Dolphin 7 Security Vulnerability Exposed
It would seem that this weekend has been an active time in the CMS community for security vulnerabilities, first Joomla issue a patch for a potential XSS issue, and now Boonex's Dolphin package has been raising some eyebrows with, an as yet unresolved security issue that exposes the database name, username and password, in plain text to the browser via a verbose error report. This report is triggered by any number of bugs, and could easily be used to compromise a website or server.
The security 'hole' had previously been reported and raised as an issue with the Dolphin developers, who's response was that it had been addressed. Amusingly this seems not to have been the case, with the latest attention being that the bug has now been witnessed on the Boonex admin test site, and the resulting full error report published. - http://www.boonex.com/unity/forums/topic/Hey-BoonEx-Notice-Something-.htm There is some further discussion in the blogs as well - Major Security Risk: Information and Temporary Solution
The community were quick to act, with a couple of suggested workarounds published on modmysite - http://www.modmysite.com/general-issues-comments-questions/10491-db_full_visual_processing.html#post39764 as well as on the Boonex site, but there has been no official response.
As of the time of this post, some three days after the original post, Boonex have still yet to comment, and there has been no official patch available to address the issue.
The security flaw raises the question of the validity of the security audits that were supposedly conducted on Dolphin 7 and 7.01 prior to release, and certainly brings into disrepute those that conducted it.
If you are currently running Dolphin 6 or 7 use the following instructions to address the issue (fix courtesy of Smoge at modmysite)
Below are instructions including what file to check,
and what to change, to avoid this situation.
Dolphin 7.0.x (inc/classes/BxDolDb.php)
Dolphin 6.0.x and 6.1.x (inc/db.inc.php)
Look for the value, near the top of the file, like:
define( 'DB_FULL_VISUAL_PROCESSING', true );
It should be set to:
define( 'DB_FULL_VISUAL_PROCESSING', false );
Making this change will prevent users from seeing debug
information (some sensitive) in the event your site has
a database error.
/DM