??DolphinPro 7 Security Alert. ACTION REQUIRED. ??

I become a mail today with a security alert.

but the code changes make me feel suspect... 

Is this a real message or a fake mail, to build in a backdoor?

And ist this good code?  is ((isset(1))?'1':'2') not better?

Hi Webby0815!

This is an urgent announcement for everyone using DolphinPro 7.0.2 and all newer versions. An SQL injection vulnerability was found in flash/modules/chat/inc/actions.inc.php file and needs to be fixed immediately.

• If you can, please use instructions below to apply the fix immediately.
• If you are hosting your site with us on a Boonex plan and need help with this fix, please reply to this email (or write to team@boonex.com) to arrange access to your site. We will apply the fix for you as soon as we get the authorisation from you.

INSTRUCTIONS (3 changes)

All changes are in flash/modules/chat/inc/actions.inc.php file.

1. Change the following (near ~121 line):

case 'RzSetBlocked':

   $sUser = isset($_REQUEST['user']) ? $_REQUEST['user'] : "";

to the following:

case 'RzSetBlocked':

    $sUser = isset($_REQUEST['user']) ? process_db_input($_REQUEST['user']) : "";

2. Change the following (near ~137 line):

case 'RayzSetMembershipSetting':

    $sKey = isset($_REQUEST['key']) ? $_REQUEST['key'] : "";

    $sValue = isset($_REQUEST['value']) ? $_REQUEST['value'] : "";

to the following:

case 'RayzSetMembershipSetting':

    $sKey = isset($_REQUEST['key']) ? process_db_input($_REQUEST['key']) : "";

    $sValue = isset($_REQUEST['value']) ? process_db_input($_REQUEST['value']) : "";

3. Change the following (near ~166 line):

$iCurrentTime = time();

$sSex = isset($_REQUEST['sex']) ? $_REQUEST['sex'] : "M";

$sAge = isset($_REQUEST['age']) ? $_REQUEST['age'] : "25";

to the following:

$iCurrentTime = time();

$sSex = isset($_REQUEST['sex']) ? process_db_input($_REQUEST['sex']) : "M";

$sAge = isset($_REQUEST['age']) ? process_db_input($_REQUEST['age']) : "25";

NOTE:

We are working on the new DolphinPro package, which includes this fix as well as a number of other improvements. It may still be weeks away from being production-ready, so please, don't wait and apply this fix now.

Thank you!

Boonex Team

This is a real message, and these changes should be applied. We've already emailed our own customers and have been updating sites both at Zarconia and on BoonEx subscriptions.

 What about sites that are not using the chat module at all?

This is real, I also contacted the Boonex team & it has been confirmed..

One thing tho, this bug states:  "An SQL injection vulnerability was found in flash/modules/chat/inc/actions.inc.php  "
but it would be helpful to know what the vulnerabilities are if the SQL injection does take place on my site before I apply this patch ?  Are they going to steal members info ? Hijack the site ? what are the potential consequences ?

Thx. 

Good point @newton27  !

Just to state I tried this change and it did not work, after 3 atempts had to finally resort to a back up copy I had of the original

Good to know @quantum. This is one of the reasons I asked what potential vulnerabilities are if we don't apply the patch now..

Also, what if I am using Chat+ rather than the old flash Chat ? is this worth it ?

We need some answers from the Boonex team please.. 

While the file with the vulnerability is in place, the problem exists. 

We will not disclosure any more details for now for the security reasons, after about 2 weeks we'll be able to provide more info upon the request.