DeeEmm

Pragmatism in code

Boonex Dolphin Security Vulnerability

It seems like this week is a bit of a strange one so far. Not only is it National Cyber Security Awareness Week here in Australia, but first the Boonex site suffered a massive DDoS attack and then my own Dolphin site suffered a similar fate. I believe that the two events are probably coincidental, as the attack on my site was not particularly well formed, and was easily defeated - most likely just some kiddie with a script. I managed to get the service that the attack was coming from terminated due to a violation of the provider's TOS - they're probably in big trouble with mom and dad now. The attack on the Boonex site continued over the weekend, and there are still some services out of action.

I believe that the main source of the attack on my site was to take advantage of the exploit recently published on Boonex's site, and reported about here on DeeEmm.com in an earlier news article - http://www.deeemm.com/news/154-dolphin-7-security-vulnerability-exposed.html. Whilst the noise about this issue seems to have been muted a little, after the attack on my site I am pretty convinced that the solution given by Boonex is no solution at all.

The main crux of the problem was claimed to be the DB_FULL_VISUAL_PROCESSING or DB_FULL_DEBUG_MODE settings, which caused the debug backtrace to be echoed directly to the browser in the event of a fault. Boonex's comments were simply that these were disabled by default and so the issue was a non-issue. This glaring oversight caused an obvious embarrassment to those who made the claims that the issue was with the DB_FULL_VISUAL_PROCESSING setting, which then caused them to promptly back off a little.

Whilst Boonex's solution has seemingly pacified the masses, it does not address the initial issue - that the debug backtrace is getting echoed to the browser in some error situations. The fact is that the issue has been reported by many, and until now no one had been sure of a definite cause. Unfortunately the DB_FULL_VISUAL_PROCESSING setting was little more than a red herring, and whilst easily dismissed by Boonex, their solution does not actually fix the issue.


National Cyber Security Awareness Week

This week is National Cyber Security Awareness Week here in Australia.

National Cyber Security Awareness Week is an annual initiative of the Australian Government held in partnership with industry, community and consumer groups and state and territory governments.

It is designed to raise awareness among Australians of cyber security risks and simple steps they can take to protect their personal and financial information online.

National Cyber Security Awareness Week 2010 is from 6 to 11 June. It will promote six easy tips for better online security:


Dolphin Orca Update

The Dolphin forum, or Orca, as it is known, was a parallel standalone development that was integrated as a module into the Dolphin 7 release. This module is a massive improvement over the previous integration in Dolphin 6, and has provided an easier opportunity to improve it.

Many Dolphin users are unhappy with the features supplied with the standard forum module, often opting to replace it with other forums such as phpBB or IPB. This has mixed success, as often the integrations are simply iframe hacks, or miss out important aspects such as avatars or messaging. This is where Orca is already a step ahead. The integration is already completed, it is a core part of the Dolphin product, and so already has all of the needed variables and data available to it, to use in improving its features.

We have been working on an update to Orca, to add in the missing features that many complain about. These are usability features for both users and administrators alike, as well as the creation of a set of moderation tools.

The project is in its very early stages, and only in Alpha release, but as it's based on a functional product, we already have a demo set up. This will be updated as the project progresses.


Dolphin 7 Security Vulnerability Exposed

It would seem that this weekend has been an active time in the CMS community for security vulnerabilities: first Joomla issued a patch for a potential XSS issue, and now Boonex's Dolphin package has been raising some eyebrows with an as-yet-unresolved security issue that exposes the database name, username and password in plain text to the browser via a verbose error report. This report is triggered by any number of bugs, and could easily be used to compromise a website or server.

The security 'hole' had previously been reported and raised as an issue with the Dolphin developers, whose response was that it had been addressed. Amusingly this seems not to have been the case, with the latest attention being that the bug has now been witnessed on the Boonex admin test site, and the resulting full error report published - http://www.boonex.com/unity/forums/topic/Hey-BoonEx-Notice-Something-.htm. There is some further discussion in the blogs as well - Major Security Risk: Information and Temporary Solution

The community were quick to act, with a couple of suggested workarounds published on modmysite - http://www.modmysite.com/general-issues-comments-questions/10491-db_full_visual_processing.html#post39764 as well as on the Boonex site, but there has been no official response.

