IMPORTANT. Dolphin 6.1.4 Security Patch Release

VictorT posted 25th of July 2008. 31 comments.

The new 6.1.4 security patch is released this week! Last week we found a vulnerability in Dolphin and have since been keeping an eye on the whole situation with hacks, checking reports and gathering information. Everything looked fine until today, when we found a new vulnerability in Orca.

The vulnerability is a cross-site scripting (XSS) flaw: Orca allows malicious code to be inserted into the title of a new topic.

This patch is very easy and quick to apply, so please apply it using these instructions.

 
Comments
HikeMaster
Thanks for the quick action!
sammie
nice and easy update, thank you team, nice to see you are on the ball now.
They should all be so easy. Thanks for the patch.
theGhost
groups/orca/ would have never thought.... glad I know how to follow instructions...Most of the time :) Thanks VictorT
Juker
Victor,

Thank you for jumping on these problems! Again you impress me with your sincerity to provide the community with not only functional but also secure software.

Good Job!

Juker
Nighto2007
Thank you Victor

The patch work fine

thank you for this hard work for make big dolphin script :)

regards
Rawaf
http://www.a7lakalam.com
gr8chirag
I have upgraded to 6.1.4 but am still getting this message, since the date of the recent site problems with regard to global settings:
Warning: main([path_to]inc/header.inc.php): failed to open stream: No such file or directory in /home/jaijine/public_html/periodic/cupid.php on line 21

Fatal error: main(): Failed opening required '[path_to]inc/header.inc.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/jaijine/public_html/periodic/cupid.php on line 21

Before, this message never used to come. Now every day around 30 to 40 messages are sent from the server to our id...

Kindly advise.
gameutopia
Well I don't know how this could change but you might check:
/periodic/cupid.php

Line 21 should say something like:
require_once( '/home/jaijine/public_html/inc/header.inc.php' );

Possibly you don't have the correct path to the file in cupid.php, in
this case "[path_to]inc/header.inc.php".

You need to make the path_to part the actual path. Which the script
sets itself to during installation.

Sounds like you do not actually have the path set at all. Like I said,
I don't know how this would happen unless you restored the file from
the original .zip file, which didn't have this info written to it yet.

If so be sure to check the others too:
/periodic/cmd.php
/periodic/cupid.php
/periodic/notifies.php

Also:
/inc/header.inc.php

And:
ray/modules/global/inc/header.inc.php

To verify that all paths are correctly set.
Topher
I disagree with this patch, and funny, this was caught by me almost 8 months ago in Orca 1.2. If you add this patch, it allows certain tags to be included in the title text, which is a problem: who wants an image or whatnot as a title? Try it :) This is the correct fix, without changing forum.php. In utils.inc.php, change:

function prepare_to_db(&$s, $iAllowHTML = 1)
{
    if ($iAllowHTML) {
        cleanPost($s);
    }
}

to:

function prepare_to_db(&$s, $iAllowHTML = 1)
{
    if ($iAllowHTML) {
        cleanPost($s);
    } else {
        // strip_tags() returns the stripped string; assign it back to $s
        // (passed by reference), otherwise the call has no effect.
        $s = strip_tags($s);
    }
}

This fix will strip ALL html out of the title --- much nicer...

:)

I posted this somewhere a WHILE ago...
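As an added example (not Dolphin or Orca project code, and not from any commenter), the two layers of defence that the title XSS in the announcement and the prepare_to_db() fix in the comment above call for: tags are stripped on the way into the database, and the title is HTML-escaped on the way out regardless of what was stored, so a stored payload cannot execute even if input filtering was bypassed. The functions sanitize_title() and render_title(), the sample titles and the PHP 7+ type declarations are assumptions made for this illustration; cleanPost() is the Orca function named in the comment and is not reproduced here.

```php
<?php
// Added example, not Orca code. Function names, sample titles and the
// PHP 7+ type declarations are assumptions for this illustration.

/**
 * Input-side defence: strip every HTML tag from a topic title when HTML
 * is not allowed, modifying the string in place (by reference) the way
 * prepare_to_db() does. The HTML-allowed branch is a no-op here because
 * Orca's cleanPost() is not part of this example.
 */
function sanitize_title(string &$s, bool $allowHtml = false): void
{
    if ($allowHtml) {
        return;
    }
    // strip_tags() returns a new string; assigning it back is what makes
    // the stripping take effect on the caller's variable.
    $s = trim(strip_tags($s));
}

/**
 * Output-side defence: escape the title at every point where it is echoed
 * into HTML. This layer neutralises stored XSS even for titles that were
 * saved before the input filter existed.
 */
function render_title(string $title): string
{
    return '<h2 class="topic-title">'
        . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h2>';
}

// Constructed sample titles: one benign, one carrying markup.
$titles = [
    'Welcome to the forum',
    'Hi <b>all</b><script>alert(1)</script>',
];

foreach ($titles as $raw) {
    $stored = $raw;
    sanitize_title($stored);            // value that would reach the database
    echo "stored:   " . $stored . "\n";
    echo "rendered: " . render_title($stored) . "\n";
    // Even if the raw value had been stored unchanged (e.g. an old row),
    // rendering it through render_title() leaves only inert text:
    echo "raw-safe: " . render_title($raw) . "\n\n";
}
```

For the second sample title the stored value becomes "Hi allalert(1)", and rendering the raw value yields the escaped text "Hi &lt;b&gt;all&lt;/b&gt;&lt;script&gt;alert(1)&lt;/script&gt;", which a browser displays literally rather than executes. The escaping function is the layer worth auditing first, because it protects rows that were written before any input fix was applied.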
gr8chirag
The new version 6.1.4 has the following errors:
(1) If you have made any id from admin, it will not appear in the general list of members...

(2) Visitors can't see the original size of photos, as the action button, even after activating it from the admin panel, does not show the action menu if you are not logged in or are a visitor...

(3) Alignment problems in pages: in Firefox the photo, video and music pages drift towards the left-hand side, and in Internet Explorer the same pages are not aligned at all as they were in the previous version...

(4) In groups while posting, if you are doing copy and paste and changing the font and size, the change does not take effect; it also does not keep the original fonts...

(5) Music files start immediately, whereas video files take a lot of time to start, whereas in 6.1.1 they used to start immediately...

(6) In the promo flash on the homepage, the default images come back again and again even after deleting them from the admin panel.

(7) Profile voting can't be done by visitors; this function was there in 6.1.1.

(8) Tags appear in the profile page but are not active; there is no link with them...

Anyone with a solution to the above will be a gr8 help for the following religious site..

Ref : www.jai-jinendra.com
AndreyP
Ohh :)
Many of the issues on this list are not issues.
6.1.4 only replaces global $dir with constants and changes how input params from forms are passed, to make the script safer, nothing more.

2. Photo gallery (share): yes, visitors can't perform any actions, they need to log in.

6. Promo: first, this is not flash; second, recheck also your media\images\promo\original\ folder.

7. Yes, it is impossible for visitors to vote, and that was done a long time ago, possibly even in 6.1.0.
gr8chirag
What about group posting, page alignment and the inactive tags? You have not replied with regard to them...
bss1
After installing 6.1.3 and 6.1.4, when trying to compile the Orca language I get the error "Language files compilation have been failed. Please check folders permissions."

All level 1 folders under /orca/ are set to 777.

Same problem with /groups/orca/

Can someone please guide on solving this issue.
bss1
Folder permissions are:
/orca/ 777
/orca/cachejs 777
/orca/classes 777
/orca/conf 777
/orca/inc 777
/orca/js 777
/orca/layout 777
/orca/log 777
/orca/xml 777

Are there any further level folders within /orca/ that need changing permissions?
jackedLi
thanks for the update
triuneity
I completed the install and now have this error instead of my site.

Fatal error: Call to undefined function: getrayintegrationjs() in /home/triuneit/public_html/inc/admin_design.inc.php on line 324

What is the problem? Any help would be great!
Juker
My Site Is Being Hacked!

I have 70 active members and on Sunday night 10 members disappeared, on Monday night another 10 members disappeared, on Tuesday I began rebuilding and added 12 new members for a total of 62 and on Tuesday night 25 members disappeared. On Wednesday I removed all of the members except nine from my website and this morning (Thursday) one of the nine is missing.

When I installed the patch 6.1.4 I tried to recompile the language files but for /groups/orca or for /orca I get a "Failure To Recompile" error message and I can no longer recompile languages.

Can anyone help with the virus attack?

Thanks
Juker
Attention Boonex Community - Hacker Alert!

No Password on your site is safe. My member passwords are being bypassed and all membership information is being systematically deleted. I have temporarily changed the status of my remaining existing members to unconfirmed and the hacker cannot see them. Change your memberships to unconfirmed until this hacker attack is eliminated.

I want to give the Boonex team the benefit of the doubt. I think they are working hard to beat down these hackers and my problem may be a new problem not covered by the patches.

Juker
shaneed
I also got the same problem. My members' profiles are disappearing suddenly. It is weird, but I don't think it is a hack attack, just a misconfiguration. I looked into the Database pruning in the admin panel, and profiles by last login would be deleted after 180 days from the last login. I changed that to "0" (zero) and everything looks ok now, after I re-inserted the profiles from my backup. I'm not sure if my member profiles will remain after I switch that back in future... Whatever, Boonex having a look over this issue may clear this up for us. Perhaps it is a bug!?
Juker
Hi Shaneed - I changed from 180 days to 0 days and I want to thank you for the help. When I lost the first 10 profiles I changed passwords on the remaining 60 members. This should have reset the database pruning 180-day rule but the profiles were deleted anyway. Like you say, this is a very weird problem. I think it is a bug that can hack or bypass your password and delete your files.
Juker
Hi,

I haven't lost any more members since switching the deletion to 0 days. It is a configuration problem and I thank you for pointing out the solution.

God Bless,

Juker
buzznot
eyeway KMD keeps hacking sites with their mod installs. Watch out: once you give them your host login info to do the mods they get your ftp info and keep hacking it. Thanks goes out to Mike for such a good team he is working with.
Not sure about the patch, but I have latest release and patch and my entire site has been compromised and hacked. Not good.
Ivo
Hello BOONEX:

Someone went into my database in past few days and DELETED ALL PUBLIC_HTML content !!!

Which means my website has become totally deleted !!!

Fortunately, I was able to restore it with the help of my hosting provider, but it is a huge BLAM for you guys...!

Since only your Tech Support had all the passwords required for going into my database, I ask you to investigate this case immediately and give me an explanation!
sherth
I have latest release and patch and my entire site has been compromised and hacked, too.
beatlemanu
I have had the same thing happen. My host recommended that I ask Boonex for help because they say my site is very vulnerable.
Stellman2003
xsl url ?>
Warning: Cannot modify header information - headers already sent by (output started at /home/comunida/public_html/orca/layout/uni_en/params.php:14) in /home/comunida/public_html/orca/inc/util.inc.php on line 36

Warning: Cannot modify header information - headers already sent by (output started at /home/comunida/public_html/orca/layout/uni_en/params.php:14) in /home/comunida/public_html/orca/inc/util.inc.php on line 37

Warning: Cannot modify header information - headers already sent by (output started at /home/comunida/public_html/orca/layout/uni_en/params.php:14) in /home/comunida/public_html/orca/inc/util.inc.php on line 38

Warning: Cannot modify header information - headers already sent by (output started at /home/comunida/public_html/orca/layout/uni_en/params.php:14) in /home/comunida/public_html/orca/inc/util.inc.php on line 39

Warning: Cannot modify header information - headers already sent by (output started at /home/comunida/public_html/orca/layout/uni_en/params.php:14) in /home/comunida/public_html/orca/classes/en/BxXslTransform.php on line 61
Juker
This patch 6.1.4 has wrecked our forum and Boonex support can not or will not fix it. After a month of back and forth with them we are appealing to any one who can fix this problem. When we try to recompile the language files for /groups/orca or for /orca we get a [L[Language files compilation have been failed]] error message.

The last suggestion Boonex gave us is to have your system administrator update the libxsl library on your server. Well, we don't have a system administrator and we don't know what the libxsl library is, and apparently Boonex is not going to step up and fix the problem without passing the buck back to us.

Any help will be greatly appreciated.
pokystud
Mine too, and I stopped using Dolphin because of it. Sorry guys, I can't afford getting in trouble due to abuse reports coming in on my accounts on my servers. This should have been taken care of before 6.1.4 was released. I host at Hostforweb on a VPS server and they tell me Boonex has to take care of the issue; meanwhile I shut down my domains that were running Dolphin and all of its programs, add-ons and so forth.
 
 