Chi Kien Uong
Geranienstraße 30
71034 Böblingen
Deutschland / Germany
I am using Guestbook v2.2 on a LAMP server. Periodically I check it for new posts. Today (June 6, '04), the page displayed only the logo and the sign and admin links, and hung. When I checked the database tables, the data table was intact. However, the config table had been altered. The font_face field had been changed to end the font tag and write an iframe tag leading to another site, where the first action was an attempt to overwrite the browser's "home" setting. Although I have not been able to replicate the table alteration, I believe that the SECURITY HOLE is in the application's use of $_POST_VARS, and their not being validated. I have added a $_SESSION check - redirect, to my guestbook pages to limit its use to legitimate site visitors. I will next add a preg_replace() to validate the $_POST_VARS. Hope this helps!
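The two fixes the post points at, validating the posted value before it is stored and escaping it when the font tag is rendered, as an added example; this is not Guestbook v2.2 code, and the function names, the whitelist pattern and the constructed inputs are assumptions (PHP 7 or later).

```php
<?php
// Added example (not Guestbook v2.2 code): keep a stored font_face value
// from closing the <font> tag and injecting new markup such as an iframe.

// Validation on input: accept only plain font names (letters, digits,
// spaces, commas), so quotes, angle brackets and tag fragments are rejected
// before the config table is updated. The pattern is an assumption.
function validate_font_face(string $value): ?string {
    if (preg_match('/\A[A-Za-z0-9 ,]{1,64}\z/', $value) !== 1) {
        return null;  // reject; caller should keep the old setting
    }
    return $value;
}

// Escaping on output: even if a bad value reached the config table (for
// example through a path that bypassed validation), the browser sees it as
// attribute text, not as the end of the tag.
function render_font_tag(string $font_face, string $text): string {
    $safe_face = htmlspecialchars($font_face, ENT_QUOTES, 'UTF-8');
    $safe_text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return '<font face="' . $safe_face . '">' . $safe_text . '</font>';
}

// Constructed inputs: a legitimate value and one of the shape the post
// describes (closes the attribute and the tag, then opens an iframe).
$good = 'Arial, Helvetica';
$bad  = '"><iframe src="http://example.invalid/"></iframe><font face="';

var_dump(validate_font_face($good));   // accepted unchanged
var_dump(validate_font_face($bad));    // rejected (null)
echo render_font_tag($bad, 'Welcome'), "\n";  // quotes and brackets escaped
```

Storing the value only when validate_font_face() returns non-null, and always rendering through render_font_tag(), covers both the input and output sides; the $_SESSION admin check the post mentions belongs in front of the config update as well.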
Based on the open source JForum