Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
Ok firstly let me just say that a recently posted "exploit" on Security Focus claiming that people could exploit the guestbook using the homepage field is incorrect as the guestbook already checks the submitted URL.
Anyway whilst disproving this exploit I realised there is an exploit that would require only minor knowledge to perform so I am submitting this patch before anyone else publicises the exploit.
Open up lib/add.class.php. Find both occurrences of

and replace them with

Now you are patched.
Carbonize I am not the maker of the Advanced Guestbook
Thanks Carbonize - patch inserted - so far, works fine.
I'll let you know if I experience any problems with it.
23/01/2005 00:05:22
Carbonize
Well this is a 0 day exploit meaning that it has not been published anywhere else yet to my knowledge. It's not the easiest exploit to actually pull off but better safe than sorry.
Carbonize I am not the maker of the Advanced Guestbook
Visit my site @ www.ragnaru.com
Adv. Poll Install Guide NOW BACK ONLINE! (And also rather out of date I would have thought)
23/01/2005 01:01:36
Carbonize
OK I misread the exploit posted on the Security Focus site. With the discovery of these two exploits I am going to have to bring forward the release of Advanced Guestbook 2.4. It will not be that major an update but will patch several exploits, add Yahoo & MSN fields, add a third option to gender and some other minor differences.
Carbonize I am not the maker of the Advanced Guestbook