If you are not registered or logged in, you may still use these forums but with limited features. Show recent topics
  [Search] Search   [Hottest Topics] Hottest Topics   [Members]  Member Listing   [FAQ]  FAQ 
[Register] Register / 
[Login] Login 
PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK  XML
Forum Index » Support Forum
Author Message
yonnermark
Beginner

Joined: 01/03/2005 00:47:29
Messages: 13
Offline

i made the 2nd and 3rd changes just in case
There's no point me chaning the 1st is there as I have 2.3.1

thanks
mark
Anonymous



Is there a "final" or complete post with the changes for upgrade of
Advanced Guestbook 2.2 to 2.3.2?
And shouldn't this be an easy Cpanel upgrade instead of altering code?
Thanks.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

If you redownload the files from this site then all exploits, except the possible useragent one.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Anonymous



If there are so many fixes available, why haven't they been implemented in the official release? Is Advanced Guestbook a dead project now?

Anyone care to make a .zip/.tar available of all the files, fixed, so we can easily upgrade our installations without having to make so many edits?
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

The only major exploit is the SQL injection exploit in 2.2 that lets you log in to the admin section. This does not exist in 2.3.1 which is the current version. The Cross Site Scripting exploit in 2.3.1 does exist but requires skill to implement and the people that deface guestbooks using the SQL injection are not real hackers but children who found the exploit on a web page. The cross site scripting exploit was silently patched in December by Chi Kien Uong. Why silently? don't ask me. Advanced Guestbook 2.3.1 has been around for atleast two years now without any sign of an update (except the silent one). I have been working on a project I call The db Guestbook which, at present, is Advanced Guestbook 2.3.1 with a lot of code changes etc. There is a more complete list of changes in the General Discussion forum.

Recently, when I have been bored and going around fixing defaced guestbooks, I have been emailing the webmasters telling them to come here or my forums and fix their guestbooks. A few days ao I started thinking that maybe I should just email them the fixed files to patch the login exploit, XSS exploit and to implement my simple spam filter.

Problem with that is some people get paranoid about strange emails. I know in one case the person posted my email on the Page-Zone Hosting forum asking how I had found their guestbook and if they really had been hacked.

A lot of people seem to have just installed the guestbook and then left it, I don't even think they read it.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Anonymous



Just thought you might be interested in this. Lots of interesting information on how sites are XSS hacked and cookies are being stolen.

http://www.waraxe.us/forum-5.html

Is any of this a problem with the Guestbook? It seems that Forums and CMS's are being attacked.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

Not with 2.3.2 it shouldn't be.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Anonymous



You probably have already realized/discovered this, but if you enter ')||('a'='a
in the password field, it will give access to the admin bored.
Sorry in advance if this was already covered with the addslashes patch.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

errrrrrrrr no this was an exploit that only existed in 2.2 and 2.3 for which 2.3.1 was released to patch OVER 2 YEARS AGO!

2.3.4 has no known exploits at present and patches the known XSS exploit and the sad/stupid HTML in the useragent exploit.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Anonymous



When someone tries to write a message in my guestbook this message appears :
One of the input fields does not seem to be valid.

I am using Advanced Guestbook 2.3.2

www.sykestua.com/gjestebok

Any idea?
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

yes download 2.3.4 and replace all your files except admin/config.inc.php

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
creiglboyd
Newbie

Joined: 09/02/2011 22:17:00
Messages: 4
Offline

Ok thank you for this is very useful
Przemek
Newbie

Joined: 02/11/2016 16:10:18
Messages: 2
Offline

next update?
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

Probably never since there hasn't been one in over a decade.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
notresponding
Newbie

Joined: 21/11/2017 09:00:43
Messages: 1
Offline

For any type of fixes related to the not responding problem, you can visit our website at Spotify application not responding
[WWW]
 
Forum Index » Support Forum
Go to:   
Based on the open source JForum