Guestbook 2.2 Security Issue - Hackers Can Easily Exploit
Trevor
Student

Joined: 17/06/2004 02:53:11
Messages: 67
Location: UK
Offline

INTRO
Thought I'd post this as it's an important security issue for anyone with Advanced Guestbook version 2.2. Basically the problem is that these guestbooks are extremely easy to hack into.

I've written this in simple language so everyone can understand it - hopefully (sounds better than the truthful reason which is that I'm not at all technical).

HOW EASY IS IT TO HACK?
I've just visited about 20 guestbooks and got straight into the majority of them. Only one or two had taken steps to address the vulnerability and several had already been targeted by malicious hackers. (Don't worry - I didn't do anything except mail the webmaster with suggestions and offer to repair hacked guestbooks).

HOW DO THEY GET HACKED?
Very easily - 'nuff said.

WHAT DO THE HACKERS DO?
Depends, pretty much what they want. Of the ones I've just visited that were hacked, there was the usual display of pro and anti slogans, adverts and URLs for questionable sites and a young man displaying his affections for the lady of his life by hacking sites and professing his love for her.

CAN A HACKED SITE BE FIXED?
Again - it depends. If the entries have been deleted and the coding screwed around with then no, if it's just a case of changed settings then usually yes.

HOW CAN IT BE FIXED?
First thing is to regain access (as mentioned - passwords and usernames are often changed). With access restored it may simply be a case of deleting the offending entries and resetting changes that have been made.

HOW TO REGAIN ACCESS
Problem - if I say how it's done then less scrupulous people could use it for malicious purposes.
Solution 1 - Search this forum, it's a subject that's been covered many times.
Solution 2 - If that fails send me an email to guestbook at kahlil dot org and I'll have a go at doing it for you. Then just login using the new username and password and off you go. You'll need to tell me the URL of the guestbook, once accessed (if it can be done), I'll mail you back with the new username and password which you can then change to whatever.

PREVENTING HACKERS IN THE FIRST PLACE

UPGRADE TO VERSION 2.3.1 IF YOU CAN, this is more secure and addresses other problems with version 2.2. Info about upgrading is here <<<http://proxy2.de/forum/viewtopic.php?t=2595>>>

If you can't upgrade or want to make version 2.3.1 more secure then here's some suggestions (search this site for more detailed info)...

Carbonize has an excellent forum on his site including a very simple yet effective fix for the version 2.2 exploit... <<<http://www.carbonize.co.uk/Board/viewforum.php?f=10>>>

Here's another fix for version 2.2 but it's more complicated...<<<http://proxy2.de/forum/viewtopic.php?t=3283>>>

Check out the following post by Carbonize, it adds another layer to the password security in version 2.2 and is an easy and effective solution...<<<http://proxy2.de/forum/viewtopic.php?t=3343>>>

Protect your files with .htaccess - there's a tutorial on the subject here... <<<http://httpd.apache.org/docs/howto/htaccess.html>>>

There's a security patch courtesy of Becki which you can get here... <<<http://www.beckspaced.com/gb_fix/index.php>>>, it's designed for 2.3.1 so I don't know how well (if at all) it will work with 2.2.

Perhaps the easiest way for a hacker to find a guestbook is via a search engine so consider blocking search-bots in your robots.txt file. More about robots.txt files here... <<<http://www.robotstxt.org/wc/exclusion.html>>>

Most hackers will target the file called admin.php so think about renaming it; you'll have to change anything that links to it and I don't know how big a job that is.

Remove the 'administration' link from the top of the guestbook pages. There are two pages to change, one's called body.php and the other is form.php, both are in the templates folder. For both pages look for the following...



...and either delete it or comment it out (you could also keep it in and mess about creating transparent gifs and null messages).

THE BIT AT THE END
Several options to go at, using one or more of them should make your guestbook more secure. I'd say that if you can upgrade to version 2.3.1 then go for it but if you can't then get some security in place before it's too late.

That's it.

Trevor
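A worked version of the .htaccess protection and admin.php lockdown suggested in the post above. This is an added example, not part of the original post or of Advanced Guestbook; the file paths and the Basic-auth user file are assumptions.

```apache
# Added example, not from the original post. Place this .htaccess in the
# guestbook directory (assumed: the directory that holds admin.php).
# The password file is assumed to be /etc/apache2/guestbook.htpasswd,
# created outside the web root with:
#   htpasswd -c /etc/apache2/guestbook.htpasswd <admin-username>

# Require a second, web-server-level login before admin.php is even
# reached, so a weakness in the guestbook's own login does not expose
# the admin panel on its own.
<Files "admin.php">
    AuthType Basic
    AuthName "Guestbook administration"
    AuthUserFile /etc/apache2/guestbook.htpasswd
    Require valid-user
</Files>

# Stop directory listings so the templates folder and any backups are
# not browsable.
Options -Indexes

# Never serve a password file if one is ever copied under the web root.
# (Apache 2.4 syntax; on Apache 2.2 and older use
#  "Order deny,allow" followed by "Deny from all" instead.)
<Files ".htpasswd">
    Require all denied
</Files>
```

If you also rename admin.php as the post suggests, change the filename in the first `<Files>` block to match, otherwise the protection silently stops applying.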
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

Thanks Trevor. At least you have the patience to post something like that. Which was very good BTW. Me I just get tired of reading the same old questions all the time when people don't bother to do a search.

Trevor
Student

Joined: 17/06/2004 02:53:11
Messages: 67
Location: UK
Offline

Hi JTD,

I know what you mean. I think some people come on here, don't read any posts, submit their own question and expect a dozen replies within 5 minutes. I don't mind spending a bit of time writing these things if it helps people.

What I can't get over is a) how easy it is to hack into guestbooks and b) the number of people who've done nothing about it.

All the best,

Trevor
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

Hey I know what you mean. I have spent hrs upon hrs fixing hacked guestbooks, only to come back the next day and find them hacked again. And as to people not doing a search on the forums, I have seen new posts and right under them an older post with the same question with the answer.

Anonymous



You know what's funny, I am reading this thread and I see "Trevor" which is my name, and "JTD" which are my initials "Joseph Trevor Duke" lol!
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

JTD stands for Jas and Tasha's Daddy.
