mySQL password security flaw

Last week my Dolphin install had a number of issues, so DolphinGeeks took it down to do some repairs (still under repair). During this time, I'm not sure what caused it, but users tried to get onto the site via their profile pages and the program gave them a screen with several error messages that included a huge mySQL database dump. In the first five lines of the dump, it had "user name" and "password" followed by my mySQL password information!

This is horrible! A huge flaw with the program: if it goes down like that, users should not have access to the main database password. I've never seen anything like that before in the years I've been using mySQL, and I'm not that good with databases, but I have still never seen that, ever!

DolphinGeeks emailed me last night telling me they couldn't log into the FTP. So I tried it this afternoon, and I couldn't either. So then I tried going in via the cPanel, and no luck either! Luckily I have shell access to my dedicated server, via Arvixe, and I was able to go in and change the password. Now it all works. So something happened, and I'm not too password-retrieval hacker savvy, so while I can't say for sure it was because of that Dolphin database dump, my passwords were different and now my flags and suspicions are high.

Has anyone had something like this happen?

Quote · 25 Mar 2010

I consider this a bug, that's why I posted it here. Please let me know if I should've posted it elsewhere.

Quote · 25 Mar 2010

This is a (somewhat) known issue, and I agree, it's unacceptable. This is the number-one reason why I have not yet launched any web sites to the public which run on Dolphin 7.

I wouldn't be surprised if your account information was compromised via this method, especially since your database access passwords are the same as your other passwords by default when using Arvixe.

Not a lot of people seem to know of it, though, which is why when I call Dolphin 7 a "ticking time bomb," I'm not joking. It literally is, because the second you suffer a certain database error, you will have all your sensitive information at the fingertips of whoever sees it. And if this is a public web site, that can be anyone.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 25 Mar 2010

> This is a (somewhat) known issue, and I agree, it's unacceptable. This is the number-one reason why I have not yet launched any web sites to the public which run on Dolphin 7.
>
> I wouldn't be surprised if your account information was compromised via this method, especially since your database access passwords are the same as your other passwords by default when using Arvixe.
>
> Not a lot of people seem to know of it, though, which is why when I call Dolphin 7 a "ticking time bomb," I'm not joking. It literally is, because the second you suffer a certain database error, you will have all your sensitive information at the fingertips of whoever sees it. And if this is a public web site, that can be anyone.

And why is it that way?... Because people forget to disable the error reporting.

Quote · 25 Mar 2010

> and why is it that way?... because people forget to disable the error reporting

Tick.

Tick.

Tick.

Boom.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 25 Mar 2010

With Notepad, create a file called phperr.txt and upload it to the folder /inc/

Now add this to your php.ini settings:

display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /home/content/your/path/html/inc/phperr.txt
error_reporting = E_ALL

Make sure you change the path :)

Now all the errors will be saved to that file so you can view it any time. All your users get to see is "database error" and nothing else.

Quote · 25 Mar 2010
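The settings above stop PHP from printing errors to the browser, but the application code also has to avoid echoing connection details itself. The following is an added example, not code from this thread or from Dolphin: it applies the same php.ini settings at runtime (a fallback for hosts where php.ini cannot be edited) and handles a failed database connection so that only a generic message reaches the user while the reason is written to the log. The log path, host, user, password and database name are placeholders, and the mysqli extension is assumed to be installed. One caveat on the post's layout: /inc/ sits under the web root, so make sure the web server will not serve phperr.txt, or move the log outside the document root.

```php
<?php
// Added example (not Dolphin code). Placeholder paths and credentials throughout.
declare(strict_types=1);

// Same settings the post puts in php.ini, applied from PHP as a fallback.
// php.ini remains the right place for them; display_startup_errors in
// particular only takes effect when set in php.ini, so it is left out here.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/phperr.txt');   // placeholder; prefer a path outside the web root
error_reporting(E_ALL);

// Last line of defence: anything uncaught is logged in full and the user
// sees a generic message rather than a stack trace or a dump of arguments.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('Uncaught %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo "Database error\n";
});

/**
 * Open a mysqli connection. On failure, log host, user and the server's
 * reason (never the password) and throw a generic exception for callers.
 */
function connectDb(string $host, string $user, string $pass, string $db): mysqli
{
    // Make mysqli throw exceptions instead of emitting warnings, so a failure
    // cannot surface as printed warning text with the call's arguments in it.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        return new mysqli($host, $user, $pass, $db);
    } catch (mysqli_sql_exception $e) {
        error_log(sprintf('DB connect failed for %s@%s: %s', $user, $host, $e->getMessage()));
        throw new RuntimeException('database unavailable');
    }
}

// Placeholder credentials: with no server listening, this fails, the detail
// goes to phperr.txt, and the browser only ever sees "Database error".
$db = connectDb('127.0.0.1', 'dolphin_user', 'placeholder-password', 'dolphin');
```

The important separation is between the two sinks: `error_log()` goes to the file named by `error_log` and may carry the host and user name, while everything sent to the browser is a fixed string. The password is never passed to any logging call, so even the log file does not contain it.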

> With Notepad, create a file called phperr.txt and upload it to the folder /inc/
>
> Now add this to your php.ini settings:
>
> display_errors = Off
> display_startup_errors = Off
> log_errors = On
> error_log = /home/content/your/path/html/inc/phperr.txt
> error_reporting = E_ALL
>
> Make sure you change the path :)
>
> Now all the errors will be saved to that file so you can view it any time. All your users get to see is "database error" and nothing else.

In my opinion, the script shouldn't be chuggin' out such information in the first place.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 25 Mar 2010

OMG, see this is why a manual is needed, little things like this really need to be known and not hidden deep in the forums!

Thank you Prolaznik and Magnussoft!

Quote · 25 Mar 2010

Thanks for this post... I was planning on launching a D7 version to the public next week, now I may hold off... thanks for the script as well!

Quote · 25 Mar 2010

LOL> Great idea to protect your info but I learned one thing. Ya gotta keep an eye on that file, especially on how big it gets over time. I just found mine during my move/upgrade and the damned thing has grown to over 400 megs!! So big I'm gonna have to download it to have a gander....

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 16 Nov 2012
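The post above is the usual outcome of `error_reporting = E_ALL` with a log that nobody rotates. As an added example (not code from the thread or from Dolphin), the function below rotates the error log once it passes a size threshold, keeps a fixed number of old copies, and recreates the log with owner-only permissions. The log path and the threshold are placeholders; the demo at the bottom writes a constructed log into the system temp directory and rotates it at a deliberately small threshold so it can be run without touching a real site.

```php
<?php
// Added example (not Dolphin code). Rotate a PHP error log by size.
declare(strict_types=1);

/**
 * Rotate $logPath to $logPath.1 (shifting older copies to .2, .3, ...) once
 * it exceeds $maxBytes. Copies beyond $keep are dropped. Returns true when a
 * rotation happened, false when the file was missing or still small enough.
 */
function rotateErrorLog(string $logPath, int $maxBytes = 10 * 1024 * 1024, int $keep = 5): bool
{
    clearstatcache(true, $logPath);
    if (!is_file($logPath) || filesize($logPath) < $maxBytes) {
        return false;
    }

    // Shift existing rotations up one slot, oldest first: .4 -> .5, ..., .1 -> .2.
    // rename() overwrites the target, so the copy beyond $keep simply disappears.
    for ($i = $keep - 1; $i >= 1; $i--) {
        $from = "$logPath.$i";
        if (is_file($from)) {
            rename($from, "$logPath." . ($i + 1));
        }
    }
    rename($logPath, "$logPath.1");

    // Start a fresh, empty log readable only by the owning (web server) user.
    touch($logPath);
    chmod($logPath, 0600);
    return true;
}

// Constructed demo: a throwaway log in the temp directory, rotated at 1 KiB.
$log = sys_get_temp_dir() . '/phperr-demo.txt';
file_put_contents($log, str_repeat("[demo] PHP Warning: constructed sample line\n", 100));

$rotated = rotateErrorLog($log, 1024, 3);
clearstatcache(true, $log);
echo 'rotated: ', var_export($rotated, true), "\n";
echo 'current log size: ', filesize($log), " bytes\n";
echo 'archived copy: ', is_file("$log.1") ? 'present' : 'missing', "\n";
```

Run it from cron (or from a scheduled task on the host) rather than on every request, so the size check does not add a stat call to each page load. PHP opens the error_log file for each write, so renaming it between writes loses nothing; a mid-write rename on a busy site at worst moves a single line into the archived copy.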

> LOL> Great idea to protect your info but I learned one thing. Ya gotta keep an eye on that file, especially on how big it gets over time. I just found mine during my move/upgrade and the damned thing has grown to over 400 megs!! So big I'm gonna have to download it to have a gander....

Thanks for checking into this thread. See you again in another three years?

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 16 Nov 2012
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.