Author |
Message |
23/04/2004 14:12:41
|
Jam'n
Graduate
Joined: 07/01/2003 17:31:39
Messages: 166
Location: Netherlands
Offline
|
I found out that Advanced Guestbook 2.2 appears vulnerable to SQL Injection granting the attacker administrator access. The attack is very simple and consists of inputting a special password string leaving the username entry blank:
So I suggest you upgrade to the latest version.
|
Jam'n
------------------------------------------------
Only the man who's truly educated
understands that he knows very little...
------------------------------------------------ |
|
27/04/2004 20:01:33
|
xavior93
Newbie
Joined: 27/04/2004 19:54:25
Messages: 1
Location: United States
Offline
|
This guestbook is very hackable. Yesterday as a matter of fact, some guy in Poland hacked the guestbook which gave him the ability to change and remove files off my webserver. He was a persistent little bugger. He made my day very interesting. The guy's name is Andrzej Bilski <3tc69@wp.pl> from http://republika.pl. So just watch out, it'll make your day very interesting.
|
|
07/05/2004 21:05:00
|
fireman949
Newbie
Joined: 04/05/2004 18:03:02
Messages: 2
Offline
|
How exploitable is the latest version - 2.3.1?
|
|
10/05/2004 08:08:29
|
Jam'n
Graduate
Joined: 07/01/2003 17:31:39
Messages: 166
Location: Netherlands
Offline
|
No known exploits yet (as far as I know).
|
Jam'n
------------------------------------------------
Only the man who's truly educated
understands that he knows very little...
------------------------------------------------ |
|
09/07/2004 20:32:13
|
becki
Newbie
Joined: 09/07/2004 20:07:12
Messages: 4
Offline
|
hello,
hmh ... i'm not sure if the version 2.3.1 isn't open for the exploit with the empty username and the password ') OR ('a' = 'a
well ... i mean even http://proxy2.de/guestbook/admin.php is secured with a .htaccess file !! there must be a reason for it, isn't it ??
i could gain access on SOME guestbooks on the internet running the version 2.3.1 .... but this wasn't possible EVERY time ! sometimes the exploit just worked and other times it doesn't !! strange behaviour
anyway ... developed a security patch for this exploit a couple of days ago and just thought it might be worth posting here and let other people know about
sooo ...check out this link => http://www.beckspaced.com/gb_fix/index.php
hope this helps a bit
all the best
becki
|
|
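The blank-username login with the password string quoted in the post above, shown against a concatenated query and a parameterized one. This is an added example, not part of any post and not Advanced Guestbook's code: the `auth` table, the query shape, the `PASSWORD()` stand-in and the sample account are assumptions made for illustration.

```python
import hashlib
import sqlite3

# Password string quoted in the thread; it is used with a blank username.
THREAD_PASSWORD = "') OR ('a' = 'a"


def _hash(value):
    # Stand-in for a SQL PASSWORD() function (assumption; the guestbook's
    # real hashing is not shown on the page).
    return hashlib.sha256(value.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, _hash)
    conn.execute("CREATE TABLE auth (username TEXT, password TEXT)")
    # Constructed sample account.
    conn.execute("INSERT INTO auth VALUES (?, ?)",
                 ("admin", _hash("s3cret-sample")))
    return conn


def login_concatenated(conn, username, password):
    # Assumed query shape: input is pasted into the SQL text, so the quote
    # and parenthesis in the password become part of the statement.
    sql = ("SELECT username FROM auth WHERE username = '%s' "
           "AND password = PASSWORD('%s')" % (username, password))
    return conn.execute(sql).fetchone() is not None, sql


def login_parameterized(conn, username, password):
    # Input is bound as values, so the same characters stay plain data.
    sql = ("SELECT username FROM auth WHERE username = ? "
           "AND password = PASSWORD(?)")
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    accepted, statement = login_concatenated(db, "", THREAD_PASSWORD)
    print("concatenated :", accepted)
    print("  statement  :", statement)
    print("parameterized:", login_parameterized(db, "", THREAD_PASSWORD))
```

The printed statement shows the WHERE clause ending in `OR ('a' = 'a')`, which is true for every row. The bound version rejects the same input without any filtering of the password string.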
10/07/2004 01:40:15
|
JTD
Graduate
Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline
|
So what you are saying is just double password and login protect it. Correct??? Also does your patch work on version 2.2???
|
LINK-> Use Lazarus Guestbook |
|
10/07/2004 11:21:31
|
becki
Newbie
Joined: 09/07/2004 20:07:12
Messages: 4
Offline
|
so what am I trying to say ?? everything quite easy first go and read all the stuff written at http://www.beckspaced.com/gb_fix/index.php ! there's all the info you should need
then ... you don't need to double protect your guestbook ! just decide for which you want to go >
1.) protect via .htaccess file
2.) install the patch !
either one of those should work fine
about the version i'm not sure i just downloaded the latest version from http://proxy2.de and therefore i suppose it's version 2.3.1 !!
as i don't have any older version like 2.2 i don't recommend to install the patch on a 2.2 version ! better upgrade to 2.3.1 and then install the patch !
or pass me the old 2.2. version so i can have a look on how to secure this thing
hope this helps
becki
|
|
10/07/2004 14:30:21
|
Jam'n
Graduate
Joined: 07/01/2003 17:31:39
Messages: 166
Location: Netherlands
Offline
|
Seems the exploit was possible through a bug in the PHP version you use.
So if your hosting company has the latest version then the bug doesn't work.
|
Jam'n
------------------------------------------------
Only the man who's truly educated
understands that he knows very little...
------------------------------------------------ |
|
10/07/2004 17:46:42
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
I've just done a search on Google for "advanced guestbook 2.2" and every site I found I could log in on. Some had been hacked so I fixed them and I cleaned up the spam in others. I am running 2.3.1 on PHP 4.3.4 so I am safe as this seems to have fixed the magic quotes problem. I would highly recommend updating to 2.3.1 and hassling your webhost about updating their PHP version. In the meantime I suggest either protecting your admin.php with .htaccess as has been suggested or simply renaming it and removing the link to it from the guestbook. After all if they can't find it they can't exploit it.
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
10/07/2004 18:07:02
|
becki
Newbie
Joined: 09/07/2004 20:07:12
Messages: 4
Offline
|
well ... also went on a search on google.com a while ago and searched for guestbooks open for the exploit !
then i also found some version 2.3.1 guestbooks running PHP version up to 4.3.7 which were still open for the exploit !!!
also posted a bug report on http://bugs.php.net/bug.php?id=28906 but so far this report is still OPEN !! for weeks now
so .. protect your admin.php file with .htaccess file ..... or rename it ... not a good solution .... or install the patch which can be found at http://www.beckspaced.com/gb_fix/index.php
in the meantime .. have fun & enjoy life to its best
becki
|
|
10/07/2004 20:15:15
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
Hmmm I don't have a copy of 2.2 but I wonder if we couldn't put in a simple
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
10/07/2004 20:21:16
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
or more likely look for "') OR ('a' = 'a" in the supplied password or trim($password)
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
10/07/2004 21:14:46
|
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline
|
I have just set my guestbook up to post a nice message if anyone tries to use the exploit password; it also logs their details.
|
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus |
|
12/08/2004 04:16:05
|
Ktoadd
Newbie
Joined: 12/08/2004 04:14:20
Messages: 2
Offline
|
Hi guys, was reading through some of these hacking posts....
Mine was just hacked as well:
http://www.bluetongueskinks.net/guestbook
Someone told me to just go with dreambook... Or should I upgrade, and the problem will be solved? What would you guys suggest, I'm not even sure how to upgrade.
Thanks a lot for any help... I'm sure you get tired of the same questions... Sorry..
|
|
13/08/2004 09:29:13
|
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Offline
|
Trevor has supplied the info here:
http://proxy2.de/forum/viewtopic.php?t=3475
|
|
|