Dolphin 7 Security Audit

Andrew Boon posted 16th of October 2009 in . 29 comments.

This week the current Hookie build underwent a professional security audit by an independent specialist, Frank Ruske.

The audit resulted in a handful of "finds", which we're working on right now. Expect proper changes to be incorporated into the next beta. Hope this won't put off the release date.

Great news, thanks Andrew. It was a big concern after my experiences with various versions.
Fantastic news! On a side note, it would be interesting to learn about the security protocols and checks you guys put the software under prior to final release.

Thanks, it was nice to know about the security audit. It would be nice to get it audited by some other security auditing companies as well and get it certified. We need to make it bulletproof :)
Andrew Boon
Yeah, we might use one more firm, and definitely this guy again a little later.
Andrew, glad to hear this from Boonex.

Feeling Peace of Mind.
Great to hear that, Andrew. I will also try to sniff some packets and fire some SQL/XSS injection scripts and also use the 'burp suite' on my test site over the weekend.
Thanks Andrew.. Nice to know we will have security awareness in place.
Wow is the new site a mess on my computer. Andrew, if you are already talking about the schedule slipping one day after you announced it, why don't you just skip that next "beta" and go directly to the RC? I couldn't see what purpose another beta served anyway. I think you got the memo, but we need the upgrade path - and the sooner the better.
Just to clarify, when I said the new site was a mess, I meant Unity - not the beta. Boonex has obviously been doing some upgrades to Unity and the format on this end looked pretty scary when I wrote this.
Want to give you Great Thanks for security checking by an expert. This is a big issue today as Dolphin needs write permission for lots of files.

Great Going.
Well, that's good to hear about those finds. But I really really hope there won't be a lot of code change. (praying). Cause...

Even if it is beta, I don't expect lots of structure changing, so I'm on my way to live site with it. :)
I hope that we shall not need to wait much longer for Dolphin 7, because it is already very stable and any other updates could be made afterward. Fast, fast, fast, the RC version lol
Method(actionLoginFormhttp:) was not found in module(facebook_connect)
Nice to see that additional 3rd party checkups for security are part of the development. Hope it doesn't set back d7 stable too much, but nice to see extra steps are being taken and considered this time around. Hope we will still see d7 stable before the end of the year, and d7 beta 8 or RC very soon. Looking forward to it.
Glad to see the things coming together in a positive manner. Thanks!
Here is one "security audit" I ran:

Google Index of /templates/tmpl_uni
You will get the following result. I know that the majority of the results will be for 6.1X sites, but there are tens or hundreds of results for 7.X sites as well.

Results 1 - 10 of about 28,000 for index of /templates/tmpl_uni.

Too many Dolphin owners stop at the installation process and never do much more than change a banner or two. While Boonex is doing everything they can to make Dolphin a reliable and secure product, it's up to the site owner to protect their site as well. You can do the same search for /ray, /inc, and a few more common directories and get about the same results. Try these directory searches on your own sites and see what the results are.
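A site owner can run the check described in the comment above directly against their own install instead of relying on a search engine. This is an added example, not part of the original thread or Boonex code; the host `example.test`, the sample responses and the function names are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Directories named in the comment above; adjust to your own install layout.
PATHS = ["/templates/tmpl_uni/", "/ray/", "/inc/"]

# Title/heading text emitted by Apache mod_autoindex and nginx autoindex.
LISTING_RE = re.compile(r"<(title|h1)>\s*Index of\s+/", re.IGNORECASE)


def is_directory_listing(status, body):
    """True when a 200 response body looks like a server-generated index."""
    return status == 200 and bool(LISTING_RE.search(body))


def http_fetch(url, timeout=10):
    """Fetch a URL and return (status, body); HTTP error codes are not fatal."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def audit(base_url, fetch=http_fetch, paths=PATHS):
    """Return the paths under base_url that expose a directory listing."""
    exposed = []
    for path in paths:
        status, body = fetch(base_url.rstrip("/") + path)
        if is_directory_listing(status, body):
            exposed.append(path)
    return exposed


# Constructed sample responses so the check can be exercised offline.
SAMPLE = {
    "https://example.test/templates/tmpl_uni/":
        (200, "<html><head><title>Index of /templates/tmpl_uni</title></head>"),
    "https://example.test/ray/": (403, "<h1>Forbidden</h1>"),
    "https://example.test/inc/": (200, "<html><title>My community</title></html>"),
}


def sample_fetch(url):
    """Stand-in for http_fetch that serves the constructed samples."""
    return SAMPLE.get(url, (404, ""))


if __name__ == "__main__":
    print(audit("https://example.test", fetch=sample_fetch))
```

Any path this reports should have auto-indexing switched off on the web server, for example with `Options -Indexes` on Apache.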
Here's one:

If a database error occurs (this is what I got: "#1030 - Got error 28 from storage engine"), then your sensitive info about your hosting account, such as the path to your files, your username and your PASSWORD, will appear on the homepage of your website, for everyone to see. This is what happened to me last night with the beta7. This is not so cool..

Anyways this is a great project! Keep up with the good work!
15 October 2009:
1. We'll release one more beta shortly.
2. We'll release RC1 by the end of next week.
Is that a deadline, a joke or both? I still can't see that beta coming around even this week..
I do not think it is a joke. They intend to follow a release schedule, for sure, but obviously since bug discovery continues and we, users, keep on sending them new requests, well, what do you expect?

I much prefer delays due to security checks, bug fixes and enhancements than a zillion betas and RCs that will result in more work on my own site. It is frustrating, but for them too. If only more software companies had an OPEN forum for their customers to help out tweaking their products....

Anyways, let's focus on making the next release the best it can be.
Yeah, yeah the same old words put together to express that "I prefer many betas, is more secure".. I was ONCE like you (6 months ago).
1. A promise must be kept at all means.
2. No one will believe you the second time you promise something.
3. We waited ENOUGH!
Thanks Andrew, I am glad to see that you are putting more time into security... I am hoping to see the final 7.0 soon
Hi all. I made the audit, this is my username here. So if you like to get similar services just contact me :)
Hi fruske!

Can we have some kind of presentation on the audit you had on the script?

Just wondering... thank you! :)
Hi Boonex :)

Any update on the release?

By the way, D7 is awesome, what a work you guys did there, good job to the team!
I think it's very commendable that this project continues to inspire.
The vision of the founders is immense despite the frustrations of members, I'm here all the way and aim to make Dolphin a major part of my financial future.