Author |
Message |
31/10/2004 09:17:53
|
Anonymous
|
The following code was submitted to my guestbook (version 2.3.1) which allowed a hacker to take over the index.php page:
r00t_System
<div id=\"post\" style=\"position: absolute; top: 0; left: 0; width: 1024; height: 2500; z-index: 1; overflow: auto\"> <table border=\"0\" width=\"100%\" bgcolor=\"#000000\" height=\"100%\" cellspacing=\"5\" cellpadding=\"5\" valign=\"top\"><tr><td width=\"100%\" valign=\"top\">
<font style=\"color: #ffffff\"> r00t_System ownz here by M<u>aMa </u><br><br> #rsy - irc.gigachat.net - olinuxbrasil@bol.com.br<br><img src=\"http://www.regionofdoomforum.com/Upload/userfiles/r00t/r00t.jpg\" border=0\">
<br>admin attention on configuration!</font></td></tr></table></div>
When I looked at the source code on that particular page, I saw the following code:
<a href="admin.php?action=edit&tbl=gb&id=164&record=123&session=7fcc9a9fbecadc97ff8cb1ef8fb88d1b&uid=1">edit</a><br>
<a href="admin.php?action=del&tbl=gb&id=164&session=7fcc9a9fbecadc97ff8cb1ef8fb88d1b&uid=1">delete</a>
Is there a fix for this? I was able to regain the page through the php control panel but I'd rather not have to do that again.
Please reply to kenroar at yahoo.com
|
|
31/10/2004 09:36:40
|
Anonymous
|
I found another sample of this hack at http://www.stadiumguide.com/guestbook/
Apparently this individual is searching out all html enabled guestbooks with version 2.3.1
|
|
31/10/2004 10:36:01
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
Some hackers search these forums, so it's not a good idea to put the actual code here.
Also, if you have an account, you can edit a post, but I don't think guests can do that.
The Admin does not monitor this site, so I don't think there is any way to delete it.
With that comment the hacker left, "admin attention on configuration", it sounds like
they are warning you to make sure you disable html.
|
|
02/11/2004 01:42:14
|
Anonymous
|
What I really want to know is how they did it. If I know how they did it, I can take precautions. I have not given any write permissions on my templates. Somehow they were able to hijack the page, possibly using html coding in the message box.
If you do a search on r00t_System you will find hundreds of websites this guy has hacked. He has nothing better to do with his time, I guess.
|
|
02/11/2004 01:52:52
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
Well, I'm thinking it is because html was enabled. They sent the code in a post.
Carbonize is looking into this to see if that's the case. I assume when he knows for sure he'll let us know.
In the meantime, I would urge everyone to turn off html.
|
|
02/11/2004 11:50:09
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Yup, if you allow HTML the guestbook allows ALL HTML.
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
02/11/2004 19:11:01
|
Auron
Expert
Joined: 23/06/2003 22:02:17
Messages: 1053
Offline
|
Carbonize wrote: Yup, if you allow HTML the guestbook allows ALL HTML.
To reiterate, it's not like phpBB, which blocks ALL HTML tags
and allows only certain ones that you specify.
Auron
|
Visit my site @ www.ragnaru.com
Adv. Poll Install Guide NOW BACK ONLINE! (And also rather out of date I would have thought) |
|
02/11/2004 19:13:39
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Yup, so can I be bothered writing code to only allow certain HTML, or do I remove all HTML functionality from the update I am making?
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
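A whitelist filter of the kind Auron describes, as an added example that is neither the Advanced Guestbook's own code nor Carbonize's update. The function name, the allowed-tag list and the sample entry are assumptions made for this illustration:

```php
<?php
// Added example (not Advanced Guestbook code): a whitelist filter for guestbook
// entries. Everything the visitor typed is escaped first, then only a fixed set
// of bare, attribute-free tags is re-enabled. Tag list and names are hypothetical.

const ALLOWED_TAGS = ['b', 'i', 'u', 'br'];
const VOID_TAGS    = ['br'];   // tags that take no closing tag

function sanitize_entry(string $input): string
{
    // 1. Neutralise every tag, attribute and entity in the submitted text.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Re-enable only the escaped forms "&lt;b&gt;" / "&lt;/b&gt;" of each
    //    allowed tag. A tag carrying attributes (style=, onmouseover=, ...)
    //    does not match the pattern, so it stays as visible text.
    foreach (ALLOWED_TAGS as $tag) {
        $pattern = '/&lt;(\/?)' . preg_quote($tag, '/') . '\s*\/?&gt;/i';
        $safe = preg_replace($pattern, '<$1' . $tag . '>', $safe);
    }

    // 3. Close any allowed tag left open so one entry cannot bleed formatting
    //    into the rest of the page. Surplus closing tags are harmless to
    //    browsers, so only missing ones are added.
    foreach (array_diff(ALLOWED_TAGS, VOID_TAGS) as $tag) {
        $open  = substr_count($safe, "<$tag>");
        $close = substr_count($safe, "</$tag>");
        if ($open > $close) {
            $safe .= str_repeat("</$tag>", $open - $close);
        }
    }
    return $safe;
}

// Constructed sample entry: harmless formatting, an absolutely positioned
// overlay like the one in this thread, an event handler, and an unclosed <i>.
$sample = '<b>Nice site</b> <div style="position: absolute; top: 0">ownz</div>'
        . ' <b onmouseover="alert(1)">hi</b> <i>unclosed<br/>';

echo sanitize_entry($sample), PHP_EOL;
```

In the sample, only the bare `<b>`, `<i>` and `<br>` tags come back as markup; the positioned `<div>` and the `<b>` with an event handler remain escaped and show up as literal text in the entry, and a closing `</i>` is appended.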
03/11/2004 01:06:38
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
I think we should forget about html.
|