Author |
Message |
25/09/2004 21:02:50
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Ok after reading some old old threads (from 2002) I decided to grab a copy of the 2.2 session.class.php file (thanks JTD). Anyway I think I have a quick fix for 2.2 users but need it to be tested.
THIS FIX HAS BEEN TESTED AND WORKS
Open your lib/session.class.php and locate
and replace it with
Cheers
UPDATE: You can now download a prepatched copy of the sessions.class.php file from www.carbonize.co.uk/AG
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
27/09/2004 21:47:00
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Another bump as I want someone with a live 2.2 installation to test it. Or am I going to end up emailing a site with a hacked guestbook with the fix?
|
|
28/09/2004 03:56:30
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
I think I have someplace for you to test it. Let me check, and I'll get back to you shortly.
|
|
28/09/2004 05:40:06
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
Okay. Do you want to do this yourself, or do you want me to do it?
|
|
28/09/2004 05:46:22
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
If you have access to the server then best you do it. It's a simple enough modification. Only problem I can see is if the real password actually contains quotes or certain other symbols.
|
|
28/09/2004 05:58:38
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
You can have access if you want it. This page is under construction, and nothing is critical there. It's one of my subdomains.
So, unless you ask me for access, I will go ahead. Just follow the instructions in your earlier post in this thread?
I was just thinking... (that could prove hazardous :lol) You are saying fixing the exploit has to do with the lib/session.class.php file. In the post noted below, some users with the admin loop after upgrading reverted back to the old lib/session.class.php file. Does this mean they are now vulnerable to the exploit?
http://proxy2.de/forum/viewtopic.php?t=1711&postdays=0&postorder=asc&start=15
|
|
28/09/2004 06:02:29
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
I'd say that yes, they are now vulnerable. I uploaded the 2.2 sessions.class.php file to my 2.3.1 installation while testing this fix and I was vulnerable to it. Best fix for the login loop appears to be www.carbonize.co.uk/install.zip. I just need to weed out the syntax bugs in it.
|
|
28/09/2004 06:03:06
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Oh and yes, the fix is as I posted in the first post.
|
|
28/09/2004 06:04:29
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
Okay. I'll try this now.
|
|
28/09/2004 06:15:48
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
The exploit no longer works!
Invalid username or password. Please try again.
|
|
28/09/2004 06:23:48
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Now the big test, can you actually log in?
As I said above it should work fine but I don't think it will work if the password contains quotes or certain other characters. But then who makes a password with quotes in it?
|
|
28/09/2004 06:28:04
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
No problem logging in. I think passwords should only be numbers and letters anyway.
|
|
29/09/2004 01:32:00
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
Yep! I tried some 2.3.1 guestbooks that I know went back to the old file because they couldn't get out of the admin loop. Now the exploit works on them.
|
|
29/09/2004 01:40:55
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Scary hey. I'll print out the 2.2 session.class.php and the 2.3.1 file to see if I can't find a simple fix tomorrow when again I will be sat here for 12 hours.
Or I may do it now if I still have the email with the 2.2 file in it.
|
|
29/09/2004 01:55:25
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
I guess I thought this was the "simple fix"? You mean there's more?
Too bad most of the people who did this logged in as guests with no email or web page reference. It appears they aren't interested in keeping up to date on the issues - only returning to the forum if they encounter a major disaster, and then not bothering to search for answers before posting. I'm sure they'll be back when they get hacked.
It would be good if we could get some stickies, like JTD mentioned in another post.
|
|
|