Attack of custom profile fields!

Reply·Subscribe
mauricecano
mauricecanoPremium
1327 posts
0
 

This is horrible

 

It is impossible to make any customized profile fields because boonex thinks its an attack if the users actually try to change them.  Boonex these possible attacks are greater than high priority.  Get your security right and stop this nonsense.  We want users to be able to customize thier profile without admins getting the below email or worse.

 

I make the customized profile fields and test it with the test profile.  I get the following email.  However, when I change the custom profile field with the admin, boonex will accept the change and update the profile accordingly.  Fix this now.

 

Total impact: 12
Affected tags: sqli, id, lfi

Variable: REQUEST.sensored.0 | Value: 2\"
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42

Variable: POST.sensored.0 | Value: 2\"
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42
Quote · 15 Nov 2009
MichelSwiss
MichelSwissAdvanced
1062 posts
0
 

Ticket added (generic): http://www.boonex.com/trac/dolphin/ticket/1467

Life is a fatal disease, sexually transmissible - Virginity is carcinogenic! Ask here for vaccine.
Quote · 15 Nov 2009
AlexT
AlexTNavigator
6101 posts
0
 

This problem has been fixed in 13237 and 13238 revision

Rules → http://www.boonex.com/terms
Quote · 16 Nov 2009
mauricecano
mauricecanoPremium
1327 posts
0
 

Did the changeset and still get this error when using custom profile fields.  I cleaned the cache and my browser cache to make sure.

 

Total impact: 12
Affected tags: sqli, id, lfi

Variable: REQUEST.sensored.0 | Value: 2\"
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42

Variable: POST.sensored.0 | Value: 2\"
Impact: 6 | Tags: sqli, id, lfi
Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42
Quote · 16 Nov 2009
Eli
EliAdvanced
870 posts
0
 

The same prob here , cleaned all the cach and db and js and clear my browser , i even thinked to restore my computer ( lol joke ) yea guys nothing changed , the possible attack is the only thing that Annoye me and eveyone here .

Please fix it and better test it in your admin area befor we test it lol

Peace and bread .

Proud Hosted by Zarconia.net
Quote · 16 Nov 2009
mauricecano
mauricecanoPremium
1327 posts
0
 

bumps

Quote · 16 Nov 2009
houstonlively
houstonlivelyBosun
6808 posts
0
 

For some reason, that email content brought me to tears.. rofl

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 16 Nov 2009
mauricecano
mauricecanoPremium
1327 posts
0
 

shh.... can't tell you what project I"m on but fixed it.

Quote · 16 Nov 2009
houstonlively
houstonlivelyBosun
6808 posts
0
 

RE: shh.... can't tell you what project I"m on but fixed it.

Pretty sneaky edit.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 17 Nov 2009
Reply ›
 
 
Home
Features
Pricing
Hosting
Support
About
StartDemo
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.

Blogs

Dolphin.Pro News
BoonEx News
Our Journey
Social Software World
Community Voice

Help

Support Forums
Documentation
BoonEx at GitHub
Knowledge Base
Contact Support Team

Product

Dolphin.Pro Features
Live Demo & Sandbox
Download Packages
Pricing & Order
Contact Sales Team

Company

Contact Us
About BoonEx
Privacy Policy
Terms & Conditions
© BoonEx Pty Ltd