Sasha Security! This or real? Need advice AGAIN... - part 2

Quote · 12 May 2013

I have found this on many sites I've worked on, all three "caching" folders sometimes are missing the .htaccess files.

I think many were so used to them not being there before and overlook this.

[edit] and this is what you get when going direct to your cache folder...

Forbidden

You do not have permission to access this document.

 


Web Server at socialmunch.com
 
ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 12 May 2013

Are you using nginx as a reverse proxy or something?

so much to do....
Quote · 12 May 2013

 I HATE YOU AUTOPILOT!


 

so much to do....
Quote · 12 May 2013

Yeah, that's not working because I cleared cache again!

try this: http://www.socialmunch.com/cache/user1.php

If I do this link: http://www.socialmunch.com/cache/    >> it's forbidden

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 12 May 2013

It will give forbidden for the dir and that's fine; it has something to do with mod_dir, not very sure though. The issue here is the files that can be accessed which shouldn't be.

so much to do....
Quote · 12 May 2013

Well I'm late in the thread, but here's my 2 cents:

 

1. Like Geek_girl said don't trust anything from a gmail account, especially if it's about security or SEO.

 

2. In the future if you ever get anything like this again and no one here can help NEVER pay the blackmailer (which is what these people are)... if you think you really have a problem hire a real security firm. The blackmailer will keep your money and just spread the word about your vulnerability.

 

3. When someone tells you MD5 is easily crackable give them one you just created and ask them to crack it. Unless you picked "dog" or "password" they probably won't be able to. But the fact this person even thought these were MD5s says a lot.

 

4. I know of at least one person here whose name is Sasha.. did he go into the pen testing business?

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 12 May 2013

Good thing I read this thread.  I didn't have an .htaccess in my cache_public folder, but I do now.

 

Also, I get this image when trying to access anything in the cache folder.  Is that what I should see?

[attached image: cache.png]
Quote · 12 May 2013

 I totally agree about the email thing

I would never pay these people!  My first thought was seek help and spread word for others who might get this!

I was a little taken aback when the codes they gave were correct ...

I have server security experts looking at this thread and taking actions / resolving issues now as I type :)

 

Well I'm late in the thread, but here's my 2 cents:

 

1. Like Geek_girl said don't trust anything from a gmail account, especially if it's about security or SEO.

 

2. In the future if you ever get anything like this again and no one here can help NEVER pay the blackmailer (which is what these people are)... if you think you really have a problem hire a real security firm. The blackmailer will keep your money and just spread the word about your vulnerability.

 

3. When someone tells you MD5 is easily crackable give them one you just created and ask them to crack it. Unless you picked "dog" or "password" they probably won't be able to. But the fact this person even thought these were MD5s says a lot.

 

4. I know of at least one person here whose name is Sasha.. did he go into the pen testing business?

 

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 12 May 2013

I don't think you meant to see that ... Deano has a link to what you should see if you read the thread back

 

Good thing I read this thread.  I didn't have an .htaccess in my cache_public folder, but I do now.

 

Also, I get this image when trying to access anything in the cache folder.  Is that what I should see?

 

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 12 May 2013

 

Good thing I read this thread.  I didn't have an .htaccess in my cache_public folder, but I do now.

 

Also, I get this image when trying to access anything in the cache folder.  Is that what I should see?

Yes. On some servers you will see that. On most it will be a standard forbidden error message. You're OK.

What you should not see is a blank white page, as that means the server is accessing it and trying to run it as requested.




https://www.deanbassett.com
Quote · 12 May 2013

when you say my files can be accessed .... in what way / how ?

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 12 May 2013

 Prashank25 .... Deano ?!

when you say my files can be accessed .... in what way / how ?

 

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 12 May 2013

 

when you say my files can be accessed .... in what way / how ?

The .htaccess should prevent anyone from having access to anything in the folder via the web.  If you go into that folder via ftp you should see several files, some of which will be user files, i.e. user104.php

If you type http://www.socialmunch.com/cache/user104.php you should get either what I had or what Deano posted earlier.  The white blank page means that the .htaccess file is not working correctly.

Quote · 13 May 2013

 I need to know how header.inc.php was able to be accessed ?!


 

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 13 May 2013

just by running the link www.socialmunch.com/inc/header.inc.php ?

 I need to know how header.inc.php was able to be accessed ?!


 

 

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 13 May 2013

 

 I need to know how header.inc.php was able to be accessed ?!


 

Same reason. I do not get an error when going to http://www.socialmunch.com/inc/header.inc.php - I do get one when I go to http://www.deanbassett.com/inc/header.inc.php or my site.

Do you have an .htaccess file there?  If so, delete it, add a fresh one from the zip, and clear your site cache.
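The check the thread keeps describing by hand (request the cache folders and inc/header.inc.php, then read the result: forbidden/not-found is fine, a blank 200 means Apache ran the PHP and the .htaccess is not in effect, raw PHP source is worse still) can be scripted. This is an added example, not code from the thread or from Dolphin; the path list and the verdict strings are my own choices.

```python
"""Probe Dolphin paths that should never be served directly (added example)."""
import sys
import urllib.error
import urllib.request

# Paths discussed in the thread; extend with cache_public/ etc. as needed.
SENSITIVE_PATHS = ("cache/", "cache_public/", "inc/header.inc.php")


def classify(status, body):
    """Map an HTTP status and body to a verdict using the thread's rules.

    403/404 mean the request was stopped (Dolphin may also turn a 403 into
    its own not-found or profile page, which is still a 200 with content).
    A 200 with an empty body means the PHP file was executed and silently
    produced nothing: the .htaccess is not working. A 200 containing PHP
    source means the file was served without PHP running at all.
    """
    if status in (403, 404):
        return "blocked"
    if status == 200:
        text = body.decode("utf-8", "replace")
        if "<?php" in text:
            return "SOURCE DISCLOSED"
        if text.strip() == "":
            return "EXECUTED (blank page) - .htaccess not working"
        return "served a page - confirm it is Dolphin's not-found/profile page"
    return "unexpected status %d" % status


def fetch(url):
    """Return (status, body); HTTPError carries the status for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_site(base_url):
    """Probe every sensitive path under base_url and return {path: verdict}."""
    results = {}
    for path in SENSITIVE_PATHS:
        status, body = fetch(base_url.rstrip("/") + "/" + path)
        results[path] = classify(status, body)
    return results


if __name__ == "__main__":
    for path, verdict in check_site(sys.argv[1]).items():
        print("%-20s %s" % (path, verdict))
```

Run it as `python check.py http://www.example.com` against your own site after dropping in the fresh .htaccess files; anything other than "blocked" deserves a look.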

Quote · 13 May 2013

There might be many ways to access the script if someone knows the direct path and the owner allows access to the file. A cracker can do that, I think; it shouldn't be a very hard thing to do. To prevent that you need to block access to the file; that's the only way.

I need to know how header.inc.php was able to be accessed ?!

 

so much to do....
Quote · 13 May 2013

I just tried to access mysite.com/cache on an Arvixe server and it showed a user's profile page instead of forbidden.  Tried it on two different ones on two different Arvixe servers; that was a surprise.  Must be the way they have Apache configured.

Geeks, making the world a better place
Quote · 13 May 2013

it's even better lol

I just tried to access mysite.com/cache on an Arvixe server and it showed a user's profile page instead of forbidden.  Tried it on two different ones on two different Arvixe servers; that was a surprise.  Must be the way they have Apache configured.

 

so much to do....
Quote · 13 May 2013

 

I just tried to access mysite.com/cache on an Arvixe server and it showed a user's profile page instead of forbidden.  Tried it on two different ones on two different Arvixe servers; that was a surprise.  Must be the way they have Apache configured.

 Whoah, that's not good.

Quote · 13 May 2013

What was the screen name of the profile it showed? The .htaccess that comes with Dolphin is set up to rewrite to a profile if it can't find a directory by that name. Depending on how the server is set up, sometimes a restricted directory will show up like it isn't there at all and Apache tries to rewrite to something close.

 

Either way a directory that shouldn't be viewed wasn't viewed.. I don't see how that can't be good?

 

 

I just tried to access mysite.com/cache on an Arvixe server and it showed a user's profile page instead of forbidden.  Tried it on two different ones on two different Arvixe servers; that was a surprise.  Must be the way they have Apache configured.

 Whoah, that's not good.

 

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 13 May 2013

Agreed with mscott^, this is the best thing that ever happened to mankind.

 

I just tried to access mysite.com/cache on an Arvixe server and it showed a user's profile page instead of forbidden.  Tried it on two different ones on two different Arvixe servers; that was a surprise.  Must be the way they have Apache configured.

 Whoah, that's not good.

 

so much to do....
Quote · 13 May 2013

I must have misunderstood.  I thought she said that she tried to view something in the folder, and it showed something in the folder.

If what she meant was that she tried to view the folder and it instead showed a profile (that a visitor would have access to), I can see how that is good. Cool

Quote · 13 May 2013

That would be similar to what ParadigmGuy was getting on his site.

Depending on how the server handles the 403 error, you either get a forbidden error or Dolphin handles it as a page not found.

In the page not found condition, what you get would depend on the Dolphin version. Newer versions of Dolphin will display a page not found; older versions will try to display a profile matching the not-found name. In this case I bet the profile name it tried to view was cache.

Either way, it did what it should have done. The access was stopped.





https://www.deanbassett.com
Quote · 13 May 2013

Makes sense, I'm running 7.1.1 if that matters.

Quote · 13 May 2013

OK, I think everything is good now ....  anyone care to test for me ?!

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 13 May 2013

Yup. Looks good.

https://www.deanbassett.com
Quote · 13 May 2013

 

OK, I think everything is good now ....  anyone care to test for me ?!

 got any fingernails left? Tongue Out

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 13 May 2013

What was the solution?

Quote · 13 May 2013

Yes, we need to know as I was seeing a similar thing on my server

Geeks, making the world a better place
Quote · 13 May 2013

OK ... it turns out that the dolphin zip .htaccess file is not correct itself !

It only has 'Deny from all'

For me the fix is below >>>

# block every request into this directory
deny from all

# also explicitly block the one file that was reachable
<Files user1.php>
  order allow,deny
  deny from all
</Files>

# and any other .php file here (dot escaped so it matches a literal ".")
<Files ~ "\.(php)$">
  order allow,deny
  deny from all
</Files>
DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 13 May 2013

 errrrrr NO !

 

OK, I think everything is good now ....  anyone care to test for me ?!

 got any fingernails left? Tongue Out

 

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 13 May 2013

Thank you again to everyone that helped :)

I hope this thread helps save you all from the full night of raw panic I faced tonight !

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 13 May 2013

Odd you had to go that far with it.

All documentation I can find says that just deny from all is fine.


https://www.deanbassett.com
Quote · 13 May 2013

Hmm. Turns out it may have something to do with Apache's configuration. If you have a newer version of Apache, the common configuration option in Apache's httpd.conf for AllowOverride All may need to be changed to AllowOverride All Limit.

Limit being a new directive. From what I read, if Limit is not specified then deny from all in a .htaccess file may not work. Apparently directives controlling host access such as Allow and Deny have been moved to a different Apache module, and Limit has to be specified in the AllowOverride directive for .htaccess to be able to use them.

Just guessing here of course. I would have to conduct some additional research.


https://www.deanbassett.com
Quote · 13 May 2013

Interesting.  What version of Apache are you running?  I'm running 2.2.24 and Deny from all works for me.

Quote · 13 May 2013

Regarding passwords, it is not just md5, it is md5 + salt + sha1, plus the password cookie is HttpOnly to make it inaccessible from JavaScript.

I assume that this person is not very good at security since they can't tell md5 from sha1.

The most common and plausible method to steal a user's session/cookies is XSS, but it does not look like the case here because of HttpOnly cookies, so it would point to some more serious security breach (like direct database access) or some simpler security hole where users' password hashes are displayed somewhere. For example, if you have some 3rd-party chat integration: to make it work with Dolphin, user data must be passed to it, and it may be that this 3rd-party integration is not secure enough and shows users' password hashes somewhere in the code.

What can be done with the info: the attacker can log in as the user and do things under this person's profile. If the profile is an admin, access to the site admin panel can be gained, which can be dangerous for the whole site; see my recommendations below to protect the admin account.

I would suggest the following:

- change any server access passwords, dolphin admin password and passwords of members whose info was compromised

- update to the latest version, for now it is 7.1.2

- change the administration folder in the inc/header.inc.php file and protect it with HTTP authentication (can be done via the cPanel interface)

 

Rules → http://www.boonex.com/terms
Quote · 13 May 2013

 Server version: Apache/2.2.15 (Unix)

Interesting.  What version of Apache are you running?  I'm running 2.2.24 and Deny from all works for me.

 

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 13 May 2013

Maybe my find should be added to the Boonex Docs, as this could be an unknown issue for many other Dolphin users out there?!

DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price!
Quote · 13 May 2013

Detective08, I think I have figured out how this could happen. I am sending you a private message to show you an error in your site, so you can correct it.

Templates and Modules for Dolphin 7.3 http://www.boonex.com/market/posts/Giovanni_m
Quote · 13 May 2013

 

 errrrrr NO !

 

OK, I think everything is good now ....  anyone care to test for me ?!

 got any fingernails left? Tongue Out

 

Dang, hit report again, they really should move the report link.

If you go back, I asked about <files>

So if one is on a server where they don't have access to the webserver config, then they will need to add the <files> to the .htaccess, otherwise, they need to check the webserver config and add the limit.  Correct?

Geeks, making the world a better place
Quote · 13 May 2013