Advanced Guestbook 2.2 -- SQL Injection Exploit
Jam'n
Graduate

Joined: 07/01/2003 17:31:39
Messages: 166
Location: Netherlands
Offline

I found out that Advanced Guestbook 2.2 appears vulnerable to SQL Injection granting the attacker administrator access. The attack is very simple and consists of inputting a special password string leaving the username entry blank:

So I suggest you upgrade to the latest version.

Jam'n


------------------------------------------------

Only the man who's truly educated
understands that he knows very little...

------------------------------------------------
xavior93
Newbie

Joined: 27/04/2004 19:54:25
Messages: 1
Location: United States
Offline

This guestbook is very hackable. Yesterday, as a matter of fact, some guy in Poland hacked the guestbook, which gave him the ability to change and remove files off my webserver. He was a persistent little bugger. He made my day very interesting. The guy's name is Andrzej Bilski <3tc69@wp.pl> from http://republika.pl. So just watch out, it'll make your day very interesting.
fireman949
Newbie

Joined: 04/05/2004 18:03:02
Messages: 2
Offline

How exploitable is the latest version - 2.3.1?
Jam'n
Graduate

Joined: 07/01/2003 17:31:39
Messages: 166
Location: Netherlands
Offline

No known exploits yet (as far as I know).

Jam'n
becki
Newbie

Joined: 09/07/2004 20:07:12
Messages: 4
Offline

hello,

hmh ... i'm not sure if the version 2.3.1 isn't open for the exploit with the empty username and the password ') OR ('a' = 'a

well ... i mean even http://proxy2.de/guestbook/admin.php is secured with a .htaccess file !! there must be a reason for it, isn't it ??

i could gain access on SOME guestbooks on the internet running the version 2.3.1 .... but this wasn't possible EVERY time ! sometimes the exploit just worked and other times it didn't !! strange behaviour

anyway ... developed a security patch for this exploit a couple of days ago and just thought it might be worth posting here and let other people know about

sooo ...check out this link => http://www.beckspaced.com/gb_fix/index.php

hope this helps a bit

all the best
becki
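
Why the login input quoted in the post above (blank username, password `') OR ('a' = 'a`) is accepted when the query is built by string concatenation, and why bound parameters stop it. This is an added example, not code from the thread or from Advanced Guestbook: the `admins` table, the account, the query shape and the SQLite stand-in for MySQL's `PASSWORD()` are assumptions made for illustration.

```python
import hashlib
import sqlite3

# Password string quoted in the thread; the username is left blank.
THREAD_PASSWORD = "') OR ('a' = 'a"


def password_stand_in(value):
    # Assumption: stands in for MySQL's PASSWORD() so the query runs on SQLite.
    return hashlib.sha256(str(value).encode()).hexdigest()


def make_db():
    """In-memory table with one constructed admin account (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, password_stand_in)
    conn.execute("CREATE TABLE admins (id INTEGER, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO admins VALUES (1, 'admin', PASSWORD('constructed-secret'))"
    )
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable pattern: form input is pasted into the SQL text."""
    sql = (
        "SELECT id FROM admins WHERE username='" + username + "' "
        "AND password=PASSWORD('" + password + "')"
    )
    # With the thread's input the WHERE clause becomes
    #   username='' AND password=PASSWORD('') OR ('a' = 'a')
    # and the trailing OR term is true for every row.
    return conn.execute(sql).fetchone() is not None


def login_bound(conn, username, password):
    """Hardened pattern: input travels as bound parameters, never as SQL."""
    sql = "SELECT id FROM admins WHERE username=? AND password=PASSWORD(?)"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concatenated(db, "", THREAD_PASSWORD))
    print("bound:       ", login_bound(db, "", THREAD_PASSWORD))
```

With bound parameters the quote characters are compared as data, so the fix does not depend on the PHP version's quoting behaviour or on matching one particular password string.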
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

So what you are saying is just double password and login protect it. Correct??? Also does your patch work on version 2.2???

LINK-> Use Lazarus Guestbook
becki
Newbie

Joined: 09/07/2004 20:07:12
Messages: 4
Offline

so what am I trying to say ?? everything quite easy first go and read all the stuff written at http://www.beckspaced.com/gb_fix/index.php ! there's all the info you should need

then ... you don't need to double protect your guestbook ! just decide for which you want to go >

1.) protect via .htaccess file
2.) install the patch !

either one of those should work fine

about the version i'm not sure i just downloaded the latest version from http://proxy2.de and therefore i suppose it's version 2.3.1 !!

as i don't have any older version like 2.2 i don't recommend to install the patch on a 2.2 version ! better upgrade to 2.3.1 and then install the patch !

or pass me the old 2.2. version so i can have a look on how to secure this thing

hope this helps
becki
Jam'n
Graduate

Joined: 07/01/2003 17:31:39
Messages: 166
Location: Netherlands
Offline

Seems the exploit was possible thru a bug in the PHP version you use.
So if your hosting company has the latest version then the bug doesn't work.

Jam'n
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4289
Location: Bristol, UK
Offline

I've just done a search on Google for "advanced guestbook 2.2" and every site I found I could log in on. Some had been hacked so I fixed them and I cleaned up the spam in others. I am running 2.3.1 on PHP 4.3.4 so I am safe as this seems to have fixed the magic quotes problem. I would highly recommend updating to 2.3.1 and hassling your webhost about updating their PHP version. In the meantime I suggest either protecting your admin.php with .htaccess as has been suggested or simply renaming it and removing the link to it from the guestbook. After all, if they can't find it they can't exploit it.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
becki
Newbie

Joined: 09/07/2004 20:07:12
Messages: 4
Offline

well ... also went on a search on google.com a while ago and searched for guestbooks open for the exploit !
then i also found some version 2.3.1 guestbooks running PHP version up to 4.3.7 which were still open for the exploit !!!

also posted a bug report on http://bugs.php.net/bug.php?id=28906 but so far this report is still OPEN !! for weeks now

so .. protect your admin.php file with .htaccess file ..... or rename it ... not a good solution .... or install the patch which can be found at http://www.beckspaced.com/gb_fix/index.php

in the meantime .. have fun & enjoy life to its best

becki
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4289
Location: Bristol, UK
Offline

Hmmm I don't have a copy of 2.2 but I wonder if we couldn't put in a simple


Carbonize
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4289
Location: Bristol, UK
Offline

or more likely look for "') OR ('a' = 'a" in the supplied password or trim($password)

Carbonize
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4289
Location: Bristol, UK
Offline

I have just set my guestbook up to post a nice message if anyone tries to use the exploit password; it also logs their details.

Carbonize
Ktoadd
Newbie

Joined: 12/08/2004 04:14:20
Messages: 2
Offline

Hi guys, was reading through some of these hacking posts....

Mine was just hacked as well:

http://www.bluetongueskinks.net/guestbook

Someone told me to just go with dreambook... Or should I upgrade, and the problem will be solved? What would you guys suggest, I'm not even sure how to upgrade.

Thanks a lot for any help... I'm sure you get tired of the same questions... Sorry..
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Trevor has supplied the info here:

http://proxy2.de/forum/viewtopic.php?t=3475
 