are being deprecated in future versions of PHP.

https://www.deanbassett.com
Quote · 17 Jun 2014

 

Standard PHP mysql functions are being deprecated in future versions of PHP.

They already are in PHP 5.5.x

http://www.php.net//manual/en/migration55.deprecated.php

so much to do....
Quote · 17 Jun 2014
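The manual fix in AlexT's first post (integer coercion of $_POST['members'] through passInt() and (int)) and the PDO/MySQLi binding raised just above, worked through as an added example that is not Dolphin's own code: passIntList() is a hypothetical stand-in for BxDolFormCheckerHelper::passInt(), the sample input is constructed, and the PDO function assumes a connection $oDb that the caller supplies.

```php
<?php
// Added example, not code from Dolphin or from AlexT's post. It shows why the
// patch works: $_POST['members'] (the profile IDs ticked in the admin form) is
// imploded straight into an IN (...) clause, and the fix forces every value to
// an integer before it reaches the query text.

// Hypothetical stand-in for BxDolFormCheckerHelper::passInt() as the patch
// applies it to an array: every element becomes an integer, so quotes,
// operators and keywords cannot survive into SQL. A non-numeric string is 0.
function passIntList(array $aValues)
{
    return array_map(function ($v) { return (int) $v; }, $aValues);
}

// Unpatched construction (step 2 "before"): values are quoted but never
// validated, so a value containing a quote changes the WHERE condition.
function buildActivateQueryUnsafe(array $aMembers)
{
    return "UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('"
        . implode("','", $aMembers) . "')";
}

// Patched construction (step 2 "after"): same query, integer-only values.
function buildActivateQuerySafe(array $aMembers)
{
    return "UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('"
        . implode("','", passIntList($aMembers)) . "')";
}

// Prepared-statement variant, the direction of the PDO/MySQLi suggestion:
// one positional placeholder per ID, each bound as an integer, no splicing.
// $oDb is assumed to be a PDO connection supplied by the caller.
function activateProfilesPdo(PDO $oDb, array $aMembers)
{
    $aIds = array_values(passIntList($aMembers));
    if (empty($aIds)) {
        return 0; // mirrors the (bool)$_POST['members'] guard; avoids "IN ()"
    }
    $sPlaceholders = implode(',', array_fill(0, count($aIds), '?'));
    $oStmt = $oDb->prepare(
        "UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ($sPlaceholders)"
    );
    foreach ($aIds as $i => $iId) {
        $oStmt->bindValue($i + 1, $iId, PDO::PARAM_INT); // placeholders are 1-based
    }
    $oStmt->execute();
    return $oStmt->rowCount();
}

// Constructed sample input: two ordinary IDs plus one value that carries a
// quote and an OR clause, the shape of input the advisory is about.
$aPosted = array('12', '47', "3') OR ('1'='1");

// In the unsafe string the third value's quote closes the IN list early and
// the rest becomes part of the WHERE condition; in the safe string the same
// value has collapsed to the integer 3.
echo buildActivateQueryUnsafe($aPosted), PHP_EOL;
echo buildActivateQuerySafe($aPosted), PHP_EOL;
```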

There is a medium risk security vulnerability in Dolphin 7.1.4, and most probably previous versions are also affected.

In order to perform an attack, an attacker has to trick a logged-in administrator into visiting a web page with a CSRF exploit.

Here is a manual fix:

1) Add the following code to the administration/profiles.php file near line ~38:

$sViewType = isset($_POST['adm-mp-members-view-type']) && in_array($_POST['adm-mp-members-view-type'], array('geeky', 'simple', 'extended')) ? $_POST['adm-mp-members-view-type'] : BX_DOL_ADM_MP_VIEW;

bx_import('BxDolForm');
$oChecker = new BxDolFormCheckerHelper();

//--- Process Actions ---//

2) Change line ~43 in the administration/profiles.php file:

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $_POST['members']) . "')");

to:

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");

3) Change line ~60 in the administration/profiles.php file:

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Approval' WHERE `ID` IN ('" . implode("','", $_POST['members']) . "')");

to:

$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Approval' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");

4) Change line ~72 in the administration/profiles.php file:

$GLOBALS['MySQL']->query("REPLACE INTO `sys_admin_ban_list` SET `ProfID`='" . $iId . "', `Time`='0',  `DateTime`=NOW()");

to:

$GLOBALS['MySQL']->query("REPLACE INTO `sys_admin_ban_list` SET `ProfID`='" . (int)$iId . "', `Time`='0',  `DateTime`=NOW()");

5) Change line ~77 in the administration/profiles.php file:

$GLOBALS['MySQL']->query("DELETE FROM `sys_admin_ban_list` WHERE `ProfID` IN ('" . implode("','", $_POST['members']) . "')");

to:

$GLOBALS['MySQL']->query("DELETE FROM `sys_admin_ban_list` WHERE `ProfID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");

Applied without problems, thank you Alex.

See my products at http://www.boonex.com/market/posts/ilbellodelweb | Hosting: zarconia.net
Quote · 17 Jun 2014

Thanks to everyone for the heads-up.

Unity at its finest.

Quote · 17 Jun 2014

Yup. Worked fine. Thanks

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 17 Jun 2014

Normally these attacks work like this:

The logged in person clicks a link which takes them to another page that steals their cookie info. Then the bad guy is able to trick the original site into thinking he is the admin or whichever user's cookie they stole. This has happened on previous versions of phpbb also.

 

Just curious as to what is going on. @Alex - you mention that they have to trick an Admin to go to that CSRF exploit page, but then what happens? What exactly is the security risk, and how does it affect a Dolphin site? What does it allow a person to do once the Admin goes to that page? And then, what exactly does the code change accomplish?

 

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 17 Jun 2014

 

Normally these attacks work like this:

The logged in person clicks a link which takes them to another page that steals their cookie info. Then the bad guy is able to trick the original site into thinking he is the admin or whichever user's cookie they stole. This has happened on previous versions of phpbb also.

 

Just curious as to what is going on. @Alex - you mention that they have to trick an Admin to go to that CSRF exploit page, but then what happens? What exactly is the security risk, and how does it affect a Dolphin site? What does it allow a person to do once the Admin goes to that page? And then, what exactly does the code change accomplish?

 

This particular vulnerability is more of an "sql injection"; the one you're mentioning is a "csrf".

EDIT2: Changed the post, I was talking about xss before, too much coffee :(

so much to do....
Quote · 17 Jun 2014

You should email this kind of stuff to people. I wasn't going to check the forums today, but I'm glad I did. Thanks for the fix though.

Quote · 17 Jun 2014

I agree with that Dolphin site owners should have reasonably quick access to info on Dolphin Security issues... more than just a posting on the website that only a few will see before it disappears off the "Recent" Topics and Latest Posts lists. 

For example, can an opt-in email list be set up for Dolphin site owners specifically for Dolphin security issues? Then possibly a note (or Join form) could be added to one of the Dolphin installation screens.

http://pkforum.dolphinhelp.com
Quote · 18 Jun 2014

Link to this is coming out in the newsletter today.

Heart Head Hands
Quote · 18 Jun 2014

Once a logged-in site administrator clicks on the button, which the attacker sends to the admin somehow, it performs SQL injection; for example, it can activate unconfirmed or suspended members.

Just curious as to what is going on. @Alex - you mention that they have to trick an Admin to go to that CSRF exploit page, but then what happens? What exactly is the security risk, and how does it affect a Dolphin site? What does it allow a person to do once the Admin goes to that page? And then, what exactly does the code change accomplish?

 

Rules → http://www.boonex.com/terms
Quote · 18 Jun 2014

Thank you so much! Received a warning from the mailing list.

Quote · 18 Jun 2014

This is good. Many thanks.

"Your future is created by what you do today, not tomorrow." @ www.dexpertz.net
Quote · 18 Jun 2014

Good day to all,

I totally agree that a vulnerability such as this with exploit code should be sent to all owners of Boonex immediately.

Today you no longer have the luxury of waiting days before applying a patch. It must be as soon as possible or else your site will be hacked for sure.

Best regards

Clement

Quote · 18 Jun 2014

Has the Dolphin download .zip been patched/updated or do you intend to do so?

If not I don't see the point of distributing a Dolphin .zip download with a security vulnerability in it.

For one thing someone new is going to download and install it not realizing it should be patched/updated.

Secondly for those that are aware of this it is kind of a waste of time to download the .zip and have to patch/update it right away if we are going to install another instance of Dolphin.

Unless Boonex intends to roll out version 7.1.5 with this applied in the next day or two.

Just wondering.

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
Quote · 19 Jun 2014

 

Has the Dolphin download .zip been patched/updated or do you intend to do so?

Checked, and it doesn't look like the ZIP file has been updated. Same old MD5 hash.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 19 Jun 2014

Thanks for checking the current Dolphin .zip Nathan.

I personally can't believe that a publicly posted update/vulnerability was not, and has not been rolled out to the current Dolphin download .zip.

Amazing!

Besides this post, the next thing I would have done was updated the download. 24 hours and counting and still nothing. How crazy is that?

These Boonex folks seem like fairly smart programmers, but not so smart in the PR, updates, and such.

Maybe the changes and updates in Trac would conflict. IE all the current updates are not retro-active. So a couple little lines would confuse them too much to worry about updating. I don't know, but even though they call it a medium update, it certainly should be rolled out to the latest download. Actually it should have been shortly after this was posted. What's up with that?

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
Quote · 19 Jun 2014

I love Boonex. Without Boonex I would be broke.

Quote · 19 Jun 2014

thank you...

Quote · 19 Jun 2014

Maybe this can help Boonex and Dolphin users with this small step.

The attached zip file contains, for each Dolphin version (D7.0.0-D7.1.4), the original files and the files with the patch.

The original files have been added just for more security (for restoring). For every Dolphin version you can see, under the folder "UPDATE":

  • d7XY (folder name, for example d709)
    • administration (folder)
      • profiles.php (file)

You have to select your Dolphin version, then upload the folder "administration" to your site root.

Remember, you can also back up your file "profiles.php" if for any reason you have customized it. Also, in the folder "ORIGINAL" there are the default files from Boonex (version by version).

We hope this can save your time!

securityupdate.zip · 177.8K · 739 downloads
See my products at http://www.boonex.com/market/posts/ilbellodelweb | Hosting: zarconia.net
Quote · 19 Jun 2014

Thanks for making the zip, but I have a stupid question. So if I follow your upload instructions I will now have 2 administration folders on my root? Or do we upload the administration folder into the existing administration file that already exists on root? Or do we just replace it? Sorry, I'm not the sharpest tool in the shed when it comes to this stuff.

Quote · 20 Jun 2014

You will not have two administration folders.

The instructions say to upload it to the root of your site. Thus what will happen is the administration folder you upload will merge with the existing one.

https://www.deanbassett.com
Quote · 20 Jun 2014

Upgrades; does any of the upgrades contain profiles.php?  If so, then Boonex needs to apply the fix to the upgrades.

Geeks, making the world a better place
Quote · 20 Jun 2014

From my experience over the years, boonex has never updated a zip file once it has been released. They should for security fixes, but it's highly unlikely they will.

https://www.deanbassett.com
Quote · 20 Jun 2014

Applied thanks to who ever caught this. I assume there was probably a victim for the issue to come to light. So thanks again.

Quote · 20 Jun 2014

 

Thanks for making the zip, but I have a stupid question. So if I follow your upload instructions I will now have 2 administration folders on my root? Or do we upload the administration folder into the existing administration file that already exists on root? Or do we just replace it? Sorry, I'm not the sharpest tool in the shed when it comes to this stuff.

The files to upload are in the folder "UPDATE".

The folder "ORIGINAL" is just if you want to restore the original files.

See my products at http://www.boonex.com/market/posts/ilbellodelweb | Hosting: zarconia.net
Quote · 21 Jun 2014

It is very irresponsible for any software company to have downloadable versions of their products with known security flaws; it might even open the door to possible lawsuits; at least in the good ol' US of A.  Security flaws are not on the same level as bugs; not rolling a bug fix into the current version is acceptable, not rolling a security flaw into at least the current downloadable version, the current shipping version, is unacceptable from any viewpoint.

 

Note: I was once criticised on the forums for making such statements.  It is because I care about Dolphin being around for a long time.  I am using Dolphin and I have a vested interest in Boonex through Dolphin.  Yes, I am sure that Andrew's business knowledge far exceeds mine; however, I do run a small business.

Geeks, making the world a better place
Quote · 21 Jun 2014

Thanks for the update. I just made the changes to my file. Hope all is much better now. :)

Jeremy
Quote · 21 Jun 2014

We release an urgent new version for critical security flaws, but this one is not critical; moreover, it can't be done without tricking a logged-in administrator, which is very unlikely to happen.

It is very irresponsible for any software company to have downloadable versions of their products with known security flaws; it might even open the door to possible lawsuits; at least in the good ol' US of A.  Security flaws are not on the same level as bugs; not rolling a bug fix into the current version is acceptable, not rolling a security flaw into at least the current downloadable version, the current shipping version, is unacceptable from any viewpoint.

 

Note: I was once criticised on the forums for making such statements.  It is because I care about Dolphin being around for a long time.  I am using Dolphin and I have a vested interest in Boonex through Dolphin.  Yes, I am sure that Andrew's business knowledge far exceeds mine; however, I do run a small business.

 

Rules → http://www.boonex.com/terms
Quote · 23 Jun 2014

Even though this one is not a critical security update, you guys really should update the download. It is disappointing that you don't do so. Like I mentioned, new users that download it and install it are going to have no idea, even if it is fairly rare that it would affect them. That doesn't matter. I sure as heck wouldn't want to install a vulnerable version if I could get one without it.

 

I certainly don't follow forums non-stop for all the software I install. So, I would assume others (new users) certainly don't follow dolphin forums for all the updates. And, they would have missed the announcement email if they just signed up.

 

Very poor choices in my opinion. Is it so hard to update the .zip or release a 7.1.4a/b or something, if you are not ready to do a 7.1.5? I really don't see why it's so difficult or such a big deal. I guess trac changes might skew it maybe.

 

At any rate thanks for the update, for those of us who actually received it. Disappointing for new users though.

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
Quote · 25 Jun 2014

 

Maybe this can help Boonex and Dolphin users with this small step.

The attached zip file contains, for each Dolphin version (D7.0.0-D7.1.4), the original files and the files with the patch.

  • d7XY (folder name, for example d709)
    • administration (folder)
      • profiles.php (file)

You have to select your Dolphin version, then upload the folder "administration" to your site root.

Remember, you can also back up your file "profiles.php" if for any reason you have customized it. Also, in the folder "ORIGINAL" there are the default files from Boonex (version by version).

We hope this can save your time!

Thanks ilbellodelweb!!

Quote · 12 Jul 2014