As of the time of this post, some three days after the original post, Boonex have still yet to comment, and there has been no official patch available to address the issue.


Joomla 1.5.18 Released

XSS Vulnerability addressed.

Joomla 1.5.18 has recently been released and includes a security update to fix a core XSS vulnerability. All Joomla users are advised to upgrade. More details about the vulnerability can be found on Joomla's developers board HERE. If you wish to stay abreast of the latest security announcements and updates for Joomla, you are advised to keep a check on the Joomla Developer Vulnerability News Feed.

More information on the 1.5.18 release, including the downloads, can be found on the product release page - HERE


Free Mods Released

It's been a very busy week here in the software office. Hot on the heels of the recent Flat Comments and Group Forum Posts Block mods, we have a further three - yes that's THREE!! new mods available in the store, plus a re-released oldie.

What's more, three of the mods are free!

The first mod is a re-release of our Login redirect mod for Dolphin 6. Whilst this has been available for download over at Boonex.com, for some reason it was omitted from the store, so we added it in. You can download it HERE

Next up is Auto Friend on Join. This is another Dolphin 6 mod that has been updated to work with Dolphin 7. The mod automatically adds a friend to the joining member's profile - a bit like Tom on MySpace. This mod differs a little as it will select the friend it adds based on the gender of the joining member. It can be set to add either a friend of the same sex, or opposite sex. Get it HERE


Dolphin Forum - Show Expanded Categories

Here's a quick hack to get the forum categories to display as expanded by default on the forum home page.

Edit modules/boonex/forum/classes/Forum.php

Search for the following...

            if (( isset($p['cat']) && $p['cat'] == $r['cat_uri'] ) /*|| 1 == $r['cat_id'] */)
            {
                $this->setTitle ($r['cat_name']);
                $c .= ''.$this->getForumsXML ($r['cat_uri'], 0) . '';
            }

Comment the following lines


2 New Dolphin MODs Released

Just released two new mods for the Boonex Dolphin platform.

The first mod is a Dolphin 6 mod that changes the standard threaded comments layout to a normal flat comment structure. All existing comments are changed to the new layout, as will all new comments.

The second modification is a Dolphin 7 MOD that creates a custom block for the group's home / view page that aggregates the group's forum posts. This increases the usefulness of the group's home page by providing all information in one place.

As a bonus, we have also included an additional mod that will show you how to add a block anywhere on your site to aggregate ALL group forum posts into one block.


Nowdoc string handler

Some of you may be familiar with the heredoc string handler, which allows multi-line strings to be easily assigned to a variable. This great tool has many uses - such as retaining pre-formatted layout and improving the readability of code. The heredoc handler also parses variables contained within the string - much the same way that using double quotes does - replacing any variables with their respective values.

This has some not so obvious drawbacks, one of which I discovered whilst trying to inject complex PHP code into a database for later evaluation via the eval() statement. (Please don't ask why.)

The problem I found was that whilst it was easy to escape the string so that it would not break the SQL statement, the same escape characters also broke the evaluation. This might not have been an issue in any other situation, but for this particular project I did not have access to the code that carried out the evaluation so that I could strip the escape characters out before running the eval query.

However, PHP 5.3 has now introduced the nowdoc syntax - this basically operates in the same manner as heredoc, but does not parse any of the content. This means that not only are variables not parsed, but neither are any characters that would normally require escaping. In essence, any string read into a variable by the nowdoc handler will not require any escaping whatsoever.


Dolphin 7 TinyMCE Browser MOD updated

The DeeEmm Dolphin Tiny MCE Browser modification has now been updated to work with the new Dolphin 7.0.1 release.

This release is a compatibility update. There are no additional features or bugfixes included.

If you have previously purchased the 7.0.0 version, you will be pleased to know that you are entitled to a free update. If you would like a copy of the updated files, please email me and I will send a copy out to you.

