Latest posts for the topic "PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK"

PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK

Carbonize — GMT

[size="18"]DISABLE HTML IN POSTS TO PREVENT YOUR GUESTBOOK BEING DEFACED![/size]

[b]Advanced Guestbook 2.2 login exploit fix[/b] (also needed if you put your 2.2. session.class.php file in to 2.3.1)

Open your [b]lib/session.class.php[/b] and locate [code]if (get_magic_quotes_gpc()) {
$username = stripslashes($username);
$password = stripslashes($password);[/code]

and replace it with [code]if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);[/code]
You can also download this file pre patched from www.carbonize.co.uk/AG/

[b]Possible useragent cross site scripting exploit[/b]

Open up lib/add.class.php. Find oth occurences of[code]$agent = getenv("HTTP_USER_AGENT");[/code]and replace them with[code]$agent = htmlspecialchars(getenv("HTTP_USER_AGENT"));[/code]

[b]URI Cross Site Scripting Exploit[/b]

Open up index.php and fine[code]$entry = (isset($HTTP_POST_VARS["entry"])) ?
$HTTP_POST_VARS["entry"] : $entry;[/code]add under it[code]$entry = htmlspecialchars ($entry);[/code]This occurs twice in the file so edit both. I don't believe this is the best fix and I also believe a better fix was implemented silently into 2.3.1 recently but I need to check on that one.

Defacements...

Anonymous — GMT

Any solution for all the spambots? This guestbook is a oneclick install on the hosting server I use, so I have it on dozens of sites that I maintain, and all of them are getting spam entries regularly...

Carbonize — GMT

Read this - http://proxy2.de/forum/viewtopic.php?t=4239 it's listed on there. Hopefully the copy supplied by your hosts hasn't been altered to much.

Anonymous — GMT

[b][quote]URI Cross Site Scripting Exploit[/b]

Open up index.php and fine[code]$entry = (isset($HTTP_POST_VARS["entry"])) ?
$HTTP_POST_VARS["entry"] : $entry;[/code]add under it[code]$entry = htmlspecialchars ($entry);[/code]This occurs twice in the file so edit both. I don't believe this is the best fix and I also believe a better fix was implemented silently into 2.3.1 recently but I need to check on that one.[/quote]

Implementing the fixes listed in this sticky post.

I could only find 1 entry for the above fix.

This is my index.php file with the fix entered. Will this be okay or have I got an index.php file that is not up to date or tampered with?

[code] $include_path = dirname(__FILE__);

require_once $include_path."/admin/config.inc.php";
require_once $include_path."/lib/$DB_CLASS";
require_once $include_path."/lib/vars.class.php";
require_once $include_path."/lib/template.class.php";
require_once $include_path."/lib/gb.class.php";

$gb = new guestbook($include_path);

$entry = (isset($HTTP_GET_VARS["entry"])) ? $HTTP_GET_VARS["entry"] : 0;

$entry = (isset($HTTP_POST_VARS["entry"])) ? $HTTP_POST_VARS["entry"] : $entry;

$entry = htmlspecialchars ($entry);

echo $gb->show_entries($entry);
?>[/code]

Carbonize — GMT

It does actually appear twice. If you are using 2.3.1 and haven't altered the files I recommend downloading it again and replacing your files with the new ones as he has patched this exploit but forgot to mention it.

Anonymous — GMT

Hi,

why isn´t the download file corrected ??

I have downloaded the version 2.3.1 a few minutes ago and I had to make every cahnge you describe here ....

Regards

Anonymous — GMT

Or is the fix really only for 2.2 ??

Regards

Carbonize — GMT

I should of been clearer. He has only patched the [b]URI Cross Site Scripting Exploit[/b].

Anonymous — GMT

I mean the whole Guestbook ....

I made all three changes.

Is it ok ??

Regards

Anonymous — GMT

For example:

in lib/session.class.php of 2.3.1 is in it:

[code]if (get_magic_quotes_gpc()) {
$username = stripslashes($username);
$password = stripslashes($password);[/code]

and not

[code]if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);[/code]

Why not ??

At top of this thread you wrote, that we only shoud cahnge this, when we use the old file from 2.2 but it is also in 2.3.1 ....

Regards

Carbonize — GMT

Because in the top bit of code I can login to your admin section using the 2.2 login exploit where as the bottom bit prevents this.

Anonymous — GMT

Yes, I understand but why isnt´t it fixed in the download section of 2.3.1 ??

