If you are not registered or logged in, you may still use these forums but with limited features. Show recent topics
  [Search] Search   [Hottest Topics] Hottest Topics   [Members]  Member Listing   [FAQ]  FAQ 
[Register] Register / 
[Login] Login 
Guestbook 2.2 exploit fix  XML
Forum Index » Support Forum
Author Message
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

Ok after reading some old old threads ( from 2002 ) I decided to grab a copy of the 2.2 session.class.php file ( thanks JTD ). Anyway I think I have a quick fix for 2.2. users but need it to be tested.

THIS FIX HAS BEEN TESTED AND WORKS

Open your lib/session.class.php and locate

and replace it with

Cheers

UPDATE: You can now download a prepatched copy of the sessions.class.php file from www.carbonize.co.uk/AG

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

Another bump as I want someone with a live 2.2 installation to test it. Or am I going to end up emailing a site with a hacked guestbook with the fix.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

I think I have someplace for you to test it. Let me check, and I'll get back to you shortly.
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Okay. Do you want to do this yourself, or do you want me to do it?
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

If you have access to the server then best you do it. It's a simple enough modification. Only problem I can see is if the real password actually contains quotes or certain other symbols.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

You can have access if you want it. This page is under construction, and nothing is critical there. It's one of my subdomains.

So, unless you ask me for access, I will go ahead. Just follow the instructions in your earlier post in this thread?

I was just thinking... (that could prove hazardous :lol You are saying fixing the exploit has to do with the lib/session.class.php file. In the post noted below, some users with the admin loop after upgrading, reverted back to the old lib/session.class.php file. Does this mean they are now vulnerable to the exploit?

http://proxy2.de/forum/viewtopic.php?t=1711&postdays=0&postorder=asc&start=15
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

I'd say that yes they are now vulnerable. I uploaded the 2.2 sessions.class.php file to my 2.3.1 installation while testing this fix and I was vulnerable to it. Best fix for the login loop appars to be www.carbonize.co.uk/install.zip I just need to weed out the syntax bugs in it.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

Oh and yes, the fix is as I posted in the first post.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Okay. I'll try this now.
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

The exploit no longer works!

Invalid username or password. Please try again.

Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

Now the big test, can you actually login

As I said above it should work fine but I don't think it will work if the password contains quotes or certain other characters. But then who makes a password with quotes in it ?

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

No problem logging in. I think passwords should only be numbers and letters anyway.
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Yep! I tried some 2.3.1 guestbooks that I know went back to the old file because they couldn't get out of the admin loop. Now the exploit works on them.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

Scary hey. I'll print out the 2.2 session.class.php and the 2.3.1 file to see if I can't find a simple fix tomorrow when again I will be sat here for 12 hours.

Or I may do it now if I stil have the email with the 2.2 file in it.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

I guess I thought this was the "simple fix"? You mean there's more?

Too bad most of the people who did this logged in as guests with no email or web page reference. It appears they aren't interested in keeping up to date on the issues - only returning to the forum if they encounter a major disaster, and then not bothering to search for answers before posting. I'm sure they'll be back when they get hacked.

It would be good if we could get some stickies, like JTD mentioned in another post.
 
Forum Index » Support Forum
Go to:   
Based on the open source JForum