Severe security issues

Hi there,

I have found some severe security issues within Dolphin which make it, in my mind, impossible to use it for professional use:

- cookie injection attacks are possible in Dolphin for index.php (I may tell more by PM to boonex itself)

- cross-site scripting attacks are possible for index.php (I may tell more by PM to boonex itself)

- if I encrypt calls for the administration/index.php or member.php with SSL, logging in isn't possible anymore. Without SSL it's possible without a problem.

- the use of 'crossdomain.xml' within Dolphin is a security risk. See: http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html

IMHO boonex has to work hard to solve these issues. Without possible SSL-encrypted login and personal data the use of Dolphin in a professional environment is out of the question. Also: nobody would pay big $$$ for Dolphin as mentioned in the clip on the boonex website if they find these issues hidden in the Dolphin code.

Regards

nilico

 

Quote · 19 Mar 2011

If there are actual severe security issues in the script, you should contact BoonEx immediately, rather than making a topic and only offering to contact them if requested.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 19 Mar 2011

Hi again,

I have sent Mr. boon the issues and I will make them public to show that they are real:

[Magnussoft: I'd recommend against posting security exploits for the public to see.]

 

Hope it will get at least some attention now.

 

Regards,

nilico

 

Quote · 20 Mar 2011

I wonder ... are there any updates? or action taken? or tickets logged?

 

Will this be continued? ...

Quote · 22 Mar 2011

Hello everyone,

the XSS issue got addressed by AlexT and he assured me that they will be addressed in the 7.0.6 release.

They will try to release it as soon as possible. For the time being he suggested to turn on magic_quotes_gpc within the PHP settings. That does not fix the hole in full, but it gives a bit more of security till 7.0.6.

Hope that helps anyone waiting for information.

Regards,

nilico

Quote · 23 Mar 2011

I thought Dolphin 7 went through a bunch of security checks prior to being released?

Quote · 24 Mar 2011

 

I thought Dolphin 7 went through a bunch of security checks prior to being released?

I've always wondered the results of those audits. I've seen a lot of security-related fixes over the months, which suggests to me it wasn't very thorough (the audits).

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 24 Mar 2011

Question is if there were really some audits :-) A friend of mine makes an online accounting software here in CZ (a well-known one) and on his website there are several sentences and highlights about large security audits on his software - but I know there actually wasn't any real audit .. so it's a bit questionable if boonex really did an audit or if that was just a purpose to get more sales and attention - I can't judge it, I just wanted to say many people do this ...

Quote · 24 Mar 2011

Are these issues fixed now?

I just found this in the crossdomain.xml file of 7.0.9

<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>

According to lots of security websites, this opens up to all cross-site request forgeries.

Isn't it possible to limit this just to the domain?

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="yourdomain.com" />
    <allow-access-from domain="*.yourdomain.com" />
</cross-domain-policy>

Check my GeoDistance, Watermark, TorBlock and Android Push Notifications mods | http://goo.gl/H3Vp81
Quote · 26 Oct 2012
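
A way to check a crossdomain.xml for the wildcard grant discussed in the last post, written as an added example that is not part of the thread or of BoonEx's code. It goes beyond the two quoted policies by also checking `secure="false"` and `site-control`, both part of Adobe's policy file format; `audit_policy`, `GRANTS` and the `LOOSE` sample are names and data made up for this illustration.

```python
import xml.etree.ElementTree as ET

# The two policies quoted in the post above.
SHIPPED = ('<?xml version="1.0"?><cross-domain-policy>'
           '<allow-access-from domain="*" /></cross-domain-policy>')
RESTRICTED = '''<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
    <allow-access-from domain="yourdomain.com" />
    <allow-access-from domain="*.yourdomain.com" />
</cross-domain-policy>'''
# Constructed sample (not from the thread): other settings that widen trust.
LOOSE = '''<cross-domain-policy>
    <site-control permitted-cross-domain-policies="all" />
    <allow-access-from domain="*.example.net" secure="false" />
</cross-domain-policy>'''

GRANTS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(xml_text, own_domain):
    """Return (severity, message) findings for one crossdomain.xml body."""
    root = ET.fromstring(xml_text)  # the external DTD in DOCTYPE is not fetched
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    findings = []
    for el in root:
        if el.tag == "site-control":
            if el.get("permitted-cross-domain-policies") == "all":
                findings.append(("medium", "any policy file on the host is honoured"))
        elif el.tag in GRANTS:
            domain = el.get("domain", "").strip().lower()
            base = domain[2:] if domain.startswith("*.") else domain
            if domain == "*":
                findings.append(("high", f"<{el.tag}> trusts every origin"))
            elif base != own_domain and not base.endswith("." + own_domain):
                findings.append(("medium", f"{domain} is outside {own_domain}"))
            elif domain.startswith("*."):
                findings.append(("info", f"every subdomain of {base} is trusted"))
            if el.get("secure", "true").lower() == "false":
                findings.append(("medium", f'{domain}: secure="false" allows HTTP origins'))
    return findings


if __name__ == "__main__":
    for name, body in (("shipped", SHIPPED), ("restricted", RESTRICTED), ("loose", LOOSE)):
        print(name, audit_policy(body, "yourdomain.com"))
```

The restricted policy still yields an informational finding, because `*.yourdomain.com` extends trust to whatever is hosted on any subdomain.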
 
 