AlexT commented on my blog post and has created some file revisions via ticket:
http://www.boonex.com/trac/dolphin/ticket/1467
Please check out the following revisions and see if they help. I have not had a chance to load them, so any feedback is greatly welcome. Also, if this does NOT fix your errors, please continue to post your errors in as much detail as possible (what you are doing that causes the possible attacks) in this forum so that we can continue to update AlexT.
Here are the change sets:
1st - http://www.boonex.com/trac/dolphin/changeset/13237
2nd - http://www.boonex.com/trac/dolphin/changeset/13238
Thanks,
Chris
Nothing to see here |
For those of you who want to download the whole file instead of trying to edit each one (since some files are modified more than once), go to the bottom of the page and choose to download in zip format. This will download the whole file for you to upload and overwrite.
**** Please make sure to make backups before overwriting.
Nothing to see here |
When changing any mail template we get a possible attack message. I tried the
http://www.boonex.com/trac/dolphin/changeset/13237
http://www.boonex.com/trac/dolphin/changeset/13238
fixes, but it is still not working.
|
Same here: even with the fixes I still get a possible attack when I try to modify Profile fields ---> Fields builder ---> Couple to Email (it doesn't accept any change and doesn't save the changes I make)
-----> Sex to Profile photo (the same)
------> Captcha to TermsOfUse (the same)
And the email sent looks like this: Possible attack:
Total impact: 8 Affected tags: xss, csrf, id, rfe
Variable: REQUEST.Desc | Value: Select \"Couple\" if you are joining as a couple | Impact: 4 | Tags: xss, csrf, id, rfe | Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Variable: POST.Desc | Value: Select \"Couple\" if you are joining as a couple | Impact: 4 | Tags: xss, csrf, id, rfe | Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
REMOTE_ADDR: xxxxxxxxxxxxxxxxx HTTP_X_FORWARDED_FOR: HTTP_CLIENT_IP:
Proud Hosted by Zarconia.net |
This fix here ----> trunk/administration/nav_menu_compose.php
causes this when I upload it to the administration:
Parse error: syntax error, unexpected T_REQUIRE_ONCE in /home/xxxxx/public_html/administration/nav_menu_compose.php on line 30
As for adding a Facebook script (fan widget) to the _html block, it does cause a Possible Attack and sometimes it even locks me out of the admin panel or even the site.
As for the navigation menu, if I go to VIDEO and want to change anything there and save it, it keeps LOADING forever and ever, and a possible attack:
Total impact: 10 Affected tags: dt, id, lfi
Variable: REQUEST.Link | Value: modules/?r=videos/home/|modules/?r=videos/ | Impact: 5 | Tags: dt, id, lfi | Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11
Variable: POST.Link | Value: modules/?r=videos/home/|modules/?r=videos/ | Impact: 5 | Tags: dt, id, lfi | Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID: 11
REMOTE_ADDR: xxxxxxxxxxxxxxxxxxx HTTP_X_FORWARDED_FOR: HTTP_CLIENT_IP:
That is all, guys. I suffer only from those errors; if they are fixed, my site will hopefully be in perfect order.
Thanks.
Eli
Peace and Bread.
Proud Hosted by Zarconia.net |
Thanks everyone for testing. Let's keep it going so AlexT has something to work with.
Nothing to see here |
Did both changesets and still get the attack message on custom profile fields.
Total impact: 12 Affected tags: sqli, id, lfi
Variable: REQUEST.Cocksize.0 | Value: 2\" Impact: 6 | Tags: sqli, id, lfi Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42
Variable: POST.Cocksize.0 | Value: 2\" Impact: 6 | Tags: sqli, id, lfi Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42
|
Just to make sure it doesn't get missed, has anyone tried adding an HTML block after the revisions? I know it was giving possible attacks, but since I am not home right now, I have no way of testing the revisions.
Thanks.
Chris
Nothing to see here |
Chris, yes, I still have the problem even after the revision. If I add the Facebook Fan script (widget) to the _html block I get a Possible Attack. If I add a Google search script I don't get any possible attack.
I'm lost! Not sure what's wrong with the Facebook fan widget, as it shows fine on the main home page, but if I choose to move to the Forum or any of the top menu sections I right away get a POSSIBLE attack...
I'm sure you tried it before; when you get back home, try it and you will see for yourself.
Peace and bread.
Eli
Proud Hosted by Zarconia.net |
Hey Eli, that's how I found the attack myself, by adding a Facebook widget. I am curious to find out if it's because the widgets are using the <script> function and *.js files that's causing the problems. Nothing to see here |
I'm not an experienced guy with code and HTML, but let's say it is because of JavaScript or whatever; does that mean we are not going to be able to add any scripts in the future? Are we going to be limited in Dolphin?
I think the HTML block is one of the most important functions in CMS management, and it helps a lot with customizing web sites and so on.
Let's see what will happen next!
Also I still get many possible attacks, as I stated in this forum... and one of the fixes gives me an error. When you have time, Chris, have a look yourself and let them know... your English is better than mine :)
Peace and html block lol
Eli
Proud Hosted by Zarconia.net |
After applying the fixes, clear the 'cache' and 'tmp' directories, then reinstall one of these modules:
ads articles avatar blog events feedback files forum groups news photos poll sites sounds store videos
to apply the changes to email templates, and try to add/change/delete a profile field in the admin panel to apply the changes to profile fields.
Rules → http://www.boonex.com/terms |
Other small fixes are in revisions 13244 and 13245.
Thank you for testing and reporting.
Rules → http://www.boonex.com/terms |
I did what you said for profile fields; I took some off, deleted some and made new ones, to no avail. The same issue. |
Please provide the email with the report.
Rules → http://www.boonex.com/terms |
Here is the output
Total impact: 12 Affected tags: sqli, id, lfi
Variable: REQUEST.sensored.0 | Value: 7\" Impact: 6 | Tags: sqli, id, lfi Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42
Variable: POST.sensored.0 | Value: 7\" Impact: 6 | Tags: sqli, id, lfi Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42
I did a little more fiddling and here is what is causing the problem.
The HTML block is a profile field, a selector with a predefined list of 2", 3", 4", 5" and so forth. It is the appearance of special characters within the predefined block that is causing the attack error. In this case it is the " that causes the problem. When I remove them it works fine without an error.
Same issue with height: if you make a predefined list inside the HTML block itself (i.e. 6'2"), the ' and " will cause the PA error. Now, if you make a predefined list with values and use the L2key to say 6'2", the possible attack does not appear so long as no special characters appear within the HTML block options themselves.
Edit: just tested this. If you use special characters in the HTML block description you will also get a possible attack. In this case I tried to use ().
|
Ok, I tried the fixes and was still not able to add an HTML block. I tried to add a Facebook widget. Here is the code:
<script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US" type="text/javascript"></script><script type="text/javascript">FB.init("a7d280f20c716eb89df84838b7fde559");</script>
And here is the email:
Total impact: 12 Affected tags: sqli, id, lfi
Variable: REQUEST.fbsetting_a7d280f20c716eb89df84838b7fde559 | Value: {\"connectState\":2,\"oneLineStorySetting\":3,\"shortStorySetting\":3,\"inFacebook\":false} | Impact: 6 | Tags: sqli, id, lfi | Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Variable: COOKIE.fbsetting_a7d280f20c716eb89df84838b7fde559 | Value: {\"connectState\":2,\"oneLineStorySetting\":3,\"shortStorySetting\":3,\"inFacebook\":false} | Impact: 6 | Tags: sqli, id, lfi | Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Centrifuge detection data Threshold: 3.49 Ratio: 2.5
REMOTE_ADDR: xx.xx.xx.xx HTTP_X_FORWARDED_FOR: HTTP_CLIENT_IP:
Nothing to see here |
Hey AlexT, can you take a look at this and tell me what you think? Nothing to see here |
I tried clearing the cache, reinstalling modules, modifying profile fields and the fixes:
http://www.boonex.com/trac/dolphin/changeset/13244
http://www.boonex.com/trac/dolphin/changeset/13245
and still have problems with email templates.
"Possible attack!!! All data has been collected and sent to the site owner for analysis."
Text of the error:
http://wklej.org/id/207919/
|
I don't know if I have to go through all those fixes, as it seems they have no effect on this Possible attack! I think I'd better wait to see what Alex's last word is :)
Peace and bread... I don't want to damage my site and start anew lol
Eli
Proud Hosted by Zarconia.net |
Anything new? Was it fixed as Alex claims?
Keep us updated.
Thanks.
Eli
Proud Hosted by Zarconia.net |
Since mine were caused by only one profile field using special characters, I removed them and made a predefined table with language key settings with special characters; that fixed my issue and I'm golden now. |
Alex,
Changing nav_menu_compose.php to the changes included in the changeset makes nav_menu_compose.php come up as a blank page. I had to comment out the change to get it to appear.
|
Mauricecano, have you tried adding an HTML block? This seems to cause possible attacks too. For instance, I pasted the code for the Facebook widget and got a possible attack. Nothing to see here |
I haven't tried doing an HTML block just yet; I'm spending time customizing the profile field blocks but will soon be adding HTML blocks when I install my wiki. |
Any updates or suggestion on this fix yet? AlexT ? Nothing to see here |
I tested adding HTML blocks to the homepage and elsewhere after doing all the changes. They appear to work correctly and not throw PA errors.
|
Mauricecano, Can you try adding this facebook widget and see if you get a PA error?
<script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US" type="text/javascript"></script><script type="text/javascript">FB.init("a7d280f20c716eb89df84838b7fde559");</script>
Nothing to see here |
Did it, didn't get a PA error; however the only thing that appeared was a blank collapsed HTML box (see picture)
|
New fix: http://www.boonex.com/trac/dolphin/changeset/13259
After this fix please clean /cache/ directory and reinstall one of these modules:
ads articles avatar blog events feedback files forum groups news photos poll sites sounds store videos
Two new security options were added in Administration -> Settings -> Advanced Settings -> Other. Now you can control when to just send mail about a possible attack and when to stop the aggressor. There is an impact number; if the impact is high (> 25) then the security risk is high too. Rules → http://www.boonex.com/terms |
I notice in the last fix there is a new DB script for a new install. My question is: is there an update script if we already have an install out there, or are we SOL?
Thanks!
|
Never mind, I found the changes. |
Do I have to do a new install? Because I've seen there's a new file for MySQL ---> trunk/install/sql/v70.sql!
When you say reinstall one of these modules, do you mean all the modules in green or just one of them?
thanks ,
Eli .
Proud Hosted by Zarconia.net |
Did you try browsing your site after seeing this empty HTML block? Because if you moved to another section, that is where you can get a PA! But if you just pop to the main page and back to the admin area you will not get a PA attack at all!
Proud Hosted by Zarconia.net |
Yes, I went to the site not logged in. I saw the page with the HTML block, I logged in (non-admin user) and browsed around on the home page, went to other profiles to view, saw some videos, etc. Never received a PA. I'm not saying you don't, I'm just reporting my experience.
|
Also AlexT, OpenSocial is reporting PAs when you put in different script URLs. I made a separate post on it but want to put it in here in case you're monitoring this thread. |
Do I have to do a new install (I am talking about the latest AlexT fix in this thread)? Because I've seen there's a new file for MySQL ---> trunk/install/sql/v70.sql!
When you say reinstall one of these modules, does he mean all the modules in green or just one of them?
thanks ,
Eli .
Proud Hosted by Zarconia.net |
Since the main SQL file was changed in the last fix, you need to run the following SQL script manually to apply the changes to your database:
INSERT INTO `sys_options` VALUES('sys_security_impact_threshold_log', '9', 3, 'Total security impact threshold to send report', 'digit', '', '', 0, '');
INSERT INTO `sys_options` VALUES('sys_security_impact_threshold_block', '27', 3, 'Total security impact threshold to send report and block aggressor', 'digit', '', '', 0, '');
After this sql script is executed you need to clean /cache/ directory.
Rules → http://www.boonex.com/terms |
one of them
Rules → http://www.boonex.com/terms |
Has anyone got an easy way to do this? I am getting the attack messages as well, especially when I try to change the email templates.
Does anyone know if the fix will be implemented in RC2?
http://towtalk.net ... Hosted by Zarconia.net! |
I put in the latest changeset fixes. OpenSocial still does not work, but the email spam when trying to add a module no longer occurs.
Also, even with this fix, the nav_menu_compose change still displays a blank page. I have to take out the new security lines to use the nav builder.
|
I just ran the 13259 fix and it bypassed all of the PA attacks. It will still send emails, but at least you can configure it. Thanks AlexT |
Can someone give me a quick rundown on where in cPanel I can run the database update scripts? I have some experience but ZERO experience with MySQL & phpMyAdmin http://towtalk.net ... Hosted by Zarconia.net! |
Log into phpMyAdmin --> click the database on the left --> click the SQL tab at the top --> paste the two insert statements into the box and hit run. Do not run the entire install script or it will wipe everything. |
Open cPanel, click on phpMyAdmin, which will open a database interface. Click on your database in the left column (ex. dolphin_rc1). You will now see a listing of all your tables. In the right frame click on the SQL tab. That will bring up a window where you can input the code. Put it in exactly as shown in each box and nothing more. Click on Go and it will execute the code. |
badabing! Thanks guys. Just needed to be pointed..... http://towtalk.net ... Hosted by Zarconia.net! |
LOLOL! At least now it saves the email template changes before it sends the Attack Warning.... I guess that's a step in the right direction
http://towtalk.net ... Hosted by Zarconia.net! |
OMG, it works. It would be really nice if we could get all the updated files and scripts to run in one downloadable zip. I had to do some SQL restoring after going through all the updates. But hey, it was worth it.
Thanks Alex
Chris
Nothing to see here |
I don't get any more possible attacks in the navigation menu and it started saving properly. Thanks Chris for pointing out rev 44 and 45, and thanks to AlexT; things are getting better.
But I still get the possible attack while adding the Facebook script; that's the only major problem I have, the rest nothing.
Chris, can you please confirm if it's fixed on your side? Because if yes, then maybe I'm doing something wrong here.
Thanks .
Eli.
Proud Hosted by Zarconia.net |
Still getting a myriad of emails from my site; the problem is, I have NO idea what they mean. This is 1 of the 5 latest:
Total impact: 12 Affected tags: sqli, id, lfi
Variable: REQUEST.fIM_userConfig | Value: {\"enableAudio\":true,\"enableTimestamp\":false} Impact: 6 | Tags: sqli, id, lfi Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Variable: COOKIE.fIM_userConfig | Value: {\"enableAudio\":true,\"enableTimestamp\":false} Impact: 6 | Tags: sqli, id, lfi Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43 Centrifuge detection data Threshold: 3.49 Ratio: 2.5
REMOTE_ADDR: 70.155.214.201 HTTP_X_FORWARDED_FOR: HTTP_CLIENT_IP: SCRIPT_FILENAME: /home2/thechur3/public_html/profile.php QUERY_STRING: ID=favicon.ico REQUEST_URI: /favicon.ico QUERY_STRING: ID=favicon.ico SCRIPT_NAME: /profile.php PHP_SELF: /profile.php
I also got a HUGE database error message but it is WAY too big to post. If anyone knows anything or wouldn't mind looking at it, I will forward the email. Please help!
|
Yeah well, I get a possible attack on the last step of the install, so don't feel bad. Then I get this when I delete the install folder: Fatal error: Cannot apply localization...... https://dolphin-techs.com - Skype: Dolphin Techs |
Yeah, I was still getting the possible attack emails after adding the Facebook widget, but it was not "locking" me out of the site. Try this:
Two new security options were added in Administration -> Settings -> Advanced Settings -> Other. Now you can control when to just send mail about a possible attack and when to stop the aggressor. There is an impact number; if the impact is high (> 25) then the security risk is high too.
Above the setting for locking the member at 25 impact, there is another option (total security impact threshold to send report) that is set to 9 by default. In order to add the Facebook widget and NOT get the possible attack email, change the 9 to 13 and the emails will stop. This is because the script is producing an impact of 12. Once you change it to 13, the emails will stop.
Chris
Nothing to see here |
Chris
I've seen the two new options added in the admin area (advanced settings); that will help a lot.
Just one more thing before I proceed with the Facebook widget and follow your instructions: I want to know, when you add the Facebook widget and navigate away from the home page, does it show a Possible attack in your admin area or in the browser, or not?
Because that kills me, man, when it shows in both, and to get away from it I have to go to cPanel ---> inc ---> classes ---> delete BXDOLEAMAILTEAMPLATE.php and replace it with a new one so I can stop it from blocking me from moving around!
So please can you let me know if you can navigate around your site without any problem while the Facebook widget is there and fully functional :)
Thanks a lot for your help.
Eli.
Peace and bread.
Proud Hosted by Zarconia.net |
No, it didn't for me. All it was doing was sending me Possible Attack emails. Once I bumped the setting from 9 to 13, those stopped too. Make sure that you have applied ALL fixes listed in this forum.
Chris
Nothing to see here |
Please add a ';' at the end of the following line:
$aBxSecurityExceptions[] = 'REQUEST.Link'
so that the result looks like:
$aBxSecurityExceptions[] = 'REQUEST.Link';
in the nav_menu_compose.php file.
Rules → http://www.boonex.com/terms |
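The scoring behaviour argued about across this thread, as an added example that is not Dolphin's or PHPIDS's own code: it models how a PHPIDS-style monitor scores request data, why every mail shows each hit twice (once as POST.x or COOKIE.x and again as REQUEST.x, so a 6-point rule yields "Total impact: 12"), what the two sys_options thresholds from the INSERT statements above do, and what the REQUEST.Link exception in the post just above changes. The three regexes are simplified stand-ins for PHPIDS filter IDs 11, 42 and 43 rather than the real filter expressions, the >= comparison against the thresholds is an assumption (the thread does not say), and the bx_* function names are mine. The sample inputs are constructed from the values quoted in the mails above.

```php
<?php
// Added illustration for this thread; not Dolphin or PHPIDS code.
// Needs PHP 7.1+ (list destructuring in foreach).

// Simplified stand-ins for PHPIDS filters 11, 42, 43: [id, impact, regex, description]
$aRules = [
    [11, 5, '~(?:\.\./|\|)~',   'Detects specific directory and path traversal'],
    [42, 6, '~\d+\s*["\']~',    'Detects classic SQL injection probings 1/2'],
    [43, 6, '~\{\s*"\w+"\s*:~', 'Detects classic SQL injection probings 2/2'],
];

// Walk nested input the way the reports do, naming leaves like POST.Cocksize.0
function bx_flatten(array $aSrc, string $sPrefix): array
{
    $aOut = [];
    foreach ($aSrc as $sKey => $mVal) {
        if (is_array($mVal)) {
            $aOut += bx_flatten($mVal, "$sPrefix.$sKey");
        } else {
            $aOut["$sPrefix.$sKey"] = (string) $mVal;
        }
    }
    return $aOut;
}

// Score GET, POST, COOKIE and the merged REQUEST view, skipping excepted names
function bx_scan(array $aGet, array $aPost, array $aCookie, array $aExceptions = []): array
{
    global $aRules;
    // $_REQUEST is GET+POST+COOKIE merged, so a value already scanned as POST.x or
    // COOKIE.x is scanned again as REQUEST.x: total impact is twice the rule impact.
    $aRequest = array_merge($aGet, $aPost, $aCookie);
    $aFlat = bx_flatten($aGet, 'GET') + bx_flatten($aPost, 'POST')
           + bx_flatten($aCookie, 'COOKIE') + bx_flatten($aRequest, 'REQUEST');
    $iTotal = 0;
    $aHits  = [];
    foreach ($aFlat as $sName => $sValue) {
        if (in_array($sName, $aExceptions, true)) {
            continue;                                   // $aBxSecurityExceptions
        }
        foreach ($aRules as [$iId, $iImpact, $sRe, $sDesc]) {
            if (preg_match($sRe, $sValue)) {
                $iTotal += $iImpact;
                $aHits[] = "Variable: $sName | Value: $sValue | Impact: $iImpact"
                         . " | Description: $sDesc | ID: $iId";
            }
        }
    }
    return ['impact' => $iTotal, 'hits' => $aHits];
}

// sys_security_impact_threshold_log (9) and _block (27) from the INSERT statements;
// the comparison is assumed to be >=.
function bx_decide(int $iImpact, int $iLog = 9, int $iBlock = 27): string
{
    if ($iImpact >= $iBlock) {
        return 'report and block';
    }
    if ($iImpact >= $iLog) {
        return 'report';
    }
    return 'ok';
}

// Constructed inputs taken from the mails quoted in this thread
function bx_demo(): array
{
    $sFbCookie = '{"connectState":2,"oneLineStorySetting":3,"shortStorySetting":3,"inFacebook":false}';
    $sLink     = 'modules/?r=videos/home/|modules/?r=videos/';
    return [
        // profile field option 2" -> POST.x and REQUEST.x both hit rule 42: 6 + 6 = 12
        'field 2" at log 9'   => bx_decide(bx_scan([], ['Cocksize' => ['2"']], [])['impact']),
        // same field with the log threshold raised from 9 to 13
        'field 2" at log 13'  => bx_decide(bx_scan([], ['Cocksize' => ['2"']], [])['impact'], 13),
        // Facebook widget cookie -> COOKIE.x and REQUEST.x both hit rule 43: 12
        'fb cookie at log 9'  => bx_decide(bx_scan([], [], ['fbsetting_x' => $sFbCookie])['impact']),
        // nav menu Link -> POST.Link and REQUEST.Link both hit rule 11: 5 + 5 = 10
        'nav link, no exception'          => bx_decide(bx_scan([], ['Link' => $sLink], [])['impact']),
        // with REQUEST.Link excepted only POST.Link scores: 5, under the log threshold
        'nav link, REQUEST.Link excepted' => bx_decide(bx_scan([], ['Link' => $sLink], [], ['REQUEST.Link'])['impact']),
    ];
}

foreach (bx_demo() as $sCase => $sOutcome) {
    printf("%-34s %s\n", $sCase, $sOutcome);
}
```

Run with php and the five cases print report, ok, report, report, ok. Two things are worth noticing. Excepting only REQUEST.Link is enough in this model because the remaining POST.Link hit (5) stays under the log threshold of 9, which is consistent with the nav menu going quiet once that one line is in place. Raising the log threshold to 13 silences the widget's fbsetting_ cookie, but it also silences any real probe scoring 9 to 12, so a per-variable exception is the narrower fix. The iframe version of the widget posted later in the thread avoids the problem differently: a frame served from facebook.com keeps its cookies on that origin, so nothing JSON-shaped lands in this site's $_COOKIE to be scanned.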
What directory will we find this file in??
There are none so blind as those that will not see. |
I have applied all of the above and I still get possible attack emails, 34 overnight alone. I checked my nav_menu_compose.php file and everything is ok there. Any ideas?
Thanks in advance!!
Stuart
There are none so blind as those that will not see. |
The nav_compose now works for me. |
Nothing to see here |
Finally I managed to get the Facebook Fan widget working, ouch. I did some searching in Google for HTML code to use for Facebook instead of the script, and finally I managed to insert a Facebook fan iframe and it's working properly. No possible attack emails or even a possible attack itself.
According to the Facebook Fan wiki: if we do have the Facebook Connect function on our site we do not have to insert the Facebook script, because that will generate problems; that's why Facebook offers HTML code + iframe code to insert into the site. For more information refer here:
FACEBOOK FAN WIKI
I hope that helps those looking to insert a Facebook fan widget :)
This is an example of the code I am using:
<iframe scrolling="no" frameborder="0"
  src="http://www.facebook.com/connect/connect.php?id=YOUR ID NUMBER HERE&connections=10&stream=0&css=PATH_TO_STYLE_SHEET"
  allowtransparency="true" style="border: none; width: 336px; height: 200px;"></iframe>
<div style="font-size:8px; padding-left:10px"><a href="YOUR WEB SITE URL HERE">THE NAME OF YOUR FACEBOOK PAGE TITLE HERE</a> on Facebook</div>
Note: stream=0 because I wanted to show only Facebook FANS; if you want to show your stream then you have to change it to stream=1.
Peace and Bread ,
Enjoy
Proud Hosted by Zarconia.net |