I received a mail today with a security alert,
but the code changes make me feel suspicious...
Is this a real message or a fake mail to build in a backdoor?
And is this good code? Is ((isset(1))?'1':'2') not better?
Hi Webby0815!
This is an urgent announcement for everyone using DolphinPro 7.0.2 and all newer versions. An SQL injection vulnerability was found in the flash/modules/chat/inc/actions.inc.php file and needs to be fixed immediately.
- If you can, please use instructions below to apply the fix immediately.
- If you are hosting your site with us on a Boonex plan and need help with this fix, please reply to this email (or write to team@boonex.com) to arrange access to your site. We will apply the fix for you as soon as we get the authorisation from you.
INSTRUCTIONS (3 changes)
All changes are in flash/modules/chat/inc/actions.inc.php file.
1. Change the following (near line ~121):
case 'RzSetBlocked':
$sUser = isset($_REQUEST['user']) ? $_REQUEST['user'] : "";
to the following:
case 'RzSetBlocked':
$sUser = isset($_REQUEST['user']) ? process_db_input($_REQUEST['user']) : "";
2. Change the following (near line ~137):
case 'RayzSetMembershipSetting':
$sKey = isset($_REQUEST['key']) ? $_REQUEST['key'] : "";
$sValue = isset($_REQUEST['value']) ? $_REQUEST['value'] : "";
to the following:
case 'RayzSetMembershipSetting':
$sKey = isset($_REQUEST['key']) ? process_db_input($_REQUEST['key']) : "";
$sValue = isset($_REQUEST['value']) ? process_db_input($_REQUEST['value']) : "";
3. Change the following (near line ~166):
$iCurrentTime = time();
$sSex = isset($_REQUEST['sex']) ? $_REQUEST['sex'] : "M";
$sAge = isset($_REQUEST['age']) ? $_REQUEST['age'] : "25";
to the following:
$iCurrentTime = time();
$sSex = isset($_REQUEST['sex']) ? process_db_input($_REQUEST['sex']) : "M";
$sAge = isset($_REQUEST['age']) ? process_db_input($_REQUEST['age']) : "25";
NOTE:
We are working on the new DolphinPro package, which includes this fix as well as a number of other improvements. It may still be weeks away from being production-ready, so please, don't wait and apply this fix now.
Thank you!
Boonex Team
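The three edits in the email all do the same thing: a value taken from $_REQUEST is wrapped in process_db_input() before it is used, which is the shape of a sanitisation fix, not of a backdoor (nothing new is executed, no new input path is added). isset() alone does not help here, because it only tests whether the parameter exists and says nothing about its content. The following is an added example, not Dolphin or Boonex code, that reproduces the pattern of the unpatched lines against an in-memory SQLite database and sets it beside a hardened version. It assumes PHP with the pdo_sqlite extension; the table, the request array and the functions setBlockedUnsafe/setBlockedSafe are constructed for the demonstration. The hardened version uses a bound parameter rather than Dolphin's process_db_input(), since that function is not shown in the email.

```php
<?php
// Added example (not Dolphin/Boonex code). Shows why the emailed fix matters:
// the patched lines take $_REQUEST values that end up inside SQL text.
// Runs stand-alone with an in-memory SQLite database (needs pdo_sqlite).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE blocked (user TEXT NOT NULL, blocked INTEGER NOT NULL)");
$db->exec("INSERT INTO blocked VALUES ('alice', 0), ('bob', 0)");

// Constructed request (not from the advisory): the 'user' parameter
// contains a single quote followed by extra SQL.
$request = ['user' => "alice' OR '1'='1"];

// BEFORE: same shape as the unpatched 'RzSetBlocked' line. isset() only
// checks presence; the raw value is then interpolated into the statement.
function setBlockedUnsafe(PDO $db, array $request): int {
    $sUser = isset($request['user']) ? $request['user'] : "";
    // The quote inside $sUser closes the string literal, and the remainder
    // of the input is parsed as SQL, so the WHERE clause matches every row.
    return $db->exec("UPDATE blocked SET blocked = 1 WHERE user = '$sUser'");
}

// AFTER: the value is bound as a parameter, so the database never parses it
// as SQL. (The email achieves the same goal by escaping via process_db_input();
// binding is the equivalent defence in PDO-based code.)
function setBlockedSafe(PDO $db, array $request): int {
    $sUser = isset($request['user']) ? $request['user'] : "";
    $stmt = $db->prepare("UPDATE blocked SET blocked = 1 WHERE user = :user");
    $stmt->execute([':user' => $sUser]);
    return $stmt->rowCount();
}

// Helper to observe the effect of each variant.
function countBlocked(PDO $db): int {
    return (int) $db->query("SELECT COUNT(*) FROM blocked WHERE blocked = 1")->fetchColumn();
}

setBlockedUnsafe($db, $request);
echo "unsafe: blocked users = " . countBlocked($db) . "\n";   // both rows, nobody asked for that

$db->exec("UPDATE blocked SET blocked = 0");                   // reset
setBlockedSafe($db, $request);
echo "safe:   blocked users = " . countBlocked($db) . "\n";   // none, no user has that literal name
```

Run it with `php example.php`. The unsafe variant blocks every user because the injected `OR '1'='1'` becomes part of the query; the bound-parameter variant affects no rows because the whole string is compared as a literal username. The same reasoning applies to the 'key', 'value', 'sex' and 'age' parameters in the other two edits: the fix is about what happens to the value before it reaches SQL, which is exactly what wrapping it in process_db_input() changes and what an isset() check alone does not.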