08/02/2005 14:59:49
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
DISABLE HTML IN POSTS TO PREVENT YOUR GUESTBOOK BEING DEFACED!
Advanced Guestbook 2.2 login exploit fix (also needed if you put your 2.2 session.class.php file into 2.3.1)
Open your lib/session.class.php and locate
and replace it with
You can also download this file pre patched from www.carbonize.co.uk/AG/
Possible useragent cross site scripting exploit
Open up lib/add.class.php. Find both occurrences of and replace them with
URI Cross Site Scripting Exploit
Open up index.php and find and add under it. This occurs twice in the file, so edit both. I don't believe this is the best fix and I also believe a better fix was implemented silently into 2.3.1 recently, but I need to check on that one.
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus
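An added example of the output-escaping pattern behind the user-agent and URI cross-site scripting fixes in the post above. This is not the Advanced Guestbook's code: the function names, the use of HTTP_USER_AGENT and PHP_SELF as the reflected values, and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not the Advanced Guestbook's code. Any request-derived value
// (the User-Agent header stored with an entry, the request path echoed into a
// form action) is HTML-escaped before it is written into the page.
// Function names, $_SERVER keys used and the sample data are assumptions.

declare(strict_types=1);

/** Escape a string for safe inclusion in HTML text or a double-quoted attribute. */
function html_escape(string $value): string
{
    // ENT_QUOTES covers both quote styles so the value is also safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Stored-entry field: the User-Agent is client-supplied, so it is escaped on output. */
function render_user_agent(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return '<span class="agent">' . html_escape($ua) . '</span>';
}

/** Form action: PHP_SELF reflects path data the visitor controls, so it is escaped too. */
function render_form_action(array $server): string
{
    $uri = $server['PHP_SELF'] ?? '/index.php';
    return '<form method="post" action="' . html_escape($uri) . '">';
}

// Constructed sample request carrying markup in both places (not real traffic).
$sample = [
    'HTTP_USER_AGENT' => 'Mozilla/5.0 <script>alert(1)</script>',
    'PHP_SELF'        => '/index.php/"><script>alert(1)</script>',
];

// html_escape turns < > " ' into entities, so the markup above is rendered as text.
echo render_user_agent($sample), "\n";
echo render_form_action($sample), "\n";
```

The point of applying the escape at output time rather than when the entry is saved is that a value already sitting in the database (an entry posted before the fix) is still rendered harmlessly.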
20/02/2005 04:19:25
Anonymous
Any solution for all the spambots? This guestbook is a oneclick install on the hosting server I use, so I have it on dozens of sites that I maintain, and all of them are getting spam entries regularly...
20/02/2005 04:27:07
Carbonize
Read this - http://proxy2.de/forum/viewtopic.php?t=4239 it's listed on there. Hopefully the copy supplied by your hosts hasn't been altered too much.
22/02/2005 16:49:08
Anonymous
URI Cross Site Scripting Exploit
Open up index.php and find and add under it. This occurs twice in the file, so edit both. I don't believe this is the best fix and I also believe a better fix was implemented silently into 2.3.1 recently, but I need to check on that one.
Implementing the fixes listed in this sticky post.
I could only find 1 entry for the above fix.
This is my index.php file with the fix entered. Will this be okay or have I got an index.php file that is not up to date or tampered with?
22/02/2005 17:13:44
Carbonize
It does actually appear twice. If you are using 2.3.1 and haven't altered the files I recommend downloading it again and replacing your files with the new ones as he has patched this exploit but forgot to mention it.
24/02/2005 21:20:57
Anonymous
Hi,
why isn't the download file corrected??
I have downloaded version 2.3.1 a few minutes ago and I had to make every change you describe here ....
Regards
24/02/2005 21:22:22
Anonymous
Or is the fix really only for 2.2 ??
Regards
24/02/2005 21:23:02
Carbonize
I should have been clearer. He has only patched the URI Cross Site Scripting Exploit.
24/02/2005 21:35:51
Anonymous
I mean the whole Guestbook ....
I made all three changes.
Is it ok ??
Regards
24/02/2005 21:38:30
Anonymous
For example:
in lib/session.class.php of 2.3.1 there is:
and not
Why not??
At the top of this thread you wrote that we only should change this when we use the old file from 2.2, but it is also in 2.3.1 ....
Regards
24/02/2005 21:45:17
Carbonize
Because in the top bit of code I can log in to your admin section using the 2.2 login exploit, whereas the bottom bit prevents this.
24/02/2005 21:58:01
Anonymous
Yes, I understand, but why isn't it fixed in the download section of 2.3.1??
Regards
24/02/2005 22:20:43
Carbonize
The script now adds the slashes in the checkPass function. Why they have not changed the version number I don't know. If you look at the 2.3.1 files now you can see that some of the files were modified on 3rd December 2004. This is one of the reasons that I restarted my update. I will send a copy of 2.3.2 to the webmaster when it is complete.
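An added example, not the guestbook's own code, of the checkPass change discussed in this reply and in the login exploit fix of the first post: the submitted password is escaped with addslashes before it is built into the SQL query, shown beside the unescaped form it replaces and a prepared-statement version that avoids string-building altogether. The table and column names (admin, username, password), the function names, the sample values and the in-memory SQLite database (which needs PHP's pdo_sqlite extension) are assumptions.

```php
<?php
// Added example, not the Advanced Guestbook's code. It contrasts three ways of
// checking a submitted admin password against the database. Table/column
// names, function names and the sample data are assumptions.

declare(strict_types=1);

// Weak pattern: the raw POST value is concatenated into the query text, so a
// quote character in the password changes the SQL instead of being compared as data.
function build_login_query_unescaped(string $user, string $pass): string
{
    return "SELECT * FROM admin WHERE username='$user' AND password='$pass'";
}

// The fix this thread describes: escape quotes and backslashes before concatenation,
// so the value stays inside its string literal.
function build_login_query_escaped(string $user, string $pass): string
{
    $user = addslashes($user);
    $pass = addslashes($pass);
    return "SELECT * FROM admin WHERE username='$user' AND password='$pass'";
}

// Preferred form: the query text is fixed and the values are bound separately,
// so no character in the input can alter the statement.
function check_pass(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM admin WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return (int) $stmt->fetchColumn() === 1;
}

// Constructed in-memory database with one admin account. The password is stored
// in plain text only to mirror the 2.x-era script being discussed; a real
// deployment stores a password hash and compares against that.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (username TEXT, password TEXT)');
$db->exec("INSERT INTO admin VALUES ('admin', 'correct horse')");

// A password containing a single quote shows the difference between the three forms.
$quoted = "pass'word";
echo build_login_query_unescaped('admin', $quoted), "\n"; // the quote ends the literal early
echo build_login_query_escaped('admin', $quoted), "\n";   // the quote is backslash-escaped

var_dump(check_pass($db, 'admin', 'correct horse')); // genuine credentials
var_dump(check_pass($db, 'admin', $quoted));         // compared as data, not as SQL
```

addslashes is the escaping the thread reports the script now applies; it is tied to the database's quoting rules and to the script's connection settings, which is why the prepared-statement form is the one to carry forward into a rewrite.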
03/03/2005 00:44:23
yonnermark
Beginner
Joined: 01/03/2005 00:47:29
Messages: 13
Offline
Do I need to do this if my current install is the 2.3.1 ?
Are all of these fixes for 2.2 or only the first fix in the first post of this thread?
thanks
mark
03/03/2005 00:53:31
Carbonize
This is where it gets confusing, because the webmaster updated the scripts but left it as 2.3.1. Anyway, if you downloaded 2.3.1 after Christmas then you only have to worry about the second one. If you downloaded it before then you need to do the second and third one, although I think I will rewrite the last one as the webmaster's method is better.