Ok boonex, I am really glad to see that you are trying to make Dolphin as secure as possible. Well, you did it (claps). Unfortunately, you have disabled the ability to do some of the simplest things such as:
- Edit categories
- Add a simple HTML block (which is actually a feature in Dolphin)
- Edit email templates
- Add OpenSocial URLS
- And so many more (just search the forums)
So here are my questions/requests to you:
1) Can you give us the option to disable the feature causing this? (of course understanding the risks)
2) Can you make it where this feature DOES NOT apply to the Administrator?
3) Can you modify the security feature to not block every little thing we try to do?
Of course, out of the 3 questions above, I would prefer #2 or #3, however I would almost be willing to take a risk for #1 and just add additional precautions to the join process, commenting, etc.
I do understand that if you have a VPS or a dedicated server, that you can always disable the mod_security feature and not have this issue. But I'm sure not everyone has this ability (at least I don't).
Any feedback or help on this would be greatly appreciated.
P.S. I am NOT downloading that modified security.inc.php file :)
Thanks,
Chris
1. If you modify/upgrade to allow members to create custom profile fields then you'll have issues. D6 is customizable for this (Anton for one has a mod for it).
2. TinyMCE if upgraded will more than likely cause issues. For example if you upgrade to TinyMCECompact versus a base TinyMCE the security feature is more than likely not set for this.
3. If you were to install CKEditor (Superior product) then more
Total impact: 34
Affected tags: xss, csrf, id, rfe, lfi
Variable: REQUEST.body | Value: 5p72gR <a href=\"http://mqszfeikipzn.com/\">mqszfeikipzn</a>, [url=http://thoygjfifwrn.com/]thoygjfifwrn[/url],
http://www.boonex.com/trac/dolphin/ticket/1467
http://www.boonex.com/unity/forums/topic/Are-you-still-getting-Possible-Attacks-Try-This-.htm
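Added here as an illustration and not Dolphin's or PHPIDS's own code: a constructed, simplified IDS-style scorer over one request field that shows why an administrator's HTML block racks up the same kind of impact score and tags as the spam comment in the quoted report, and how scoping an exemption to the server-side admin session plus admin-only fields (Chris's option 2) together with a block threshold (option 3) changes the verdict. The rule patterns, weights, field names, threshold and both sample strings are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed, simplified IDS-style rules (pattern, tag, weight) in the spirit
# of the report quoted in this thread. They are NOT PHPIDS's or Dolphin's rules.
RULES = [
    (re.compile(r"<\s*\w+[^>]*>"), "xss", 4),      # any opening HTML tag
    (re.compile(r"\bon\w+\s*=", re.I), "xss", 6),   # inline event handler
    (re.compile(r"javascript:", re.I), "xss", 8),
    (re.compile(r"https?://", re.I), "rfe", 3),     # remote URL
    (re.compile(r"\.\./"), "lfi", 8),               # path traversal
    (re.compile(r"\[url=", re.I), "csrf", 2),       # BBCode link
]

# Constructed samples: a spam comment like the one in the quoted report, and a
# legitimate HTML block an administrator might paste into the admin panel.
SPAM = '5p72gR <a href="http://x.invalid/">x</a>, [url=http://y.invalid/]y[/url]'
ADMIN_BLOCK = '<div class="promo"><a href="http://partner.invalid/">Partner</a></div>'

@dataclass(frozen=True)
class Verdict:
    impact: int
    tags: frozenset
    action: str  # "allow", "log" or "block"

def score(value):
    """Sum rule weights over one request value and collect the affected tags."""
    impact, tags = 0, set()
    for pattern, tag, weight in RULES:
        hits = len(pattern.findall(value))
        if hits:
            impact += weight * hits
            tags.add(tag)
    return impact, frozenset(tags)

def inspect(value, session_role, field, threshold=10):
    """Decide what happens to one request field.

    session_role must come from the server-side session, never from the request
    itself, or the exemption becomes a bypass for anyone claiming to be admin.
    Admin input to admin-only fields is logged, not blocked (option 2); all other
    input is blocked only at or above the threshold (option 3), else logged.
    """
    impact, tags = score(value)
    if impact == 0:
        return Verdict(0, tags, "allow")
    if session_role == "admin" and field.startswith("admin."):
        return Verdict(impact, tags, "log")
    return Verdict(impact, tags, "block" if impact >= threshold else "log")
```

The same ADMIN_BLOCK string is a false positive when an admin pastes it into an admin-only field and a genuine block when the same markup arrives in a public comment, which is the distinction a blanket filter cannot make.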