Patch for new exploit

[Carbonize]

Ok firstly let me just say that a recently posted "exploit" on Security Focus claiming that peole could exploit the guestbook using the homepage field is incorrect as the guestbook already checks the submitted url.

Anyway whilst disproving this exploit I realised there is an exploit that would require only minor knowledge to perform so I am submitting this patch before anyone else publicises the exploit.

Open up lib/add.class.php. Find oth occurences of

[Carbonize]

pre-emptive *bump*
_________________
Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus

[JTD]

Applied patch guestbook working fine. Another good job by carbonize.
_________________
LINK-> Use Lazarus Guestbook

[Guest]

Thanks Carbonize - patch inserted - so far, works fine.

I'll let you know if I experience any problems with it.

[Carbonize]

Well this is a 0 day exploit meaning that it has not been published anywhere else yet to my knowledge. It's not the easiest exploit to actually pull off but better safe than sorry.
_________________
Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus

[Auron]

*bump*
_________________
Visit my site @ www.ragnaru.com
Adv. Poll Install Guide NOW BACK ONLINE! (And also rather out of date I would of thought)

[Carbonize]

OK I misread the exploit posted on the security focus site. With the discovery of these two exploits I am going to have to bring forward the release of Advanced Guestbook 2.4. It will not be that major an update but will patch several exploits, add Yahoo & MSN fields, add a third option to gender and some other midnor differences.
_________________
Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus

[amber222]

*bump*

[Guest]

applyed patch now looking forward the the update 2.4