There is a medium-risk security vulnerability in Dolphin 7.1.4, and most probably previous versions are also affected.
In order to perform an attack, an attacker would have to trick a logged-in administrator into visiting a web page with a CSRF exploit.
Here is the manual fix:
1) Add the following code to the administration/profiles.php file near line ~38:
$sViewType = isset($_POST['adm-mp-members-view-type']) && in_array($_POST['adm-mp-members-view-type'], array('geeky', 'simple', 'extended')) ? $_POST['adm-mp-members-view-type'] : BX_DOL_ADM_MP_VIEW;
bx_import('BxDolForm'); $oChecker = new BxDolFormCheckerHelper();
//--- Process Actions ---//
2) Change line ~43 in the administration/profiles.php file:
$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $_POST['members']) . "')");
to:
$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");
3) Change line ~60 in the administration/profiles.php file:
$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Approval' WHERE `ID` IN ('" . implode("','", $_POST['members']) . "')");
to:
$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Approval' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");
4) Change line ~72 in the administration/profiles.php file:
$GLOBALS['MySQL']->query("REPLACE INTO `sys_admin_ban_list` SET `ProfID`='" . $iId . "', `Time`='0', `DateTime`=NOW()");
to:
$GLOBALS['MySQL']->query("REPLACE INTO `sys_admin_ban_list` SET `ProfID`='" . (int)$iId . "', `Time`='0', `DateTime`=NOW()");
5) Change line ~77 in the administration/profiles.php file:
$GLOBALS['MySQL']->query("DELETE FROM `sys_admin_ban_list` WHERE `ProfID` IN ('" . implode("','", $_POST['members']) . "')");
to:
$GLOBALS['MySQL']->query("DELETE FROM `sys_admin_ban_list` WHERE `ProfID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");
Rules → http://www.boonex.com/terms |
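Added example (not code from AlexT's post or from the Dolphin code base): it shows the two ways this thread ends up discussing to keep untrusted POST values out of a SQL IN (...) clause, integer coercion of every element (what the patch above does with BxDolFormCheckerHelper::passInt and the (int) cast) and, as the longer-term approach, prepared statements with bound placeholders. The helper names coerceIdList, buildActivateSqlCoerced and buildActivateSqlBound are hypothetical stand-ins, and the sample input is constructed.

```php
<?php
// Added example, not part of the original post or of Dolphin itself.
// Written for PHP 5-era syntax to match the code in the thread.

/**
 * Hypothetical stand-in for the patch's passInt step: coerce every element
 * of the submitted list to an integer. Anything that is not a plain number
 * becomes 0 (or just its leading digits), so quotes and other SQL characters
 * can never reach the query string. Assumption: Dolphin's real helper is
 * BxDolFormCheckerHelper::passInt; this is a re-implementation for illustration.
 */
function coerceIdList($members)
{
    if (!is_array($members)) {
        $members = array($members);
    }
    return array_map(function ($v) { return (int) $v; }, $members);
}

/**
 * The patched pattern from the thread: because the IN list is built from
 * integers only, plain string concatenation is safe here.
 */
function buildActivateSqlCoerced(array $postMembers)
{
    $ids = coerceIdList($postMembers);
    return "UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $ids) . "')";
}

/**
 * The alternative raised later in the thread (PDO with binding): one
 * placeholder per element, with the values kept apart from the SQL text.
 * Returns the SQL and the parameter list so the pair can be inspected
 * without a database; with a real PDO handle you would run
 * $pdo->prepare($sql)->execute($params).
 */
function buildActivateSqlBound(array $postMembers)
{
    $ids = coerceIdList($postMembers); // still validate the type of each id
    if (count($ids) === 0) {
        throw new InvalidArgumentException('empty member list');
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ($placeholders)";
    return array($sql, $ids);
}

// Constructed sample input: one well-formed id and two values that are not
// plain integers, as they could arrive in a forged POST request.
$sample = array('42', "7' junk", 'not-a-number');

echo buildActivateSqlCoerced($sample), PHP_EOL;

list($sql, $params) = buildActivateSqlBound($sample);
echo $sql, PHP_EOL;
echo json_encode($params), PHP_EOL;
```

Run it with `php example.php` and compare the two query strings: in the coerced version only digits survive into the IN list (a leading-numeric string keeps its leading digits, anything else becomes 0), while in the bound version the SQL text contains nothing from the request at all. The bound form is the one to prefer once the code base moves to PDO or MySQLi, as several replies below suggest.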
DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price! |
Hi Alex,
When you say previous versions, does it affect 7.0.9 as well?
Thanks.
|
Thank you AlexT
Now when I go to: /administration/profiles.php or the members tab I get:
Parse error: syntax error, unexpected '$oEmailTemplate' (T_VARIABLE) in /home/trucking/public_html/administration/profiles.php on line 45
|
Please could you provide 2-3 lines of code before and after line 45 ?
Thank you AlexT
Now when I go to: /administration/profiles.php or the members tab I get:
Parse error: syntax error, unexpected '$oEmailTemplate' (T_VARIABLE) in /home/trucking/public_html/administration/profiles.php on line 45
Rules → http://www.boonex.com/terms |
Yes, but line numbers are different.
Hi Alex,
When you say previous versions, does it affect 7.0.9 as well?
Thanks.
Rules → http://www.boonex.com/terms |
Please could you provide 2-3 lines of code before and after line 45 ?
Thank you AlexT
Now when I go to: /administration/profiles.php or the members tab I get:
Parse error: syntax error, unexpected '$oEmailTemplate' (T_VARIABLE) in /home/trucking/public_html/administration/profiles.php on line 45
$sViewType = isset($_POST['adm-mp-members-view-type']) && in_array($_POST['adm-mp-members-view-type'], array('geeky', 'simple', 'extended')) ? $_POST['adm-mp-members-view-type'] : BX_DOL_ADM_MP_VIEW;
bx_import('BxDolForm'); $oChecker = new BxDolFormCheckerHelper();
//--- Process Actions ---//
if(isset($_POST['adm-mp-activate']) && (bool)$_POST['members']) {
$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')")
$oEmailTemplate = new BxDolEmailTemplates();
foreach($_POST['members'] as $iId) {
|
//--- Process Actions ---//
if(isset($_POST['adm-mp-activate']) && (bool)$_POST['members']) {
$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')")
Look at the code provided and yours. You're missing a ; at the end of the line.
It should be this:
$GLOBALS['MySQL']->query("UPDATE `Profiles` SET `Status`='Active' WHERE `ID` IN ('" . implode("','", $oChecker->passInt($_POST['members'])) . "')");
Yours is missing the ; at the end, but the code AlexT provided and the original both have it. https://www.deanbassett.com |
Oh Man.. Sorry about that.. Thank you Deano for pointing that easy fix out.. Grrrr.. |
Alex
Can you please upload the modified administration/profiles.php here as a zip to save everyone a lot of grief!
|
Just curious as to what is going on. @Alex - you mention that they have to trick an Admin into going to that CSRF exploit page, but then what happens? What exactly is the security risk and how does it affect a Dolphin site? What does it allow a person to do once the Admin goes to that page? And then, what exactly does the code change accomplish? caredesign.net |
Thanks for the notice. I've forwarded this to all active Zarconia customers.
Edit: @eva1: I'll post a download of the modified file in a few, unless somebody beats me to it.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Here's the updated profiles.php. I checked the downloads, and it looks like they haven't updated the ZIP file.
Edit: As Deano pointed out, this is for Dolphin 7.1.4.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Nathan, when you post that file, make sure the post explicitly states what version of dolphin it is for.
I don't believe modified files should be in the forums. A common problem is people grabbing files out of these forums on 2+ year old topics and applying them to current dolphin sites.
I have just seen people making that mistake way too many times.
EDIT: Too late, you already posted it. You may want to edit your post and specify the Dolphin version. https://www.deanbassett.com |
these are the reasons we need PDO or MySQLi at least (with binding ofc) implemented asap... so much to do.... |
Nathan, when you post that file, make sure the post explicitly states what version of dolphin it is for.
Done. I'll replace it with a named ZIP file shortly to emphasize it.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
these are the reasons we need PDO or MySQLi at least implemented asap...
Those will have to be done in future versions anyway. The standard PHP mysql functions are being deprecated in future versions of PHP.
https://www.deanbassett.com |
The standard PHP mysql functions are being deprecated in future versions of PHP.
they are already in php 5.5.x
http://www.php.net//manual/en/migration55.deprecated.php
so much to do.... |
Applied without problems, thank you Alex.
See my products at http://www.boonex.com/market/posts/ilbellodelweb | Hosting: zarconia.net |
Thanks to everyone for the heads-up.
Unity at its finest.
|
http://towtalk.net ... Hosted by Zarconia.net! |
Normally these attacks work like this:
The logged-in person clicks a link which takes them to another page that steals their cookie info. Then the bad guy is able to trick the original site into thinking he is the admin or whichever user's cookie they stole. This has happened on previous versions of phpBB also.
Just curious as to what is going on. @Alex - you mention that they have to trick an Admin into going to that CSRF exploit page, but then what happens? What exactly is the security risk and how does it affect a Dolphin site? What does it allow a person to do once the Admin goes to that page? And then, what exactly does the code change accomplish?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Normally these attacks work like this:
The logged-in person clicks a link which takes them to another page that steals their cookie info. Then the bad guy is able to trick the original site into thinking he is the admin or whichever user's cookie they stole. This has happened on previous versions of phpBB also.
Just curious as to what is going on. @Alex - you mention that they have to trick an Admin into going to that CSRF exploit page, but then what happens? What exactly is the security risk and how does it affect a Dolphin site? What does it allow a person to do once the Admin goes to that page? And then, what exactly does the code change accomplish?
This particular vulnerability is more of an "sql injection"; the one you're mentioning is a "csrf".
EDIT2: Changed the post, i was talking about xss before, too much coffee :(
so much to do.... |
You should email this kind of stuff to people. I wasn't going to check the forums today, but I'm glad I did. Thanks for the fix though. |
I agree with mayzfieldtv that Dolphin site owners should have reasonably quick access to info on Dolphin Security issues... more than just a posting on the website that only a few will see before it disappears off the "Recent" Topics and Latest Posts lists.
For example, can an opt-in email list be setup for Dolphin site owners specifically for Dolphin Security issues? Then possibly a note (or Join form) could be added to one of the Dolphin installation screens.
http://pkforum.dolphinhelp.com |
Link to this is coming out in the newsletter today. Heart Head Hands |
Once a logged-in site administrator clicks on the button which the attacker has sent to the admin somehow, it performs SQL injection; for example, it can activate unconfirmed or suspended members.
Just curious as to what is going on. @Alex - you mention that they have to trick an Admin into going to that CSRF exploit page, but then what happens? What exactly is the security risk and how does it affect a Dolphin site? What does it allow a person to do once the Admin goes to that page? And then, what exactly does the code change accomplish?
Rules → http://www.boonex.com/terms |
Thank you so much! Received a warning from the mailing list. |
This is a good. Many thanks. "Your future is created by what you do today, not tomorrow." @ www.dexpertz.net |
Good day to all,
I totally agree that a vulnerability such as this, with exploit code, should be sent to all Boonex owners immediately.
Today you no longer have the luxury of waiting days before applying a patch. It must be as soon as possible or else your site will be hacked for sure.
Best regards
Clement
|
Has the Dolphin download .zip been patched/updated or do you intend to do so?
If not I don't see the point of distributing a Dolphin .zip download with a security vulnerability in it.
For one thing someone new is going to download and install it not realizing it should be patched/updated.
Secondly for those that are aware of this it is kind of a waste of time to download the .zip and have to patch/update it right away if we are going to install another instance of Dolphin.
Unless Boonex intends to roll out version 7.1.5 with this applied in the next day or two.
Just wondering. DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources |
Has the Dolphin download .zip been patched/updated or do you intend to do so?
Checked, and it doesn't look like the ZIP file has been updated. Same old MD5 hash.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Thanks for checking the current Dolphin .zip Nathan.
I personally can't believe that a publicly posted update/vulnerability was not, and has not been rolled out to the current Dolphin download .zip.
Amazing!
Besides this post, the next thing I would have done was updated the download. 24 hours and counting and still nothing. How crazy is that?
These Boonex folks seem like fairly smart programmers, but not so smart in the PR, updates, and such.
Maybe the changes and updates in Trac would conflict, i.e. all the current updates are not retroactive. So a couple of little lines would confuse them too much to worry about updating. I don't know, but even though they call it a medium update, it certainly should be rolled out to the latest download. Actually it should have been shortly after this was posted. What's up with that?
DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources |
I love Boonex. Without Boonex I would be broke. |
|
Maybe this can help Boonex and Dolphin users for this small step.
The attached zip file contains, for each Dolphin version (D7.0.0-D7.1.4), the original files and the files with the patch.
The original files have been added just for more security (for restoring). For every Dolphin version you can see, under the folder "UPDATE":
- d7XY (folder name, for example d709)
You have to select your Dolphin version, then upload the folder "administration" to your site root.
Remember, you can also back up your file "profiles.php" if for any reason you have customized it. Also, in the folder "ORIGINAL" there are the default files from Boonex (version by version).
We hope this can save your time!
See my products at http://www.boonex.com/market/posts/ilbellodelweb | Hosting: zarconia.net |
Thanks for making the zip, but I have a stupid question. So if I follow your upload instructions I will now have 2 administration folders in my root? Or do we upload the administration folder into the existing administration folder that already exists in the root? Or do we just replace it? Sorry, I'm not the sharpest tool in the shed when it comes to this stuff. |
You will not have two administration folders.
The instructions say to upload it to the root of your site. Thus what will happen is the administration folder you upload will merge with the existing one. https://www.deanbassett.com |
Upgrades; does any of the upgrades contain profiles.php? If so, then Boonex needs to apply the fix to the upgrades. Geeks, making the world a better place |
From my experience over the years, boonex has never updated a zip file once it has been released. They should for security fixes, but it's highly unlikely they will. https://www.deanbassett.com |
Applied thanks to who ever caught this. I assume there was probably a victim for the issue to come to light. So thanks again. |
Thanks for making the zip, but I have a stupid question. So if I follow your upload instructions I will now have 2 administration folders in my root? Or do we upload the administration folder into the existing administration folder that already exists in the root? Or do we just replace it? Sorry, I'm not the sharpest tool in the shed when it comes to this stuff.
The files to upload are in the folder "UPDATE".
The folder "ORIGINAL" is just in case you want to restore the original files.
See my products at http://www.boonex.com/market/posts/ilbellodelweb | Hosting: zarconia.net |
It is very irresponsible for any software company to have downloadable versions of their products with known security flaws; it might even open the door to possible lawsuits; at least in the good ol' US of A. Security flaws are not on the same level as bugs; not rolling a bug fix into the current version is acceptable, not rolling a security flaw into at least the current downloadable version, the current shipping version, is unacceptable from any viewpoint.
Note: I was once criticised on the forums for making such statements. It is because I care about Dolphin being around for a long time. I am using Dolphin and I have a vested interest in Boonex through Dolphin. Yes, I am sure that Andrew's business knowledge far exceeds mine; however, I do run a small business.
Geeks, making the world a better place |
Thanks for the update. I just made the changes to my file. Hope all is much better now. :) Jeremy |
We release an urgent new version for critical security flaws, but this one is not critical; moreover, it can't be done without tricking a logged-in administrator, which is very unlikely to happen.
It is very irresponsible for any software company to have downloadable versions of their products with known security flaws; it might even open the door to possible lawsuits; at least in the good ol' US of A. Security flaws are not on the same level as bugs; not rolling a bug fix into the current version is acceptable, not rolling a security flaw into at least the current downloadable version, the current shipping version, is unacceptable from any viewpoint.
Note: I was once criticised on the forums for making such statements. It is because I care about Dolphin being around for a long time. I am using Dolphin and I have a vested interest in Boonex through Dolphin. Yes, I am sure that Andrew's business knowledge far exceeds mine; however, I do run a small business.
Rules → http://www.boonex.com/terms |
Even though this one is not a critical security update, you guys really should update the download. It is disappointing that you don't do so. Like I mentioned, new users that download it and install it are going to have no idea, even if it is fairly rare that it would affect them. That doesn't matter. I sure as heck wouldn't want to install a vulnerable version if I could get one without it.
I certainly don't follow forums non-stop for all the software I install. So, I would assume others (new users) certainly don't follow dolphin forums for all the updates. And, they would have missed the announcement email if they just signed up.
Very poor choices in my opinion. Is it so hard to update the .zip or release a 7.1.4a/b or something, if you are not ready to do a 7.1.5? I really don't see why it's so difficult or such a big deal. I guess Trac changes might skew it, maybe.
At any rate thanks for the update, for those of us who actually received it. Disappointing for new users though.
DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources |
Maybe this can help Boonex and Dolphin users with this small step.
The attached zip file contains, for each Dolphin version (D7.0.0-D7.1.4), the original files and the files with the patch.
- d7XY (folder name, for example d709)
You have to select your Dolphin version, then upload the folder "administration" to your site root.
Remember, you can also back up your file "profiles.php" if for any reason you have customized it. Also, in the folder "ORIGINAL" there are the default files from Boonex (version by version).
We hope this can save your time!
Thanks ilbellodelweb!!
|