As usual, purchasers of our premium modifications are all entitled to access to the help-desk for priority 1-on-1 support. General support, bug reports, and feature requests can be posted to the forums.


CVS changed to SVN

The Sourceforge DMCMS source control active repository has now been changed from CVS to SVN. The old CVS repository will remain accessible for historical reasons.

At this point there are no plans to migrate existing data from CVS to SVN.

The SVN repository will be routinely updated as changes are made. The ability to easily download a tarball may mean that interim builds will simply be made available via the SVN repository instead of for direct download via the forums, but this will be assessed as usage progresses.

If there are any questions, please leave them in the comments section below.


It's Official. IE6 is Outdated

I have long held the view that the internet needs to be rid of Internet Explorer 6. IE 6 still equates to a massive 10% of all user-agents - some 180,233,045 users worldwide. This figure has fortunately been getting smaller, and the latest statistics show that IE6 has been in steady decline this year.

IE6 is the veritable thorn in the side of most web developers (with IE7 little better). With a userbase numerous enough to still require having to account for when developing websites, IE6 requires extraneous coding hacks to get it to function alongside more modern browsers. But this may soon be a thing of the past. It seems that Microsoft themselves are now promoting the demise of IE6. This is great news, and one could only like to think that it is as the result of folk such as you and I actively promoting its drawbacks. I personally think that IE6 has finally bitten Microsoft on the proverbial backside, with Internet Explorer usage falling to the ever more popular Firefox, which now reports some 45% market share.

The pain in the proverbials has seemingly spurred Microsoft into action to try and win back some users, and tip the scales back in their favor - and they seem to be targeting IE6 users. So what have they done?


Dolphin 7.0.1 and beyond

The latest release to Boonex's CMS system - Dolphin 7 - has now been out in the wild for some time. Released at Christmas, the much anticipated Dolphin 7 was to be heralded as the latest in web tech, offering an advanced platform for social networking sites that was far ahead of the competition. With several public beta releases, the anticipation was fueled by the glimpses offered in each release, building up the expectations to a massive level. Also adding fuel to this fire was the long overdue update and bugfix release due for Dolphin 6. As a result, Dolphin 7 had a lot to deliver.

With the release of Dolphin 7 finally made a year later than expected, it was unleashed into the public with a massive amount of issues, over 300 bugs to be precise. This left the Dolphin community a little abashed, with many users having stuck with Dolphin, through the extended development period, now feeling disappointed. Lots of these users had put development plans on hold, with the expectation that the promised release would be the answer to their needs.

It is now a further 5 months down the line, and the recent update release 7.0.1 has addressed many of the problems that plagued version 7. The problems are not completely fixed however, and there are still many issues surrounding how development and releases are handled, but it seems that Boonex are moving in the right direction with a shorter release cycle, and prioritisation of bugs addressed for each release. I previously touched on this issue with one of my blog posts over at unity - http://www.boonex.com/unity/blog/entry/Product_release_cycles

Based on past performance at Boonex, and anticipating the issues and extended wait with version 7, when it was originally announced, I decided to stick with version 6 - this is a choice that I am glad I made. Not only as the expected release date slipped way beyond the original estimate, and there were more issues than even I anticipated, but also as it has meant that I have managed to build my user-base over the past year, and develop the community for which the site serves.


D7 Hide Promo from logged in users

If you would like to hide the flash promo from displaying to logged in members all you have to do is the following.

Edit inc/design.inc.php

Find the following line in the getPromoCode() function (it's the last line)

return $sCode;


D7 Move avatar from promo to banner

After updating my Dolphin 6 site to the new version 7 software I decided that I wanted to move the avatar to the banner - basically the same as for my D6 site. I also wanted to put the quotes at the bottom - I decided to mimic the style and layout for my D6 site - I wanted my upgrade to D7 to be more or less transparent to my users.

