VictorT

IMPORTANT. Dolphin 6.1.3 Security Patch Release

The Dolphin 6.1.3 security patch has been released. It fixes vulnerabilities that arise when the PHP setting "register_globals" is on.

Consequently, it involves substantial code rework overall. This patch should be applied only to 6.1.2 (no earlier versions) to move to 6.1.3 using these instructions. Applying it is recommended even if you have already applied solutions provided by other members here, as this patch is more comprehensive.

If you are upgrading step by step from earlier versions up to the latest release above, please make sure that "register_globals" is set to OFF on your host.

 
 

Comments

LightWolf (positive), 85 days ago
 
Awesome work Victor, thanks to all who created this wonderful software. I am installing the new Dolphin as we speak. Hope this stops most of those mean hackers... urghhh
 
 
jerry79 (positive), 85 days ago
 
Thanks Victor! But could you support a diff of the files? Because my site is heavily modded, I have to know what has changed from the original ones.
Or maybe I don't have to use this, because my register_globals is set to off; this means I don't need it, right?

Cheers,
Jerry
 
 
sammie (positive), 85 days ago
 
Works like a charm, glad to see some of the bugs fixed too. Thank you, team Boonex; I know you worked hard to get this done as quickly as possible, and it was a huge job.

Just to clarify: although this patch makes it safer for Dolphin sites on hosts with register globals on, Boonex still recommends (as it is much safer all round) choosing a host with register globals off.
 
 
 
Dwain (positive), 85 days ago
 
Thanks Victor,

That was quick easy and painless... now let's see what the hackers do to counter.
 
 
 
realmasterd, 85 days ago
 
Hello VictorT,

Many thanks from Germany!
 
 
 
TheGateKeeper (positive), 85 days ago
 
I thank you also Victor for your efforts on behalf of us all
 
 
 
Tango, 85 days ago
 
Big thanks for the patch....

On another but related subject... I checked my 'cache' folder and found a sub-folder named "PPP" which contains two "acct.php" and "index.html" files.

Are these normal? I have tried to download a copy and delete the files from my server but I can't do it.

Also, I have deleted the files under the 'cache' folder just as my own security measure. Is this OK?

Please advise.
 
 
hakknslash, 85 days ago
 
I get the following error when I try to compile the ORCA language file. (I changed EVERY file and folder in ORCA to 777 and still get this message)

Warning: fopen(/MYSITE/orca/conf/params.conf): failed to open stream: Permission denied in /MYSITE/orca/inc/util.inc.php on line 263

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 36

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 37

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 38

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/inc/util.inc.php on line 39

Warning: Cannot modify header information - headers already sent by (output started at /MYSITE/orca/inc/util.inc.php:263) in /MYSITE/orca/classes/en/BxXslTransform.php on line 61
 
 
killerhaai (positive), 85 days ago
 
I got the same errors as the first writer... and deleting the file you advised has no effect...
 
 
avhow, 85 days ago
 
Thanks for the patch. Can I also suggest you stop promoting Host For Web since they have register globals on by default.
 
 
jamesbowie, 85 days ago
 
Can you tell me where I can find the security patch please? I cannot find the link anywhere.
 
 
avhow, 85 days ago
 
It's in the top blog post. They are calling it an upgrade from 6.1.2 to 6.1.3. It seems if you run an earlier version you aren't covered. For security reasons they recommend you have the latest version.
 
 
 
killerhaai, 85 days ago
 
OK, now I get strange things... I can't log in to my own admin center after the patch; not only the same errors as hakknslash, but also at admin login. I fill in my data and it says "wating" and returns to index.php login.

I use Firefox 3... Dolphin updated from 6.1.2 to 6.1.3; before the patch, no problems...
 
 
theguypc (positive), 84 days ago
 
Thank you!
 
 
 
Synergy (positive), 84 days ago
 
Thanks for the patch.
 
 
 
Stuart038 (negative), 84 days ago
 
I am getting this:

Warning: require_once(BX_DIRECTORY_PATH_INCprofiles.inc.php) [function.require-once]: failed to open stream: No such file or directory in /home/connect/public_html/admin/index.php on line 26

Fatal error: require_once() [function.require]: Failed opening required 'BX_DIRECTORY_PATH_INCprofiles.inc.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/connect/public_html/admin/index.php on line 26

And this under Orca

Warning: require_once(BX_DIRECTORY_PATH_ROOTgroups/orca/layout/uni/params.php) [function.require-once]: failed to open stream: No such file or directory in /home/connect/public_html/groups/orca/xml/config.php on line 89

Fatal error: require_once() [function.require]: Failed opening required 'BX_DIRECTORY_PATH_ROOTgroups/orca/layout/uni/params.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/connect/public_html/groups/orca/xml/config.php on line 89

Help!

Stuart
 
 
Stuart038 (negative), 84 days ago
 
and I cannot access Admin

Help!

Stuart
 
 
 
Evandromar, 84 days ago
 
Hello, personnel boonex, I update my dolphin to 6.1.3, even taking register_globals, off? I have doubts!
 
 
theGhost (positive), 84 days ago
 
Thanks for the patch Victor.

I built a brand new Dolphin, upgraded all the way from 6.1.1 to 6.1.3, and had no problems. Forgot to update the header.inc.php and guess what error I got :) Updated language files no problem. I am currently running RG_off.

When I did the upgrade on GGsite all went fine but I am still being punched :) IT DID tweak the attack though... I'll send you the Log File. Still No Infections!
 
 
coolbuddy, 84 days ago
 
Do we need to apply this patch even if we download the latest version today and start a fresh website?
 
 
Stuart038, 84 days ago
 
Hello AndreyP

files are:
define('BX_DIRECTORY_PATH_INC', $dir['inc']);
define('BX_DIRECTORY_PATH_ROOT', $dir['root']);
define('BX_DIRECTORY_PATH_BASE', $dir['base']);
define('BX_DIRECTORY_PATH_CACHE', $dir['cache']);
define('BX_DIRECTORY_PATH_CLASSES', $dir['classes']);
define('BX_DIRECTORY_PATH_PLUGINS', $dir['plugins']);

Stuart
 
 
 
Stuart038 (positive), 84 days ago
 
Ok, problem solved!!

Stuart
 
 
Stuart038, 84 days ago
 
I forgot to upload the modified inc/headerinc.php file!!
 
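The two conditions this thread keeps running into, register_globals being off and the updated header file being in place, can be checked before going live. The PHP script below is an added example, not Boonex code or part of the patch; the function names and the default path inc/header.inc.php are assumptions, and the constant names are the ones quoted in the comments above.

```php
<?php
// Added example, not Boonex code. Run it with the same PHP your site uses
// (CLI and web server can load different php.ini files).

// Interpret a raw ini_get() value the way PHP treats boolean directives.
function ini_flag_is_on($raw)
{
    if ($raw === false) {
        return false; // directive unknown: register_globals was removed in PHP 5.4
    }
    return in_array(strtolower(trim((string) $raw)), array('1', 'on', 'yes', 'true'), true);
}

// Constant names as quoted in the comments on this page.
function required_constants()
{
    return array(
        'BX_DIRECTORY_PATH_INC', 'BX_DIRECTORY_PATH_ROOT', 'BX_DIRECTORY_PATH_BASE',
        'BX_DIRECTORY_PATH_CACHE', 'BX_DIRECTORY_PATH_CLASSES', 'BX_DIRECTORY_PATH_PLUGINS',
    );
}

// Returns a list of problems; an empty list means both checks passed.
// The header is inspected as text only, so it is never executed here.
function preflight($rawRegisterGlobals, $headerSource)
{
    $problems = array();
    if (ini_flag_is_on($rawRegisterGlobals)) {
        $problems[] = 'register_globals is ON; set it to Off on your host';
    }
    foreach (required_constants() as $name) {
        // An undefined constant is read as its own name by PHP < 8, which gives
        // paths such as "BX_DIRECTORY_PATH_INCprofiles.inc.php" in require_once().
        if (!preg_match("/define\\(\\s*['\"]" . $name . "['\"]/", $headerSource)) {
            $problems[] = "$name is not defined in the header file";
        }
    }
    return $problems;
}

// Constructed sample of an un-updated header, used when no readable file is given.
$sample = "<?php\n\$dir['inc'] = '/var/www/inc/';\n";
// The default path is an assumption; pass your own header file as argument 1.
$path = isset($argv[1]) ? $argv[1] : 'inc/header.inc.php';
$readable = is_readable($path);
echo $readable ? "checking $path\n" : "no readable header at $path, using constructed sample\n";

$problems = preflight(ini_get('register_globals'), $readable ? file_get_contents($path) : $sample);
echo $problems ? implode("\n", $problems) . "\n" : "OK\n";
exit($problems ? 1 : 0);
```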
 
 
gameutopia (positive), 84 days ago
 
Thanks for the patch and update guys!! Just a thought though not everyone reads the blogs or has email notifications. If a security update is involved you might think about or consider other ways to push it to people. I've emailed a few people and they were not even aware of counting this patch the last 2 or further.

I am glad I do follow these blogs. Thanks for the updates!!
 
 
 
avhow (negative), 84 days ago
 
The upgrades have busted my Orca css again so all my line breaks have gone in all my Orca Forum posts! Man this is FRUSTRATING! Sometimes feel like I'm banging my head against a wall.
 
 
 
Nighto2007, 84 days ago
 
Thanks Victor

It's great ... I upgraded my site successfully

My site works fine

best regards
Rawaf
http://www.a7lakalam.com
 
 
 
shaneed, 84 days ago
 
If my register globals are OFF, do I have to apply this patch???
 
 
Juker (positive), 84 days ago
 
Thanks Victor and the Boonex team,

Am I the only one or can we all sense the entire community coming together because of this problem? I am really proud to be a part of this movement.

Kudos to DosDawg who has been working tirelessly in the forums to help as many as he can.

Juker
 
 
 
crswsystem (positive), 84 days ago
 
Hello Victor, I think the patch is great, although we do not need this patch, but I think that many users use the Web space is difficult and have their server right to use, very helpful.
 
 
 
womenscafe (positive), 81 days ago
 
I'm computer illiterate so Joombyte is doing the upgrade for me! Yipee!
 
 
 
Charisma, 81 days ago
 
Does this fix the problem with the v6.12 RSS Feeds not working?
As far as I can tell it was something altered in the database.

I upgraded to 6.12 and my RSS feeds stopped working, does the 6.13 patch look at this problem?
 
 
 
Rob1960, 81 days ago
 
Hackers can leave files and folders behind that are almost impossible to delete. If you suspect these files, work with technical support of the ISP to get rid of these.
 
 
 
srisree (positive), 81 days ago
 
Thanks
 
 
 
Rob1960, 80 days ago
 
I noticed that the Patch.zip file does not include a modified .htaccess file, nor is there a php.ini file to set register_globals off at the