Security Problems!

Boonex

Product: Dolphin CMS v7.0.9

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the Boonex Dolphin CMS v7.0.9 content management system. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). The vulnerabilities are located in the user profile Map location name & listing but also in the unsanitized album (gallery) name & output listings. The CMS itself allows via management function to publish vulnerable albums (name) & profiles (location) (Public, Me, Share & Co) which impacts a high risk. Remote attackers can exchange the persistent malicious script code after the inject with the users profile or album share functions. Exploitation requires low user interaction & low privileged user account. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation.

Vulnerable Location(s):
[+] Profile [Location] - Location Name & Listing
[+] Album (Gallery) - Album Name & Listing

Vulnerable Module(s):
[+] disignBoxFirst
[+] boxContent > dbContent

Vulnerable Parameter(s):
[+] dbTitle
[+] bx_map_curr_loc

Proof of Concept:
=================
The persistent vulnerabilities can be exploited by remote attackers with low required user interaction. For demonstration or reproduce ...

I left this part out..

Solution:
=========
2012-05-17: Vendor Fix/Patch

Note: Publicly available release v7.1.0 - Changeset 16256
Updates: http://www.boonex.com/trac/dolphin/changeset/16256

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 16 Jan 2013

If you're still running a 7.0.9 site like me, it seems Boonex has failed to warn us of this problem.

The posted solution to the problem is to upgrade to 7.1. I cannot do that on certain sites without losing money and members..

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 16 Jan 2013

There is no way I can move my site to 7.1. It has far too much custom work that I do not intend to pay for again.... Perhaps Boonex should come up with a better solution to this....

Quote · 16 Jan 2013

Those changes are not 7.1 specific. The change set you posted is from the 7.0 branch.

So just apply the changes to 7.0.9.

I did.



https://www.deanbassett.com
Quote · 16 Jan 2013

 

> Those changes are not 7.1 specific. The change set you posted is from the 7.0 branch.
>
> So just apply the changes to 7.0.9.
>
> I did.

When did you apply them? Just now, because my sites need the changes!

Off I go..

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 16 Jan 2013

> When did you apply them? Just now, because my sites need the changes!

Yes

https://www.deanbassett.com
Quote · 16 Jan 2013

 

>> When did you apply them? Just now, because my sites need the changes!
> Yes

OK, I just had to update five sites.

Shouldn't we have been informed of this a bit better?

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 16 Jan 2013

BoonEx said before that they don't want to announce vulnerabilities until enough people have applied a patch or new version with the fixes.  However, this changeset is 8 months old...

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 16 Jan 2013

Well it wasn't too hard to find the damn article. Was doing a simple search,

https://www.google.com/search?hl=en&newwindow=1&q=boonex+vulnerability&btnG=Search

http://www.securityfocus.com/archive/1/523122/100/800/threaded

You say most members updated, I didn't and I've been here three years and never was informed of this.

I do remember the fiasco when 7.0 - 7.0.7 came out full of holes.

If I missed this important update to the system, then I know many, many more missed this as well. 

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 16 Jan 2013

We sent a newsletter with this security alert:

26 July 2012 

Copy/paste text from newsletter:

Dolphin 7.0.9 Security Update  

The current stable version - Dolphin 7.0.9 has been reported to have a security issue which may affect your site in some very special circumstances. Although odds of the attack are relatively low, we recommend a prompt update of your site code to fix the vulnerability. Dolphin 7.1 has this vulnerability fixed, but since it isn't released yet we decided to publish this temporary workaround.

Instructions:

Step 1. Find file: /inc/classes/BxDolFilesModule.php 
locate code (near line 315): 
$sCaption = _t('_' . $this->_oConfig->getMainPrefix() . '_browse_by_' . $sParamName, process_pass_data($sParamValue)); 
replace with:
$sCaption = _t('_' . $this->_oConfig->getMainPrefix() . '_browse_by_' . $sParamName, htmlspecialchars_adv(process_pass_data($sParamValue)));

Step 2. Find file: /modules/boonex/files/classes/BxFilesModule.php 
locate code (near line 150): 
$sCaption = _t('_' . $this->_oConfig->getMainPrefix() . '_browse_by_' . $sParamName, process_pass_data($sParamValue)); 
replace with:
$sCaption = _t('_' . $this->_oConfig->getMainPrefix() . '_browse_by_' . $sParamName, htmlspecialchars_adv(process_pass_data($sParamValue)));

Step 3. Find file: /modules/boonex/map_profiles/classes/BxMapModule.php
locate code (near line 842): 
'text' => $r['address'] ? $r['address'] : _t('_bx_map_the_same_address'),
replace with:
'text' => $r['address'] ? htmlspecialchars_adv($r['address']) : _t('_bx_map_the_same_address'), 

Save changes and rock on!

Rules → http://www.boonex.com/terms
Quote · 17 Jan 2013
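A way to confirm that the three edits from the newsletter steps above are in place on each site, as an added example that is not part of the newsletter or of BoonEx's code. The function names `check_file` and `check_dolphin` are hypothetical; the file paths and patched fragments are the ones quoted in Steps 1 to 3, and the Dolphin root directory is passed as the argument.

```shell
#!/bin/sh
# Added example: verify the Dolphin 7.0.9 newsletter workaround is applied.
# Paths and code fragments come from Steps 1-3; function names are hypothetical.

# Fragments that exist only in the patched lines (matched as fixed strings).
CAPTION_FIX="htmlspecialchars_adv(process_pass_data(\$sParamValue))"
MAP_FIX="htmlspecialchars_adv(\$r['address'])"

# check_file ROOT RELPATH FRAGMENT
# Returns 0 if patched, 1 if the file lacks the fragment, 2 if the file is missing.
check_file() {
    file="$1/$2"
    if [ ! -f "$file" ]; then
        echo "MISSING   $2"
        return 2
    fi
    if grep -qF -- "$3" "$file"; then
        echo "PATCHED   $2"
        return 0
    fi
    echo "UNPATCHED $2"
    return 1
}

# check_dolphin ROOT
# Returns 0 only when all three files carry the patched line.
check_dolphin() {
    root="$1"
    rc=0
    check_file "$root" "inc/classes/BxDolFilesModule.php" "$CAPTION_FIX" || rc=1
    check_file "$root" "modules/boonex/files/classes/BxFilesModule.php" "$CAPTION_FIX" || rc=1
    check_file "$root" "modules/boonex/map_profiles/classes/BxMapModule.php" "$MAP_FIX" || rc=1
    return "$rc"
}

# Run against a site when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_dolphin "$1"
fi
```

The check only looks for the exact fragments from the newsletter, so a site that escapes these values some other way will be reported as UNPATCHED and needs a manual look.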
 
 