Softaculous and its Security Flaws in Respect to Dolphin (SECURITY ISSUE or My Imagination?)

DosDawg posted 22nd of April 2010 in Community Voice. 9 comments.

Now i have this post correct and tested 4.22.2010

My notes as we were testing. I am posting this information so that all has the knowledge. this is not provided to create strife, but to protect my fellow community members from becoming victims.

Softaculous Auto-Installer and Dolphin
what was discovered after my initial post was negated.
I am testing on Arvixe since they seem to get the most publicity on here.
We are testing on two different servers from Arvixe
cobra and shark, the installs builds appear to be the same from a glance at the php.ini from admin panels host tools.

What discovered, shark will install Dolphin, and it does creat the cron jobs. Cobra will install dolphin, but no cron jobs are created.

Neither of these server builds are suPHP or suExec, they both appear to be CGI builds.

Now we get into the file permissions that we all know are vital to a secure environment.
Both Cobra and Shark are installed with directories being permed as 777, not all directories, just some:
backup - 777
cache - 777
cache_public - 777
langs - 777
tmp - 777
/backup/.htaccess - 777
/cache/.htaccess - 777
/cache/all files 666
cache_public/all files 666
/flash/modules/board/files - 777
/flash/modules/board/xml/config.xml - 777
/flash/modules/board/xml/langs.xml - 777
/flash/modules/board/xml/skins.xml - 777
/flash/modules/board/xml/main.xml - 666
/flash/modules/chat/xml/config.xml - 777
/flash/modules/chat/xml/langs.xml - 777
/flash/modules/chat/xml/skins.xml - 777
/flash/modules/chat/xml/main.xml - 666
/flash/modules/desktop/xml/config.xml - 777
/flash/modules/desktop/xml/langs.xml - 777
/flash/modules/desktop/xml/skins.xml - 777
/flash/modules/desktop/xml/main.xml - 666
/langs/.htaccess - 777 hackable known security risk
/langs/lang-en.php - 666 hackable
/media/app - 777
/media/images - 777
/media/images/banners - 777
/media/images/blog - 777
/media/images/classifieds - 777
/media/images/flags - 777
/media/images/membership - 777
/media/images/profile - 777
/media/images/profile-bg - 777
/media/images/promo - 777
/media/images/smiles - 777
/media/images/.htaccess - 777 perfect eh?
/media/images/all files - 777
/media/images/banners/.htaccess - 777
/media/images/blog/.htaccess - 777
/media/images/flags/.htaccess - 777
/media/images/flags/all files - 777
/media/images/membership all files - 777
/media/images/profiles/.htaccess - 777
/media/images/profiles/all files - 777
/media/images/profile-bg/.htaccess - 777
/media/images/promo/original - 777
/media/images/promo/ all files - 777
/media/images/smiles/default - 777
/media/images/smiles/default/.htaccess - 777
/media/images/smiles/default/all files - 777
/media/images/smiles/sample - 777
/media/images/smiles/sample/.htaccess - 777
/media/images/smiles/sample/all files - 777
/inc/prof.inc.php - 777

Now with all of these files being set to 777 i would suggest this is a huge security risk.

but what we found further, will shock the best of us. not only does softaculous wreck up the file permissions for dolphin, basically every script it installs, it sets 777 perms to some directories, we tested with wordpress, because that is the quickest to install, and also they have the best security that i know of.

at any rate, hope this investigation and our time was well spent.

Summary:

My initial post still stands, file perms are way wacked, cron jobs are not created on every Server.

Regards,

DosDawg

 
Comments
·Oldest
·Top
Please login to post a comment.
mydatery
Okay, I'm doing this totally off the top of my head. So please forgive me if I go to fast or don't get it right.

Files with incorrect Perms per your post:

All the .htaccess files, these should be 0644 and not 0777 (I'm assuming that's a 0777 and not a 7770 on the perms) That would be fun wouldn't it.

All the flash/modules/...xml files should be 0666 if I recall correctly. Can't 0777 a file unless it's an ffmpeg.exe if I'm correct, or at least one shouldn't.

Why the issue with langs/lang-en.php see more files? Doesn't that have to be 0666 on a CGI Server in order to compile the languages? Maybe I'm wrong, sorry if I am.

We covered the .htaccess issues, but shouldn't the folders for all media/images/ be set to 0777 on a CGI machine as it needs to be able to write the files as members upload images and so on. Granted, flags & smilies should be at 755 as those do not need constant write functionality.
buckmcgoo
Someone could have a ball with those 777 htaccess files IF the server is setup incorrectly.

Now, can someone who knows more than me PLEASE explain how Wordpress can write to a 755 dir and update a 644 file and Dolphin can't on the SAME server?? Is it because Wordpress creates those files and directories itself instead of ftping them?
DosDawg
i see we have not gotten any type of response \
\\

Regards,
DosDawg
AlexT
Can you provide access to the server with problem to investigate it ?
dolphin_jay
@ Alex see here basically what my findings where... http://www.boonex.com/unity/blog/entry/Hello_2010_04_20#blg_entry_post_comment
daihlo
I have just installed using softaculous, looks like all my files are set to 755
Is that a problem?
DosDawg
@AlexT,
hey fella, this was not posted to waste your time, but it was posted so that the community can know that there are issues. i am not reporting this to Softaculous, because it has been reported to softaculous previously, and unheeded. this puts new members of our community at risk, and this should not be held secret because the sales are a affiliate medium.

I continuously test every faction of this so that i have the safest environment to host this product on, regardless of what level see more of hosting, shared, vps, dedicated or cloud. security and functiontionality is of the greatest concern to me for not only the clients i host, but those who host elsewhere on whomevevers servers.

seems to me these things get kicked under the rug, not only on this instance but many others, and when you consider the time, effort, and engergy that goes into creating what 'any one owner would consider' their profit making site, then to have this kind of information is vital.

Regards,
DosDawg
DosDawg
Alas,
i was contacted by the lead developer from softaculous, and all things were set straight. there was some miscommunication as deemed. however, the posts i have set on here were 100% correct. there have been patches released from the time of my post so if your hosting environment offers dolphin from the softaculous auto-installer, please make sure they have updates turned on, because they are needed.

Regards,
DosDawg
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.056839942932129