This weekend our Dolphin 6.1 site's entire membership was spammed by a phishing scammer, by abusing the "Get E-mail" function. If you have this function enabled, I strongly suggest you delete it. I suppose some more corporate sites might still have use for it, but for a social network or dating site, it's very bad news.
The phisher found our site by a Google search for "boonex dating sites and member profiles." That shows this is a known exploit by at least one spammer out there. Looking at the logs and the timestamps on the spam I got on my first account and recent test account's emails, the phisher signed up and proceeded to use the "Get E-mail" function on every single profile, by hand.
I was under the impression that the "Get E-mail" function queried a user if they would like to exchange e-mails automatically. It does not. A user who clicks this button is sent the other user's e-mail address immediately!
So this is a warning to all, you probably want to nuke this function from existence as it can be a big security flaw to your users' contact data.
As per other threads suggestions, in addition to simply disabling the functionality in the admin panel's membership levels, you can use the "anonymous mode" on the Advanced Settings to remove the button entirely (I'm unsure if that is all anonymous mode does, no threads seem to clarify if it does more). You can even go so far as to edit the relevant inc file to remove the related code.
|
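An added example, not from any post in this thread: the original poster found the harvesting by reading logs and timestamps, so this script parses constructed web-server access-log lines (combined format) and flags any client that fetched freemail.php?ID=... for many distinct profile IDs, which is the one-profile-at-a-time enumeration described above. The sample lines, IP addresses and threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined format); not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2010:02:14:01 +0000] "GET /freemail.php?ID=101 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2010:02:14:09 +0000] "GET /freemail.php?ID=102 HTTP/1.1" 200 810 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2010:02:14:15 +0000] "GET /freemail.php?ID=103 HTTP/1.1" 200 811 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2010:02:14:22 +0000] "GET /freemail.php?ID=104 HTTP/1.1" 200 809 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2010:02:20:40 +0000] "GET /profile.php?ID=101 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2010:02:21:02 +0000] "GET /freemail.php?ID=101 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def freemail_hits(log_text):
    """Map client IP -> set of profile IDs for successful freemail.php requests."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        url = urlparse(m.group("path"))
        if url.path != "/freemail.php":
            continue
        ids = parse_qs(url.query).get("ID")
        if ids:
            hits[m.group("ip")].add(ids[0])
    return hits


def flag_harvesters(log_text, threshold=3):
    """Clients that pulled e-mail addresses for at least `threshold` distinct profiles."""
    return {ip: sorted(ids) for ip, ids in freemail_hits(log_text).items()
            if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in flag_harvesters(SAMPLE_LOG).items():
        print(f"{ip} harvested {len(ids)} addresses: {', '.join(ids)}")
```

Run it against the real access log once the feature is disabled too: any further hits on freemail.php show who was still probing the direct URL.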
Yep, get rid of that feature or disable it. Best bet is to delete the code so no one can see or use it. |
Did you have it limited at all? Could even a new member at the lowest membership levels get all the emails he wanted. I am curious if this is really a flaw, or if it just wasn't configured quite right. |
Count me in on this answer.....
Did you have it limited at all? Could even a new member at the lowest membership levels get all the emails he wanted. I am curious if this is really a flaw, or if it just wasn't configured quite right.
|
Well, my co-admin and I consider that it needs a big warning. First, the fact that there's someone out there searching for Boonex Dolphin sites to exploit this on shows the spam community is taking advantage of it. Second, as I said, I'm rather surprised the function works as it does - I thought it would query the user if they wanted the e-mail released.
Limited? As in the limits you can perform in the admin panel? Have you actually tried those? They don't work! I've tried every combination I can think of to limit blogs, and as other threads suggested, classifieds. Neither works; I'm betting the rest don't either.
Perhaps by limit you meant limited to paid users. Well, if your site is big enough and your paid membership cost is reasonable...what's the going rate for e-mails nowadays?
As I briefly alluded to, the only possible case I can think of, and it's a bit of a stretch, is a corporate-oriented site where companies can allow users to get their e-mails for business correspondence - but they want an extra layer of protection from spam as opposed to simply putting their e-mail right in the HTML of their profile, thus limiting casual programs from lifting their addresses for spam.
I'm with PhillyChris and several others from other "Get E-mail" threads. People new to Dolphin need to know that most of the time this function is very bad news.
|
@cal et al
It is 100% a flaw. I have removed that feature from quite a few sites, because there is absolutely no reason to have that function on any site.
From any member's profile, you are able to grab their personal email address. I surely thought I had posted this before.
Yes, it's a flaw 100%, and a dangerous one at that.
Regards,
DosDawg
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
- A ton of discussion and no one bothers to just state what the solution is. After all, it's really not that difficult to dump this option off a site and be done with it forever. Of course, it seems that it's more fun for some to just talk about how it's a huge mistake to even code this into Dolphin. I guess that displays what some people are really here for.
Now, for those of you who want to get rid of this permanently you need to do the following:
1. Go to your Dolphin Root install and delete the following file (you can rename it if you like)
That will completely render the URL that obtains the e-mail addy useless. This takes care of the hackers who don't need a button to click to obtain the e-mail (you know, the ones who know what URL to type into the browser).
Next up, we dump the button completely and forever from the Actions Menu. Not really that hard to do either.
1. Open the following file(s):
- templates/base/scripts/BxBaseProfileView.php
2. Locate the following code:
- if ( !$this -> oTemplConfig -> bAnonymousMode )
$ret .= $oTemplMenu -> getActionsMenuItem( 'action_email.gif', _t('_Get E-mail'), "javascript:void(0);", '', '', "window.open( 'freemail.php?ID=$profileID', '', 'width={$this -> oTemplConfig -> popUpWindowWidth},height={$this -> oTemplConfig -> popUpWindowHeight},menubar=no,status=no,resizable=no,scrollbars=yes,toolbar=no,location=no' );" );
3. Replace it with:
- //if ( !$this -> oTemplConfig -> bAnonymousMode )
//$ret .= $oTemplMenu -> getActionsMenuItem( 'action_email.gif', _t('_Get E-mail'), "javascript:void(0);", '', '', "window.open( 'freemail.php?ID=$profileID', '', 'width={$this -> oTemplConfig -> popUpWindowWidth},height={$this -> oTemplConfig -> popUpWindowHeight},menubar=no,status=no,resizable=no,scrollbars=yes,toolbar=no,location=no' );" );
(You're really just commenting it out; you can delete it if you like.)
Now you're done; there is no button and no link/URL that is functional to obtain the e-mail without directly hacking the server. I know, it would have been way too hard to just tell readers how to do this vs. taking the time to complain about it; after all, complaining is so much more of an effective use of your time.
And no, this is not a flaw, it is something that was coded directly into Dolphin, I'm sure at the request of someone as it was in Development/Beta phase.
|
@cal et al
It is 100% a flaw. I have removed that feature from quite a few sites, because there is absolutely no reason to have that function on any site.
DosDawg
Well, LinkedIn, to give you one example, has something like it for their paying accounts. I'm not a big fan of this feature either, but I don't think this is a "flaw" in the sense that it is a bug - I think it was designed so that certain membership levels would have access to email. The "attack" that happened was apparently from a registered user who had these permissions for his membership level. Technically the site wasn't hacked.
|
Sorry that I've struck a chord, and I wasn't posting this to complain, but as a strongly worded FYI to new users. We just got another user snooping around through Google this week for a "boonex dating site" to exploit this. And yes, it's not a hack, it's exploiting the site functionality. It sure was a surprise to us, and I just want to keep other new users from finding out the hard way.
I just get the feeling most people here are using this software as a dating site or social network where this function doesn't belong. Yes, LinkedIn is an example of a corporate site that could possibly have use for something like this.
Thanks for those additional steps mydatery. If the site is put in anonymous mode, then a user could still use the direct URL to freemail.php?
|
Hi,
Thanks for the advice, but do you know how to do it in Dolphin 7?
Thanks,
Osama Katanani
|
Sorry that I've struck a chord, and I wasn't posting this to complain, but as a strongly worded FYI to new users. We just got another user snooping around through Google this week for a "boonex dating site" to exploit this. And yes, it's not a hack, it's exploiting the site functionality. It sure was a surprise to us, and I just want to keep other new users from finding out the hard way.
I just get the feeling most people here are using this software as a dating site or social network where this function doesn't belong. Yes, LinkedIn is an example of a corporate site that could possibly have use for something like this.
Thanks for those additional steps mydatery. If the site is put in anonymous mode, then a user could still use the direct URL to freemail.php?
In free mode yes, unless you follow ALL the steps to disable the button and shut down the URL for those hackers/spammers or whatever you want to call them that know the URL to type in. By deleting the file it will be completely useless across the board with or without the button.
|
Bumped for a couple of people. They know who they are. |
The below is not valid for Dolphin 7; do you know the code that needs to be changed for it?
2. Locate the following code:
- if ( !$this -> oTemplConfig -> bAnonymousMode )
$ret .= $oTemplMenu -> getActionsMenuItem( 'action_email.gif', _t('_Get E-mail'), "javascript:void(0);", '', '', "window.open( 'freemail.php?ID=$profileID', '', 'width={$this -> oTemplConfig -> popUpWindowWidth},height={$this -> oTemplConfig -> popUpWindowHeight},menubar=no,status=no,resizable=no,scrollbars=yes,toolbar=no,location=no' );" );
3. Replace it with:
- //if ( !$this -> oTemplConfig -> bAnonymousMode )
//$ret .= $oTemplMenu -> getActionsMenuItem( 'action_email.gif', _t('_Get E-mail'), "javascript:void(0);", '', '', "window.open( 'freemail.php?ID=$profileID', '', 'width={$this -> oTemplConfig -> popUpWindowWidth},height={$this -> oTemplConfig -> popUpWindowHeight},menubar=no,status=no,resizable=no,scrollbars=yes,toolbar=no,location=no' );" );
|