The "Possible Attack" Headache

Zarcon posted 15th of November 2009 in Community Voice. 8 comments.

Ok boonex, I am really glad to see that you are trying to make Dolphin as secure as possible. Well, you did it (claps). Unfortunately, you have disabled the ability to do some of the simplest things such as:


- Edit categories

- Add a simple HTML block (which is actually a feature in Dolphin)

- Edit email templates

- Add OpenSocial URLS

- And so many more (just search the froums)

So here is my questions/requests to you:

1) Can you give us the option to disable the feature causing this? (of course understanding the risks)

2) Can you make it where this feature DOES NOT apply to the Administrator?

3) Can you modify the security feature to not block every little thing we try to do?

Of course, out of the 3 questions above, I would prefer #2 or #3, however I would almost be willing to task a risk for #1 and just add additional precautions to  the join process, commenting, etc.

I do understand that if you have a VPS or a dedicated server, that you can always disable the mod_security feature and not have this issue. But I'm sure not everyone has this ability (at least I don't).

Any feedback or help on this would be greatly appreciated.

P.S. I am NOT downloading that modified security.inc.php file  :)

Thanks,

Chris

 
Comments
·Oldest
·Top
Please login to post a comment.
mauricecano
Add create custom profile fields, unless your editing the profile with custom fields as an administrator, it will cause the Possible attack.
mydatery
However, we will still have issues with this under the following circumstances:

1. If you modify/upgrade to allow members to create custom profile fields then you'll have issues. D6 is customizable for this (Anton for one has a mod for it).

2. TinyMCE if upgraded will more than likely cause issues. For exmample if you upgrade to TinyMCECompact versus a base TinyMCE the security feature is more than likely not set for this.

3. If you were to install CKEditor (Superior product) then more see more than likely it'll kick also.


We need to take another look at this, currently this has a major issue still that needs to be addressed and we need to look at all the potential issues that can come up and work with them to resolve it across the board.
mallorca
I for myself wasnt on my site today. And because it is hidden for the public, nothing was done from a human I think. I got around 7 different possible attack emails while doing nothing. Then I got the 8 one and that looks curious for me. Have someone a idea for this one? I copy in:

Total impact: 34
Affected tags: xss, csrf, id, rfe, lfi

Variable: REQUEST.body | Value: 5p72gR <a href=\"http://mqszfeikipzn.com/\">mqszfeikipzn</a>, [url=http://thoygjfifwrn.com/]thoygjfifwrn[/url], see more [link=http://qkqfvtbnyhcj.com/]qkqfvtbnyhcj[/link], http://fnyomuubvtmj.com/
Impact: 17 | Tags: xss, csrf, id, rfe, lfi
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

Variable: POST.body | Value: 5p72gR <a href=\"http://mqszfeikipzn.com/\">mqszfeikipzn</a>, [url=http://thoygjfifwrn.com/]thoygjfifwrn[/url], [link=http://qkqfvtbnyhcj.com/]qkqfvtbnyhcj[/link], http://fnyomuubvtmj.com/
Impact: 17 | Tags: xss, csrf, id, rfe, lfi
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: Detects JavaScript language constructs | Tags: xss, csrf, id, rfe | ID: 20
Description: Detects obfuscated script tags and XML wrapped HTML | Tags: xss | ID: 33
Description: Detects url injections and RFE attempts | Tags: id, rfe, lfi | ID: 61

REMOTE_ADDR: 204.62.8.128
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
buckmcgoo
Wow, that is the only one I have seen that was something that needed to be blocked.. it looks like link spam but I don't see what file it was trying to access. It looks like something they would have hit guestbook.php with.
AlexT
Please report your errors in the forum, all the problems will be investigated and fixed, for exact fixes refer to the ticket:
http://www.boonex.com/trac/dolphin/ticket/1467
houstonlively
Now that there are email notifications of hacking attempts, we'll see just how much the bad guys like Dolphin sites.
Eli
Nothing special as i still have possible attack when i add facebook widget script to Html Block in the homepage ! and also the builder profile field in admin area stil loading forever and now i got possible attack if you try to join as couple :)
Zarcon
As AlexT has requested, I have started a forum for all of us to log their Attack issues in. Please see the following post:
http://www.boonex.com/unity/forums/topic/Are-you-still-getting-Possible-Attacks-Try-This-.htm
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.049116849899292