
Thread: Db_full_visual_processing

  1. #1
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,642
    Blog Entries
    5

    Default Db_full_visual_processing

    Some people have been talking on UNITY about how, on a database error, Dolphin may display more information than desired to a user of your Dolphin site.

    This information can contain system settings, paths, and so on that are best not shared with an untrusted user.

    This information display is easily controlled by checking, and changing, if needed, a value in the database include file.

    Below are instructions including what file to check, and what to change, to avoid this situation.

    Dolphin 7.0.x (inc/classes/BxDolDb.php)
    Dolphin 6.0.x and 6.1.x (inc/db.inc.php)

    Look for the value, near the top of the file, like:

    define( 'DB_FULL_VISUAL_PROCESSING', true );

    It should be set to:

    define( 'DB_FULL_VISUAL_PROCESSING', false );

    Making this change will prevent users from seeing debug information (some sensitive) in the event your site has a database error.

    Warm regards,
    Smoge
    ModMySite Administrator

    Problems? Questions? Need modifications or other help with your site?

    Open A Ticket , Send Us An Email Or Give Us A Telephone Call +1 518-632-4152.
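
Added example (not part of the original thread or of Dolphin itself): a small Python audit that automates the check described in post #1, reading the two files named there and reporting whether `DB_FULL_VISUAL_PROCESSING` is enabled. The function names and the exit-code convention are assumptions made for this example.

```python
import re
from pathlib import Path

# Files named in the post, relative to the Dolphin install root.
CANDIDATES = {
    "inc/classes/BxDolDb.php": "Dolphin 7.0.x",
    "inc/db.inc.php": "Dolphin 6.0.x / 6.1.x",
}
CONSTANT = "DB_FULL_VISUAL_PROCESSING"

# PHP comments: /* ... */, // ..., # ...  (comment markers inside string
# literals are not handled; adequate for a define() near the top of a file).
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_DEFINE = re.compile(
    r"(?i:define)\s*\(\s*['\"]" + CONSTANT + r"['\"]\s*,\s*([^)\s]+)\s*\)"
)

def visual_processing_state(php_source):
    """Return True/False for the first active define(), None if absent."""
    m = _DEFINE.search(_COMMENTS.sub("", php_source))
    if not m:
        return None
    # PHP keeps the first define() of a constant; later ones are ignored.
    return m.group(1).strip("'\"").lower() in ("true", "1")

def audit(root):
    """Check each known file under root; return (path, release, state) tuples."""
    findings = []
    for rel, release in CANDIDATES.items():
        path = Path(root) / rel
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.append((rel, release, visual_processing_state(text)))
    return findings

def is_exposed(root):
    """True if any checked file leaves visual processing enabled."""
    return any(state is True for _, _, state in audit(root))

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    labels = {True: "ENABLED (insecure)", False: "disabled", None: "not defined"}
    for rel, release, state in audit(root):
        print(f"{rel} [{release}]: {labels[state]}")
    sys.exit(1 if is_exposed(root) else 0)
```

Run it with the Dolphin install root as the only argument; a non-zero exit status means the setting is on, which makes it usable from cron or a deployment check.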

  2. #2
    Knuty's Avatar
    Join Date
    Sep 2006
    Posts
    103

    Default

    Thank you
    Dolphin 7.0.2

  3. #3

    Join Date
    Dec 2007
    Posts
    8

    Default

    Thanks a lot. Is there a mailing list or something that I can sign up to where they publish Dolphin vulnerabilities? It's just my site got hacked last year when running 6.1 and I have spent thousands upgrading to 7 and re-modding everything and so I really don't want to get hacked again.

    Again thanks heaps for the heads up on this issue..

  4. #4
    DeeEmm's Avatar
    Join Date
    Jul 2009
    Posts
    13
    Blog Entries
    1

    Default

    Good Job

  5. #5
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,642
    Blog Entries
    5

    Default

    Quote: Originally Posted by jaminunit
    Thanks a lot. Is there a mailing list or something that I can sign up to where they publish Dolphin vulnerabilities? It's just my site got hacked last year when running 6.1 and I have spent thousands upgrading to 7 and re-modding everything and so I really don't want to get hacked again.

    Again thanks heaps for the heads up on this issue..
    Well - soon, we will upgrade ModMySite's vBulletin to v4, which supports blogs and content management... so I expect when that is done - things will be a bit more interesting - meaning - more than just thread posts.

    Also - I waited as long as I could - waiting for BoonEx to get it together and see when the revision release slow down a bit - which seems to have happened now... so we will also be launching our Dolphin 7.0.1 bugfixing / modification project.

    So - not sure if that answers your question exactly... but maybe helps some.

    Smoge
    ModMySite Administrator


  6. #6

    Join Date
    Jan 2010
    Posts
    11

    Default

    I am using D6

    PHP Code:
    define( 'DB_FULL_VISUAL_PROCESSING', true );
    define( 'DB_FULL_DEBUG_MODE', false );
    define( 'DB_DO_EMAIL_ERROR_REPORT', true );
    Whenever I get a database error, I get an email along with the sensitive info. But none of it appears on the website. If I change "Processing" to false, will I get more info of the database in the email?

    yeah, I think we need to start a security forum or something, that keeps up to date info on Dolphin,
    thanks

  7. #7
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,642
    Blog Entries
    5

    Default

    Code:
    define( 'DB_FULL_VISUAL_PROCESSING', false );
    define( 'DB_FULL_DEBUG_MODE', true );
    Would result in a minimal message shown in the web browser, but more debug info sent in the email.

    Smoge
    ModMySite Administrator


  8. #8
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,642
    Blog Entries
    5

    Default

    Maybe you checked if DB_FULL_VISUAL_PROCESSING is on or off now... but perhaps you have others doing coding for you, or adding modifications, or whatever, and you are concerned they may turn it on, and not tell you, or forget to turn it back off again when they are done.

    You can add an indicator (the code below is for Dolphin 7.0.1) to your administrator panel Dashboard. I stuck it in the first block (with the admin info) rather than making a new block.

    You can check the screen shots if you wish, attached to this post.

    It is easy to add.

    Edit inc/classes/BxDolAdminDashboard.php

    Find, around line 88, function getAdminBlock()

    Replace that function with the modified one below, or compare and edit your existing function (your choice!)


    Code:
    	function getAdminBlock() {
    	    global $oAdmTemplate;

    	    // Cast the cookie value to an integer so it cannot alter the SQL query.
    	    $iMemberId = (int)$_COOKIE['memberID'];
    	    $aInfo = $GLOBALS['MySQL']->getRow("SELECT `NickName` AS `username`, `Password` AS `Password`, DATE_FORMAT(`DateLastLogin`, '" . getLocaleFormat(BX_DOL_LOCALE_DATE, BX_DOL_LOCALE_DB) . "') AS `last_login` FROM `Profiles` WHERE `ID`='" . $iMemberId . "' LIMIT 1");

    	    // Flag whether on-screen database error output is currently enabled.
    	    if( DB_FULL_VISUAL_PROCESSING ){
    	        $vp_alert = '<font color="red">Enabled - Insecure!</font>';
    	    } else {
    	        $vp_alert = '<font color="green">Disabled</font>';
    	    }

    	    return array(
    	       'icon' => $oAdmTemplate->getIconUrl('dashboard_admin.png'),
    	       'title' => ucfirst($aInfo['username']),
    	       'url' => '',
    	       'content' => _t('_adm_txt_dashboard_last_login') . ': ' . $aInfo['last_login'] . '<br /><a href="' . $GLOBALS['site']['url_admin'] . 'settings.php?cat=ap">' . _t('_adm_txt_dashboard_change_password') . '</a>' . '<br>' . 'Visual Processing: ' . $vp_alert
    	    );
    	}
    My changes, broken out...

    Added this:

    Code:
    	    if( DB_FULL_VISUAL_PROCESSING ){
    	        $vp_alert = '<font color="red">Enabled - Insecure!</font>';
    	    } else {
    	        $vp_alert = '<font color="green">Disabled</font>';
    	    }
    and appended this to the 'content'

    Code:
     . '<br>' . 'Visual Processing: ' . $vp_alert
    Have fun!

    Smoge
    ModMySite Administrator


  9. #9
    Administrator Smoge's Avatar
    Join Date
    Mar 2005
    Posts
    6,642
    Blog Entries
    5

    Default

    >> This database error is a huge security risk.
    It is actually a nice feature.... but gone bad.

    The VISUAL PROCESSING is really nice when you are doing development.... it saves a lot of time compared to checking an email (or looking at a file) while you are developing.

    The main point is - that it should be disabled if you are not using it for development work or debug.

    It is why I suggested the indicator in the Dashboard.

    It is not an EVIL thing... VISUAL PROCESSING is actually a cool "feature", if used correctly.

    Smoge
    ModMySite Administrator

