If you are not registered or logged in, you may still use these forums but with limited features. Show recent topics
  [Search] Search   [Hottest Topics] Hottest Topics   [Members]  Member Listing   [FAQ]  FAQ 
[Register] Register / 
[Login] Login 
Patch for new exploit  XML
Forum Index » Support Forum
Author Message
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

Ok firstly let me just say that a recently posted "exploit" on Security Focus claiming that peole could exploit the guestbook using the homepage field is incorrect as the guestbook already checks the submitted url.

Anyway whilst disproving this exploit I realised there is an exploit that would require only minor knowledge to perform so I am submitting this patch before anyone else publicises the exploit.

Open up lib/add.class.php. Find oth occurences ofand replace them withNow you are patched.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

pre-emptive *bump*

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

Applied patch guestbook working fine. Another good job by carbonize.

LINK-> Use Lazarus Guestbook
[WWW] [Yahoo!] aim icon [MSN]
Anonymous



Thanks Carbonize - patch inserted - so far, works fine.

I'll let you know if I experience any problems with it.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

Well this is a 0 day exploit meaning that it has not been published anywhere else yet to my knowledge. It's not the easiest exploit to actually pull off but better safe than sorry.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Auron
Expert
[Avatar]

Joined: 23/06/2003 22:02:17
Messages: 1053
Offline

*bump*

Visit my site @ www.ragnaru.com
Adv. Poll Install Guide NOW BACK ONLINE! (And also rather out of date I would of thought)
[Email] [WWW]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4291
Location: Bristol, UK
Offline

OK I misread the exploit posted on the security focus site. With the discovery of these two exploits I am going to have to bring forward the release of Advanced Guestbook 2.4. It will not be that major an update but will patch several exploits, add Yahoo & MSN fields, add a third option to gender and some other midnor differences.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

*bump*
Anonymous



applyed patch now looking forward the the update 2.4
 
Forum Index » Support Forum
Go to:   
Based on the open source JForum