Last week my Dolphin install had a number of issues, so DolphinGeeks took it down to do some repairs (still under repair). During this time, I'm not sure what caused it, but users tried to get onto the site via their profile pages and the program gave them a screen with several error messages, then included a huge MySQL database dump. In the first five lines of the dump, it had "user name" and "password" followed by my MySQL password information!
This is horrible! A huge flaw with the program: if it goes down like that, users should not have access to the main database password. I've never seen anything like that before in the years I've been using MySQL, and I'm not that good with databases, but I still have never seen that!
DolphinGeeks emailed me last night telling me they couldn't log into the FTP. So I tried it this afternoon, and I couldn't either. Then I tried going in via cPanel, and no luck either! Luckily I have shell access to my dedicated server via Arvixe, and I was able to go in and change the password. Now it all works. So something happened, and I'm not too savvy about password-retrieval hacking, so I can't say for sure it was because of that Dolphin database dump, but my passwords were different and now my flags and suspicions are high.
Has anyone had something like this happen?
|
I consider this a bug, thats why I posted it here, please let me know if I should've posted it elsewhere. |
This is a (somewhat) known issue, and I agree, it's unacceptable. This is the number-one reason why I have not yet launched any web sites to the public which run on Dolphin 7.
I wouldn't be surprised if your account information was compromised via this method, especially since your database access passwords are the same as your other passwords by default when using Arvixe.
Not a lot of people seem to know of it, though, which is why, when I call Dolphin 7 a "ticking time bomb," I'm not joking. It literally is, because the second you suffer a certain database error, you will have all your sensitive information at the fingertips of whoever sees it. And if this is a public web site, that can be anyone.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
This is a (somewhat) known issue, and I agree, it's unacceptable. This is the number-one reason why I have not yet launched any web sites to the public which run on Dolphin 7.
I wouldn't be surprised if your account information was compromised via this method, especially since your database access passwords are the same as your other passwords by default when using Arvixe.
Not a lot of people seem to know of it, though, which is why, when I call Dolphin 7 a "ticking time bomb," I'm not joking. It literally is, because the second you suffer a certain database error, you will have all your sensitive information at the fingertips of whoever sees it. And if this is a public web site, that can be anyone.
And why is it that way?... Because people forget to disable error reporting.
|
And why is it that way?... Because people forget to disable error reporting.
Tick.
Tick.
Tick.
Boom.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
With Notepad, create a file called phperr.txt and upload it to the folder /inc/.
Now add this to your php.ini settings:
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL
Make sure you change the path :)
Now all the errors will be saved to that file, so you can view it anytime. All your users get to see is "database error" and nothing else.
|
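An added example (not from this thread or from BoonEx) that audits a php.ini for the settings the post above lists: it confirms errors go to a log instead of the browser, flags an error_log stored under the web root (the /inc/ path in the post sits inside html/, so the log that now holds the dump is itself fetchable by visitors), and reports the log's size, since a later reply notes it only grows. The ini contents and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit php.ini error handling. Demo inputs are constructed.

# get_ini KEY FILE -> value of the last uncommented KEY line, lowercased
get_ini() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z'
}

# audit_php_ini FILE DOCROOT -> returns 0 when safe, else prints findings and returns 1
audit_php_ini() {
    ini=$1; docroot=$2; bad=0
    [ "$(get_ini display_errors "$ini")" = off ] \
        || { echo "display_errors is not Off: errors (and any DB dump) reach the browser"; bad=1; }
    [ "$(get_ini display_startup_errors "$ini")" = off ] \
        || { echo "display_startup_errors is not Off"; bad=1; }
    [ "$(get_ini log_errors "$ini")" = on ] \
        || { echo "log_errors is not On: nothing is kept for you to review"; bad=1; }
    log=$(sed -n 's/^[[:space:]]*error_log[[:space:]]*=[[:space:]]*//p' "$ini" | tail -n 1)
    case "$log" in
        "")            echo "error_log is unset"; bad=1 ;;
        "$docroot"/*)  echo "error_log $log is inside the web root: visitors can fetch it"; bad=1 ;;
    esac
    return $bad
}

# log_size_mb FILE -> size in MB (0 if missing); rotate the log, it never shrinks on its own
log_size_mb() {
    if [ -f "$1" ]; then echo $(( $(wc -c < "$1") / 1048576 )); else echo 0; fi
}

# --- constructed demo inputs ---
tmp=$(mktemp -d)
printf 'display_errors = On\nlog_errors = Off\n' > "$tmp/weak.ini"
printf 'display_errors = Off\ndisplay_startup_errors = Off\nlog_errors = On\n' > "$tmp/inroot.ini"
printf 'error_log = /home/content/example/html/inc/phperr.txt\n' >> "$tmp/inroot.ini"
printf 'display_errors = Off\ndisplay_startup_errors = Off\nlog_errors = On\n' > "$tmp/fixed.ini"
printf 'error_log = /var/log/php/phperr.txt\nerror_reporting = E_ALL\n' >> "$tmp/fixed.ini"

audit_php_ini "$tmp/weak.ini"   /home/content/example/html || echo "weak.ini: FAIL"
audit_php_ini "$tmp/inroot.ini" /home/content/example/html || echo "inroot.ini: FAIL"
audit_php_ini "$tmp/fixed.ini"  /home/content/example/html && echo "fixed.ini: OK"
echo "current log size: $(log_size_mb /var/log/php/phperr.txt) MB"
```

Keeping the log outside the document root (or at least denying web access to it) matters as much as turning display_errors off, because the log contains exactly the dump the browser used to show.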
With Notepad, create a file called phperr.txt and upload it to the folder /inc/.
Now add this to your php.ini settings:
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL
Make sure you change the path :)
Now all the errors will be saved to that file, so you can view it anytime. All your users get to see is "database error" and nothing else.
In my opinion, the script shouldn't be chuggin' out such information in the first place.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
OMG, see, this is why a manual is needed; little things like this really need to be known and not hidden deep in the forums!
Thank you Prolaznik and Magnussoft!
|
Thanks for this post... I was planning on launching a D7 version to the public next week; now I may hold off.... Thanks for the script as well! |
LOL> Great idea to protect your info but I learned one thing. Ya gotta keep an eye on that file, especially on how big it gets over time. I just found mine during my move/upgrade and the damned thing has grown to over 400 megs!! So big I'm gonna have to download it to have a gander.... http://towtalk.net ... Hosted by Zarconia.net! |
RE;
LOL> Great idea to protect your info but I learned one thing. Ya gotta keep an eye on that file, especially on how big it gets over time. I just found mine during my move/upgrade and the damned thing has grown to over 400 megs!! So big I'm gonna have to download it to have a gander....
Thanks for checking into this thread. See you again in another three years?
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |