Ticket #1467 (closed defect: fixed)
Possible Attack in many places
| Reported by: | MichelSwiss | Owned by: | AlexT |
|---|---|---|---|
| Priority: | major | Milestone: | Dolphin 7.0 (Hookie) RC 2 |
| Keywords: | attack | Cc: | |
Description
http://www.boonex.com/unity/forums/#topic/Possible-attack-when-trying-to-edit-profile.htm
http://www.boonex.com/unity/forums/#topic/Attack-of-custom-profile-fields-.htm
http://www.boonex.com/unity/forums/forum/Dolphin-Betas-And-RCs-0.htm#topic/Possible-attack-Email-Templates-d7RC.htm
http://www.boonex.com/unity/forums/forum/Dolphin-Betas-And-RCs-0.htm#topic/Possible-attack-when-post-blog-d7RC.htm
Change History
comment:3 Changed 2 years ago by AlexT
After applying the above fixes, clear the 'cache' and 'tmp' directories, then reinstall one of these modules:
ads articles avatar blog events feedback files forum groups news photos poll sites sounds store videos
to apply the changes to the email templates, and add/change/delete a profile field in the admin panel to apply the changes to the profile fields.
comment:6 Changed 2 years ago by AlexT
New fix: http://www.boonex.com/trac/dolphin/changeset/13259
After this fix please clean the /cache/ directory and reinstall one of these modules:
ads articles avatar blog events feedback files forum groups news photos poll sites sounds store videos
Two new security options were added in Administration -> Settings -> Advanced Settings -> Other. Now you can control when to just send mail about a possible attack and when to stop the aggressor. There is an impact number; if the impact is high (> 25), then the security risk is high too.
comment:7 Changed 2 years ago by AlexT
Since the main SQL file was changed in the last fix, you need to run the following SQL script manually to apply the changes to your database:

```sql
INSERT INTO `sys_options` VALUES('sys_security_impact_threshold_log', '9', 3, 'Total security impact threshold to send report', 'digit', '', '', 0, '');
INSERT INTO `sys_options` VALUES('sys_security_impact_threshold_block', '27', 3, 'Total security impact threshold to send report and block aggressor', 'digit', '', '', 0, '');
```

After this SQL script is executed you need to clean the /cache/ directory.
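The two-tier response described in comment:6 (report above one total-impact threshold, report and block above a higher one) and configured by the `sys_options` rows in comment:7, as an added example. This is illustrative Python written for this page, not Dolphin's own PHP code: the option names and their default values (9 and 27) come from the ticket, while the detection rules, their impact weights, the request parameter names, the sample requests and the inclusive (`>=`) comparison against the thresholds are all assumptions.

```python
import re
from dataclasses import dataclass

# Option names and default values as inserted into sys_options in the ticket.
DEFAULT_OPTIONS = {
    "sys_security_impact_threshold_log": "9",     # send a report
    "sys_security_impact_threshold_block": "27",  # send a report and block the aggressor
}


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    impact: int


# Constructed rule set for illustration only; the weights are assumptions, not Dolphin's.
RULES = [
    Rule("html_tag", re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I), 4),
    Rule("script_tag", re.compile(r"<\s*script\b", re.I), 8),
    Rule("js_event_handler", re.compile(r"\bon[a-z]+\s*=", re.I), 6),
    Rule("javascript_uri", re.compile(r"javascript\s*:", re.I), 7),
    Rule("sql_comment_or_union", re.compile(r"(--|/\*|\bunion\b.+\bselect\b)", re.I), 8),
    Rule("sql_tautology", re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*", re.I), 7),
]


def load_thresholds(options):
    """Read the two thresholds from a dict shaped like the sys_options rows."""
    return (
        int(options["sys_security_impact_threshold_log"]),
        int(options["sys_security_impact_threshold_block"]),
    )


def scan_value(value):
    """Return (rule name, impact) for every rule that matches one parameter value."""
    return [(r.name, r.impact) for r in RULES if r.pattern.search(value)]


def total_impact(params):
    """Sum the impact of all rule hits over all request parameters.

    Returns (total, hits) where hits is a list of (parameter, rule name, impact).
    """
    hits = []
    for key, value in params.items():
        for name, impact in scan_value(value):
            hits.append((key, name, impact))
    return sum(h[2] for h in hits), hits


def decide(total, options=DEFAULT_OPTIONS):
    """Map a total impact to an action; thresholds are assumed inclusive."""
    log_threshold, block_threshold = load_thresholds(options)
    if total >= block_threshold:
        return "block"   # report and stop the aggressor
    if total >= log_threshold:
        return "report"  # only send mail about a possible attack
    return "allow"


def assess(params, options=DEFAULT_OPTIONS):
    """Convenience wrapper: (total impact, action, hits) for one request."""
    total, hits = total_impact(params)
    return total, decide(total, options), hits


# Constructed sample profile-edit requests (assumed parameter names).
BENIGN_EDIT = {"headline": "Hello from Zurich", "about": "I like hiking and photography"}
SUSPICIOUS_EDIT = {"about": "<img src=x onerror=alert(1)>"}
ATTACK_EDIT = {
    "about": "<script>alert(1)</script>",
    "headline": "' or '1'='1 -- ",
    "url": "javascript:alert(1)",
}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_EDIT), ("suspicious", SUSPICIOUS_EDIT), ("attack", ATTACK_EDIT)):
        total, action, hits = assess(req)
        print(f"{label}: total impact {total} -> {action}; hits {hits}")
```

Lowering `sys_security_impact_threshold_log` in the admin panel makes the example report the borderline request sooner, while the block threshold keeps a single HTML tag in a profile field from locking a member out; tune the two values against real traffic before enabling blocking.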
comment:10 Changed 2 years ago by AlexT
small fix: 13295
Fixed in the 13237 revision. Waiting for more reports...