PATCHES FOR KNOWN EXPLOITS IN ADVANCED GUESTBOOK
Forum Index » Support Forum
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

DISABLE HTML IN POSTS TO PREVENT YOUR GUESTBOOK BEING DEFACED!

Advanced Guestbook 2.2 login exploit fix (also needed if you put your 2.2. session.class.php file in to 2.3.1)

Open your lib/session.class.php and locate

and replace it with
You can also download this file pre patched from www.carbonize.co.uk/AG/

Possible useragent cross site scripting exploit

Open up lib/add.class.php. Find both occurrences of ... and replace them with ...

URI Cross Site Scripting Exploit

Open up index.php and find ... and add ... under it. This occurs twice in the file, so edit both. I don't believe this is the best fix and I also believe a better fix was implemented silently into 2.3.1 recently, but I need to check on that one.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
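The two cross-site scripting items above (user agent and URI) come down to the same defensive rule: anything taken from the request must be escaped before it is stored or written into the page. The following is an added example written for this thread, not code from Advanced Guestbook or from Carbonize's patch; the function names are my own, and which $_SERVER keys the guestbook actually reads is an assumption, so adapt it to the lines the patch points at.

```php
<?php
// Added example, not Advanced Guestbook code. Shows escaping of request-
// derived strings before they reach HTML, for the user-agent and URI cases
// discussed in the thread. Names prefixed ag_ are hypothetical.

// Escape a string for safe inclusion in an HTML body or attribute value.
function ag_escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Return the visitor's user agent, escaped, with a fixed fallback when the
// header is missing. The length cap is a defensive choice: a guestbook only
// needs a short label, and the raw header is fully attacker-controlled.
function ag_safe_user_agent(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? 'unknown';
    return ag_escape_html(substr($ua, 0, 255));
}

// Return a script path for use in a form action or self-link.
// $_SERVER['PHP_SELF'] and $_SERVER['REQUEST_URI'] echo back whatever the
// client put in the request line, so they are escaped here as well. Which
// of these keys the guestbook uses is an assumption.
function ag_safe_self_url(array $server): string
{
    $path = $server['PHP_SELF'] ?? '/index.php';
    return ag_escape_html($path);
}

// Constructed sample input (not a real request) to show the effect.
$sample = [
    'HTTP_USER_AGENT' => 'Mozilla/5.0 <b>"quoted"</b>',
    'PHP_SELF'        => '/guestbook/index.php/<i>extra</i>',
];
echo 'UA:   ', ag_safe_user_agent($sample), "\n";
echo 'Self: ', ag_safe_self_url($sample), "\n";
```

The important detail is that escaping happens at the point where the value meets HTML, with ENT_QUOTES so that values placed inside attributes (such as a form action) are covered as well as values placed in the page body. Escaping only one of the two places, as the original "edit both" instruction hints, leaves the other one exposed.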
Anonymous



Any solution for all the spambots? This guestbook is a oneclick install on the hosting server I use, so I have it on dozens of sites that I maintain, and all of them are getting spam entries regularly...
Carbonize
Master

Read this - http://proxy2.de/forum/viewtopic.php?t=4239 it's listed on there. Hopefully the copy supplied by your hosts hasn't been altered too much.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Anonymous



URI Cross Site Scripting Exploit

Open up index.php and find ... and add ... under it. This occurs twice in the file, so edit both. I don't believe this is the best fix and I also believe a better fix was implemented silently into 2.3.1 recently, but I need to check on that one.


Implementing the fixes listed in this sticky post.

I could only find 1 entry for the above fix.

This is my index.php file with the fix entered. Will this be okay or have I got an index.php file that is not up to date or tampered with?

Carbonize
Master

It does actually appear twice. If you are using 2.3.1 and haven't altered the files I recommend downloading it again and replacing your files with the new ones as he has patched this exploit but forgot to mention it.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Anonymous



Hi,

Why isn't the download file corrected??

I have downloaded version 2.3.1 a few minutes ago and I had to make every change you describe here ....

Regards
Anonymous



Or is the fix really only for 2.2 ??

Regards
Carbonize
Master

I should have been clearer. He has only patched the URI Cross Site Scripting Exploit.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Anonymous



I mean the whole Guestbook ....

I made all three changes.

Is it ok ??

Regards
Anonymous



For example:

In lib/session.class.php of 2.3.1 there is:



and not



Why not ??

At the top of this thread you wrote that we only should change this when we use the old file from 2.2, but it is also in 2.3.1 ....

Regards
Carbonize
Master

Because with the top bit of code I can log in to your admin section using the 2.2 login exploit, whereas the bottom bit prevents this.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Anonymous



Yes, I understand, but why isn't it fixed in the download section of 2.3.1??

Regards
Carbonize
Master

The script now adds the slashes in the checkPass function. Why they have not changed the version number I don't know. If you look at the 2.3.1 files now you can see that some of the files were modified on 3rd December 2004. This is one of the reasons that I restarted my update. I will send a copy of 2.3.2 to the webmaster when it is complete.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
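The post above says the updated checkPass function now adds slashes to the submitted login values before they are used, which is what stops the 2.2 login bypass. As an added example (my own code, written for this thread, not the guestbook's checkPass or the webmaster's patch), here is the shape of that fix done with a prepared statement, which removes the need to escape at all, alongside the escape-based form for installs that cannot be restructured. The table name admin, the columns username and password, and the use of password_hash() style hashes are all assumptions, not details from the page.

```php
<?php
// Added example, not Advanced Guestbook code. Demonstrates a login check in
// which the submitted username and password can never be interpreted as part
// of the SQL statement. Schema (admin / username / password) is assumed.

// Preferred form: a prepared statement binds the username as data, so no
// quoting or slashing of the input is needed. Returns true only when the
// user exists and the password matches the stored hash.
function ag_check_pass(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password FROM admin WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;               // fail closed on any query error
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();        // true when a row was returned
    $stmt->close();
    if ($found !== true || !is_string($storedHash)) {
        return false;
    }
    // Assumes the stored value is a password_hash() result; password_verify
    // is constant-time with respect to the hash comparison.
    return password_verify($pass, $storedHash);
}

// Escape-based form, matching the "adds the slashes" approach the thread
// describes, for code that still builds the query as a string. Using the
// connection's own escaper (rather than addslashes) keeps the escaping
// consistent with the connection character set.
function ag_check_pass_escaped(mysqli $db, string $user, string $pass): bool
{
    $safeUser = $db->real_escape_string($user);
    $result = $db->query("SELECT password FROM admin WHERE username = '$safeUser' LIMIT 1");
    if ($result === false) {
        return false;
    }
    $row = $result->fetch_assoc();
    $result->free();
    if ($row === null || !isset($row['password'])) {
        return false;
    }
    return password_verify($pass, $row['password']);
}

// Usage (connection details are placeholders, not values from the thread):
// $db = new mysqli('localhost', 'ag_user', 'ag_password', 'guestbook');
// if (ag_check_pass($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     // start the admin session
// }
```

Either function fails closed: a query error, a missing row or a non-matching password all return false, so a broken or tampered query can never fall through to a successful login. If the existing install stores plain MD5 values rather than password_hash() output, the comparison line is the only part that changes; the binding or escaping of the username is the part that addresses the exploit the thread is about.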
yonnermark
Beginner

Joined: 01/03/2005 00:47:29
Messages: 13
Offline

Do I need to do this if my current install is the 2.3.1 ?
Are all of these fixes for 2.2 or only the first fix in the first post of this thread?

thanks
mark
Carbonize
Master

This is where it gets confusing because the webmaster updated the scripts but left it as 2.3.1. Anyway, if you downloaded 2.3.1 after Christmas then you only have to worry about the second one. If you downloaded it before then you need to do the second and third one, although I think I will rewrite the last one as the webmaster's method is better.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus