[ask] Is Dolphin 7.0.2 safe from SQL injection?

Hi there,

I want to ask if Dolphin 7.0.2 is safe. My friend's site got hacked by a Saudi Arabian hacker team. I also tried googling Dolphin vulnerabilities, and I found that there is an exploit out there for SQL injection in Dolphin 7.0.x.

If there is any possibility for an attacker to hack a Dolphin-based site, could someone share how to patch and secure my Dolphin site?

Thank you


Quote · 15 Nov 2010

You should upgrade to 7.0.3... You can get the upgrade patches in the Dolphin product section I think. 7.0.3 is much better as far as security is concerned.

You possess an intuitive intelligence so powerful it can help you heal, and relieve stress.
Quote · 15 Nov 2010


You should upgrade to 7.0.3... You can get the upgrade patches in the Dolphin product section I think. 7.0.3 is much better as far as security is concerned.

Absolutely right!

PS: If possible do not write me personally, please try to ask on the forum first
Quote · 15 Nov 2010

Dolphin 7.0.3 has 2 known vulnerabilities, see here:

1) a blind SQL injection vulnerability in tags.php

2) a source code disclosure vulnerability in gzip_loader.php, but I think this is an extension because I don't have this file

Quote · 15 Nov 2010

It's already fixed. Changesets are here:
http://www.boonex.com/trac/dolphin/changeset/14641
http://www.boonex.com/trac/dolphin/changeset/14638

Rules → http://www.boonex.com/terms
Quote · 15 Nov 2010


It's already fixed. Changesets are here:
http://www.boonex.com/trac/dolphin/changeset/14641
http://www.boonex.com/trac/dolphin/changeset/14638

Very well, I'll fix my site immediately, great job!!!!

Quote · 16 Nov 2010

Sorry, but in which version was BxDolGzip added, or is it an extension?

I don't have this file in my installation!

Quote · 16 Nov 2010

Sorry, but in which version was BxDolGzip added, or is it an extension?

I don't have this file in my installation!

It was added in Dolphin 7.0.3.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 16 Nov 2010

I just had to share a REALLY useful Open Source tool - it's called Vega ( http://subgraph.com/products.html ). I've had it running and in two minutes it found a lot of issues, potential security issues that is.

Integer overflows
Directory traversal, also known as "path traversal"
Command injection vulnerabilities
a possible SQL injection vulnerability 

Also found medium security issues

XML injection vulnerability

I have to admit I need to do some research on some of these ( Vega gives you definitions and links to the issues it finds ), but I know that the SQL injection vulnerability is kind of serious. What's nice is, this program gives you a little help on fixing the issues it comes across. So for this SQL injection issue it had the following suggestions...

REMEDIATION

  • The developer should review the request and response against the code to manually verify whether or not a vulnerability is present.
  • The best defense against SQL injection vulnerabilities is to use parameterized statements.
  • Sanitizing input can prevent these vulnerabilities. Variables of string types should be filtered for escape characters, and numeric types should be checked to ensure that they are valid.
  • Use of stored procedures can simplify complex queries and allow for tighter access control settings.
  • Configuring database access controls can limit the impact of exploited vulnerabilities. This is a mitigating strategy that can be employed in environments where the code is not modifiable.
  • Object-relational mapping eliminates the need for SQL.


Pretty nice huh? I have to admit a lot of this stuff is above and beyond me, however this program does get me pointed in the right direction. Pretty much everything I do, when I come across an issue that exceeds my knowledge, I camp out and live on various forums for days, searching and learning. Vega, in the few moments I've been using it, is already speeding up the process.

I just thought others may find this tool helpful. If anything, when I do ask a question here, with the help of this program I can ask a more educated question. It's nice that the program links to web pages, wikis and such to help explain the issues as well as the fixes. It doesn't explicitly give you Dolphin related answers/links, but addresses SQL, XML, PHP and so on.

Anyway - I like it so far, had to share. Hope y'all find it as helpful as I have so far. It's actually still scanning my site and still finding stuff. That said, expect a scan to take a while if you download this program and try it out. It's been at it for at least 20 mins so far. It appears to be extremely thorough - checking all the files in my Dolphin site directory, down to the sub atomic level, which is ok by me. Before I go "LIVE" with my site I want to make sure it's as secure as possible.

And no, I am not involved with this company! Just a huge supporter of Open Source stuff and I think this program has great potential, and could be extremely helpful/useful to everyone running a Dolphin site. 

285 Social of Colorado - www.285social.com - Connecting the Corridor
Quote · 16 Jun 2012
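The "parameterized statements" and "numeric types should be checked" remediation points above, shown side by side with the concatenation pattern that makes a tag lookup injectable. This is an added example, not Dolphin's or Vega's code; the Tags table, its columns and the in-memory SQLite database are assumptions so the script runs stand-alone (Dolphin itself runs on MySQL, where the same PDO calls apply).

```php
<?php
// Added example (not Dolphin's own code). The table/column names and the
// sqlite in-memory database are assumptions chosen so this runs offline.
declare(strict_types=1);

// Vulnerable shape: untrusted input is spliced straight into the SQL text,
// so a quote character in the input changes the meaning of the WHERE clause.
function findTagVulnerable(PDO $db, string $tag): array
{
    $sql = "SELECT ID, Tag FROM Tags WHERE Tag = '" . $tag . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: the value travels as a bound parameter and is never
// interpreted as SQL, so the same input matches only a literal tag.
function findTagSafe(PDO $db, string $tag): array
{
    $stmt = $db->prepare("SELECT ID, Tag FROM Tags WHERE Tag = :tag");
    $stmt->execute([':tag' => $tag]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric ids: validate the type before the value reaches the query at all,
// then still bind it as an integer parameter.
function findTagById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null; // reject anything that is not a plain non-negative integer
    }
    $stmt = $db->prepare("SELECT ID, Tag FROM Tags WHERE ID = :id");
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the script runs without a real Dolphin database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Tags (ID INTEGER PRIMARY KEY, Tag TEXT NOT NULL)");
$db->exec("INSERT INTO Tags (Tag) VALUES ('music'), ('travel'), ('photo')");

// A tautology probe: the vulnerable lookup returns every row, the safe one none.
$probe = "x' OR 1=1 --";
printf("vulnerable: %d rows\n", count(findTagVulnerable($db, $probe)));
printf("safe:       %d rows\n", count(findTagSafe($db, $probe)));
printf("by id '7a': %s\n", findTagById($db, '7a') === null ? 'rejected' : 'accepted');
```

Run it with `php example.php` on any PHP build with pdo_sqlite enabled; the row counts make the difference between the two query shapes visible without touching a live site.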

I should add that if you run this program, expect it to take a while! Just so's ya knows!

285 Social of Colorado - www.285social.com - Connecting the Corridor
Quote · 22 Jun 2012