DolphinPro 7 Security Alert. ACTION REQUIRED.

I received an email today with a security alert.

but the code changes make me suspicious...

Is this a real message, or a fake mail meant to get a backdoor built in?

And is this good code? Isn't ((isset(1))?'1':'2') better?

Hi Webby0815!

This is an urgent announcement for everyone using DolphinPro 7.0.2 and all newer versions. An SQL injection vulnerability was found in the flash/modules/chat/inc/actions.inc.php file and needs to be fixed immediately.

  • If you can, please use instructions below to apply the fix immediately.
  • If you are hosting your site with us on a Boonex plan and need help with this fix, please reply to this email (or write to team@boonex.com) to arrange access to your site. We will apply the fix for you as soon as we get the authorisation from you.

INSTRUCTIONS (3 changes)

All changes are in the flash/modules/chat/inc/actions.inc.php file.

1. Change the following (near line ~121):

case 'RzSetBlocked':
    $sUser = isset($_REQUEST['user']) ? $_REQUEST['user'] : "";

to the following:

case 'RzSetBlocked':
    $sUser = isset($_REQUEST['user']) ? process_db_input($_REQUEST['user']) : "";

2. Change the following (near line ~137):

case 'RayzSetMembershipSetting':
    $sKey = isset($_REQUEST['key']) ? $_REQUEST['key'] : "";
    $sValue = isset($_REQUEST['value']) ? $_REQUEST['value'] : "";

to the following:

case 'RayzSetMembershipSetting':
    $sKey = isset($_REQUEST['key']) ? process_db_input($_REQUEST['key']) : "";
    $sValue = isset($_REQUEST['value']) ? process_db_input($_REQUEST['value']) : "";

3. Change the following (near line ~166):

$iCurrentTime = time();
$sSex = isset($_REQUEST['sex']) ? $_REQUEST['sex'] : "M";
$sAge = isset($_REQUEST['age']) ? $_REQUEST['age'] : "25";

to the following:

$iCurrentTime = time();
$sSex = isset($_REQUEST['sex']) ? process_db_input($_REQUEST['sex']) : "M";
$sAge = isset($_REQUEST['age']) ? process_db_input($_REQUEST['age']) : "25";

NOTE:

We are working on the new DolphinPro package, which includes this fix as well as a number of other improvements. It may still be weeks away from being production-ready, so please, don't wait and apply this fix now.

Thank you!

Boonex Team

--Germany-- Sorry for my bad English :P
Quote · 20 Jun 2016
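All three changes in the email apply one pattern: a request parameter that was being concatenated into a SQL statement is passed through process_db_input() first. The script below is an added example, not code from Dolphin or BoonEx, and the Profiles table, its rows, the handler names and the attacker payloads are constructed for the demo (they stand in for whatever actions.inc.php really queries, which the email does not show). It reproduces the pattern on SQLite: the raw version lets one crafted `user` value rewrite the WHERE clause, while escaping the literal or binding it as a parameter keeps the value as data. It also shows the caveat a reviewer would raise for numeric parameters such as `age`: escaping quotes only protects a value that the query places inside quotes.

```python
"""Added example, not Dolphin code: why a raw request parameter inside a
SQL string is injectable, and what escaping (the role process_db_input()
plays in the advisory's fix) or parameter binding changes. The table,
rows, handler names and payloads below are constructed for this demo."""
import sqlite3


def make_db():
    """In-memory stand-in for a members table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Profiles (ID INTEGER PRIMARY KEY, NickName TEXT, "
               "Age INTEGER, Blocked INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO Profiles (NickName, Age) VALUES (?, ?)",
                   [("alice", 31), ("bob", 25), ("carol", 40)])
    return db


def blocked_users(db):
    """Nicknames currently flagged as blocked, sorted for stable comparison."""
    return [r[0] for r in db.execute(
        "SELECT NickName FROM Profiles WHERE Blocked = 1 ORDER BY NickName")]


def escape_sql_literal(value):
    """Minimal escaping of a string for use inside single quotes. Quote
    doubling is the SQLite/ANSI form; MySQL-style escaping (what a Dolphin
    install talks to) backslash-escapes as well, but the job is the same:
    the input can no longer terminate the quoted literal it sits in."""
    return value.replace("'", "''")


def block_user_vulnerable(db, user):
    """Pre-fix pattern: the request value is dropped straight into the SQL."""
    sql = "UPDATE Profiles SET Blocked = 1 WHERE NickName = '" + user + "'"
    db.execute(sql)
    return sql


def block_user_escaped(db, user):
    """Post-fix pattern: the value is escaped before concatenation."""
    sql = ("UPDATE Profiles SET Blocked = 1 WHERE NickName = '"
           + escape_sql_literal(user) + "'")
    db.execute(sql)
    return sql


def block_user_param(db, user):
    """Alternative: bind the value; the driver never parses it as SQL."""
    db.execute("UPDATE Profiles SET Blocked = 1 WHERE NickName = ?", (user,))


def block_age_escaped_unquoted(db, age):
    """Caveat: escaping quotes does nothing for a value the query uses
    unquoted (numeric context). No quote is needed to break out here."""
    sql = "UPDATE Profiles SET Blocked = 1 WHERE Age = " + escape_sql_literal(age)
    db.execute(sql)
    return sql


def block_age_safe(db, age):
    """Numeric parameters: validate the type first, then bind it."""
    db.execute("UPDATE Profiles SET Blocked = 1 WHERE Age = ?", (int(age),))


def age_rejected(age):
    """True when a non-numeric age is refused before it reaches the query."""
    try:
        block_age_safe(make_db(), age)
    except ValueError:
        return True
    return False


USER_PAYLOAD = "nobody' OR '1'='1"   # constructed attacker value for ?user=
AGE_PAYLOAD = "0 OR 1=1"             # constructed attacker value for ?age=


def demo():
    """Run each handler against a fresh table; returns who ended up blocked."""
    outcomes = {}
    for name, handler, arg in [
        ("vulnerable", block_user_vulnerable, USER_PAYLOAD),
        ("escaped", block_user_escaped, USER_PAYLOAD),
        ("param", block_user_param, USER_PAYLOAD),
        ("legit_escaped", block_user_escaped, "bob"),
        ("age_escaped_unquoted", block_age_escaped_unquoted, AGE_PAYLOAD),
        ("age_safe", block_age_safe, "25"),
    ]:
        db = make_db()
        handler(db, arg)
        outcomes[name] = blocked_users(db)
    return outcomes


if __name__ == "__main__":
    for name, users in demo().items():
        print(f"{name:22s} blocked -> {users}")
```

The vulnerable handler blocks every member from a single request because the payload closes the quoted literal and appends `OR '1'='1'`; the escaped and bound versions block nobody, since the whole payload is compared as a nickname. The `age` case is the part to check in your own copy of the file: process_db_input() only helps where the query wraps the value in quotes, so a parameter used in a bare numeric comparison needs a cast (or a bound parameter) as well.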

This is a real message, and these changes should be applied. We've already emailed our own customers and have been updating sites both at Zarconia and on BoonEx subscriptions.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 20 Jun 2016

This is a real message, and these changes should be applied. We've already emailed our own customers and have been updating sites both at Zarconia and on BoonEx subscriptions.

 What about sites that are not using the chat module at all?

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 20 Jun 2016

This is real; I also contacted the Boonex team and it has been confirmed.

One thing though, this bug report states: "An SQL injection vulnerability was found in flash/modules/chat/inc/actions.inc.php"
but it would be helpful to know what the vulnerabilities are if the SQL injection does take place on my site before I apply this patch. Are they going to steal members' info? Hijack the site? What are the potential consequences?

Thx. 

Quote · 20 Jun 2016

Good point @

Quote · 20 Jun 2016

Just to state that I tried this change and it did not work; after 3 attempts I finally had to resort to a backup copy I had of the original.

Quote · 20 Jun 2016

Good to know @quantum. This is one of the reasons I asked what potential vulnerabilities are if we don't apply the patch now..

Also, what if I am using Chat+ rather than the old flash Chat ? is this worth it ?

We need some answers from the Boonex team please.. 

Quote · 20 Jun 2016

While the file with the vulnerability is in place, the problem exists. 

What about sites that are not using the chat module at all?

Rules → http://www.boonex.com/terms
Quote · 20 Jun 2016

We will not disclose any more details for now, for security reasons; after about 2 weeks we'll be able to provide more info upon request.

what the vulnerabilities are if the SQL injection does take place on my site before I apply this patch ?  Are they going to steal members info ? Hijack the site ? what are the potential consequences ?

Rules → http://www.boonex.com/terms
Quote · 20 Jun 2016

Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.