How To Relocate the daily quotes

To modify the quotes position is simple enough - you just need to modify the sys_injections table - look for quotes_injection and then change the key to injection_footer_after

injection_footer_after refers to the tag that the content will replace - in this case the tag in the footer


DMCMS beta builds

In a recent forum post about DMCMS, I promised that at some point the current version would be spruced up a little and released as version 1. This is something that I actually started on late last year, but the work was lost when our house was burgled and my laptop (and also the backup drive) was stolen. This happened last September, and it's taken this long to renew the enthusiasm in DMCMS. This is probably spurred in the most part by the new direction that the site has recently taken. With more time being spent putting web based code mods together, I've begun to start thinking about getting DMCMS finished off again.

With more visitors coming for code tutorials and to buy modifications from the store, DMCMS is a bit of a show-case - not in the respect that it is anything worth looking at (it's 6 years old now, and very basic by today's standards) but in the respect that it may be used as some kind of yard stick for my work. So it needs to be tidied to the point where it is at least presentable.

My ideal goal would be to take it and completely re-write it using the jQuery framework, Smarty templates and maybe a few other Web 2 goodies. Probably the most important aspect would be making it a multi-user version, to allow commenting and third party participation, and using object based code to allow for extensibility.

So with this in mind - I've taken the first steps to getting the current version up to a version 1 release standard. The main changes that I previously carried out were mostly a simple code restructure. The administration interface was completely split away from the main code so that it functioned as a standalone interface - and some of the other functions that were crammed into the main code were also pared away.


BoonexNerd Update

Just had a bit of a chat with James Tadeo, who has recently updated his successful Boonex support site BoonexNerd.net to run from the latest Dolphin version - 7.0.0. James blogged about the migration which he said went fairly smoothly using the migration tool that comes with D7, great news to hear for those of us who have still yet to update.

This got me thinking about the update to my own Dolphin site. I started to have a look at this a little while back - I set up a fresh D7 installation, which had a few issues as I had to reconfigure the server setup to suit D7. Then I made a start with the data migration tool. I got as far as transferring the user-base over, but have been pretty busy since, and so have never progressed any further. This is something that I really need to make some time to go and sort out.

My main concern was that my D6 site is fairly modified, and whilst D7 does have greatly improved functionality, it does lack some of the mods that my members have come to expect. These mods are a mixture of purchased mods and mods that I have developed myself. There are also a large number of minor enhancements and bug-fixes that are hopefully now covered by the new D7 feature-set. The site has been developed over the past year, which is a nice and comfortable time frame to have developed a site this modded. Unfortunately with the upgrade, time is not that plentiful.

At present I think I will wait for the D 7.0.1. update to be released before revisiting the upgrade. I will have a look into rewriting the current mods for D7 and see how much work is involved, maybe I can temporarily drop a few of the mods to buy a bit of time.


Webstore Now Open

We are pleased to announce that our online store is now live.

At present we are in the process of uploading all of our modifications to the new store, so some products may not be visible yet, but we hope to have this completed within the next day or so.

We have added support for the PayPal payment gateway, so it is possible to purchase products using either your PayPal account or credit card via the PayPal website. We may expand the supported gateways in the future to include additional providers, so if you have specific requirements or wish to suggest a particular solution, please feel free to leave us a suggestion.

Will keep you updated of the progress.


Hosted Exchange 2007

We are pleased to announce that alongside our hosting packages, we are now also able to offer hosted Exchange email services. Our Hosted Exchange mail service runs Exchange 2007 and provides any number of mailboxes that you may require. There are no minimum numbers, and all packages come complete with Push email. Blackberry support can also be added if required.

As users of push technology, we decided to augment the standard email facilities provided with Exchange hosting. The ability to use Hosted Exchange is a great benefit to those clients that do not want to have the hassle of looking after their own servers. It also provides push technology to those clients using Windows Mobile or Blackberry devices, and our adoption of Exchange 2007 means that there is full integration with Apple OSX for Mail, Calendar and address book functions.

Our Exchange packages are run as a separate service and do not require a hosting package to use.

More details to be posted soon, but if you cannot wait that long, please contact us to discuss your exchange requirements.


Dolphin 6 - Login Redirect MOD

This mod will automatically redirect new members to the profile edit page when logging in for the first time. Every time thereafter members are taken to their profile page.

DEMO

http://dolphin6.deeemm.com/