Regards

Carbonize — GMT

The script now adds the slashes in the [b]checkPass[/b] function. Why they have not changed the version number I don't know. If you look at the 2.3.1 files now you can see that some of the files were modified on 3rd December 2004. This is one of the reasons that I restarted my update. I will send a copy of 2.3.2 to the webmaster wehen it is complete.

yonnermark — GMT

Do I need to do this if my current install is the 2.3.1 ?
Are all of these fixes for 2.2 or only the first fix in the first post of this thread?

thanks
mark

Carbonize — GMT

this is where it gets confusing because the webmaster updated the scripts but left it as 2.3.1. Anyway if you downloaded 2.3.1 after Christmas then you only have to worry about the second one. If you downloaded it befoer then you need to do the second and third one although I think I will rewrite the last one as the webmasters method is better.

yonnermark — GMT

i made the 2nd and 3rd changes just in case
There's no point me chaning the 1st is there as I have 2.3.1

thanks
mark

Anonymous — GMT

Is there a "final" or complete post with the changes for upgrade of
Advanced Guestbook 2.2 to 2.3.2?
And shouldn't this be an easy Cpanel upgrade instead of altering code?
Thanks.

Carbonize — GMT

If you redownload the files from this site then all exploits, except the possible useragent one.

Why hasn't this been fixed?

Anonymous — GMT

If there are so many fixes available, why haven't they been implemented in the official release? Is Advanced Guestbook a dead project now?

Anyone care to make a .zip/.tar available of all the files, fixed, so we can easily upgrade our installations without having to make so many edits?

Carbonize — GMT

The only major exploit is the SQL injection exploit in 2.2 that lets you log in to the admin section. This does not exist in 2.3.1 which is the current version. The Cross Site Scripting exploit in 2.3.1 does exist but requires skill to implement and the people that deface guestbooks using the SQL injection are not real hackers but children who found the exploit on a web page. The cross site scripting exploit was silently patched in December by [b]Chi Kien Uong[/b]. Why silently? don't ask me. Advanced Guestbook 2.3.1 has been around for atleast two years now without any sign of an update (except the silent one). I have been working on a project I call The db Guestbook which, at present, is Advanced Guestbook 2.3.1 with a lot of code changes etc. There is a more complete list of changes in the General Discussion forum.

Recently, when I have been bored and going around fixing defaced guestbooks, I have been emailing the webmasters telling them to come here or my forums and fix their guestbooks. A few days ao I started thinking that maybe I should just email them the fixed files to patch the login exploit, XSS exploit and to implement my simple spam filter.

Problem with that is some people get paranoid about strange emails. I know in one case the person posted my email on the Page-Zone Hosting forum asking how I had found their guestbook and if they really had been hacked.

A lot of people seem to have just installed the guestbook and then left it, I don't even think they read it.

To Carbonize

Anonymous — GMT

Just thought you might be interested in this. Lots of interesting information on how sites are XSS hacked and cookies are being stolen.

http://www.waraxe.us/forum-5.html

Is any of this a problem with the Guestbook? It seems that Forums and CMS's are being attacked.

Carbonize — GMT

Not with 2.3.2 it shouldn't be.

SQL Injection

Anonymous — GMT

You probably have already realized/discovered this, but if you enter ')||('a'='a
in the password field, it will give access to the admin bored.
Sorry in advance if this was already covered with the addslashes patch.

Carbonize — GMT

errrrrrrrr no this was an exploit that only existed in 2.2 and 2.3 for which 2.3.1 was released to patch [b]OVER 2 YEARS AGO![/b]

2.3.4 has no known exploits at present and patches the known XSS exploit and the sad/stupid HTML in the useragent exploit.

Guestbook error

Anonymous — GMT

When someone tries to write a message in my guestbook this message appears :
One of the input fields does not seem to be valid.

I am using Advanced Guestbook 2.3.2

www.sykestua.com/gjestebok

Any idea?

Carbonize — GMT

yes download 2.3.4 and replace all your files except admin/config.inc.php

PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK

creiglboyd — GMT

Ok thank you for this is very useful

Re:PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK

Przemek — GMT

next update?

PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK

Carbonize — GMT

Probably never since there hasn't been one in over a decade.

Re:PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK

Oliver_queen — GMT

[url=https://www.urgenthomework.com/mechanical-help][u][b]Mechanical Engineering Assignment Help[/b][/u][/url]
Mechanical engineering is one of the most important branches of engineering. This is because anything that moves in this world is most likely related to the mechanical engineering. The mathematics and physics used in the branch are very tough and often makes student lose marks as they are not able to complete. Also, the other topics like thermodynamics, the strength of materials, etc. make students study more as they need to learn all the topics to get good marks in their examination. The assignments tend to put extra pressure on their students which is generally not good for their health. To reduce this pressure on students, we at Urgent Homework Help provide online assignment help to students in mechanical engineering under Mechanical Engineering Assignment Help. We have experts who can take care of your assignments while you concentrate on your studies. To know more about us visit our website.

Re:PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK

thomassingh45 — GMT

I understand but why isnt´t it fixed in the download section of 2.3.1 ??

[size=1][url=https://hellodear.in/net-banking-guide/]netbanking login[/url]

[url=https://teatv.ltd/dl/]Tea tv[/url][/size]