If you are not registered or logged in, you may still use these forums but with limited features. Show recent topics
  [Search] Search   [Hottest Topics] Hottest Topics   [Members]  Member Listing   [FAQ]  FAQ 
[Register] Register / 
[Login] Login 
Advanced Guestbook Fixes and Mods  XML
Forum Index » Support Forum
Author Message
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

*bump*
PandA.nl
Newbie

Joined: 19/01/2005 10:25:48
Messages: 4
Location: Netherlands
Offline

Great post amber222, thanks!!!

And what about:
http://www.securityfocus.com/bid/11798/exploit/
(or did you already mention it?)

There's fix/workaround there too.

I added (guestbook/index.php)
after
(2x) and it seems to work

but probably their fix is better (adding $entry = htmlspecialchars ($entry);) since I'm not a programmer

BTW: the exploit seems to work on both 2.2. and 2.3.1
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

PandA.nl wrote:

BTW: the exploit seems to work on both 2.2. and 2.3.1


The sql exploit ony works on 2.3.1 if you have a very outdated version of php.

LINK-> Use Lazarus Guestbook
[WWW] [Yahoo!] aim icon [MSN]
Anonymous



JTD wrote:The sql exploit ony works on 2.3.1 if you have a very outdated version of php.
That's not what I read, are you sure we're talking about the same thing?
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

the exploit works on Advanced guestbook 2.2 and 2.3, 2.3.1 was released to fix the exploit. It works on some copies of 2.3.1 because the webmasters have replaced the 2.3.1 session.inc.php file with the one from 2.2. It is also alledged that sometimes the addslashes function of older PHP versions fails.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
PandA.nl
Newbie

Joined: 19/01/2005 10:25:48
Messages: 4
Location: Netherlands
Offline

Aha, thanks for the explanation!

I noticed a strange thing though. I'm using version 2.3.1 i.c.w. PHP 4.3.10 on two guestbooks, HTML disabled, but several times visitors managed to enter url's (spamming type url's) into the messages they added.

This shouldn't be possible is it? I assume <a href="... should be disabled as all other html.

edit: BTW these guestbooks weren't upgraded, so no old files are being used. And, not sure if it's related in anyway but, trying the hack on those guestbooks, a popup appeared (before I added the strip_tags() to the $entry variable, after adding strip_tags() it didn't happen anymore).
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

AGcode, or as it is more commonly known BBcode, allows the posting of URL's by placing them between url tags as such

[url]http://somesite.com[/url]

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
PandA.nl
Newbie

Joined: 19/01/2005 10:25:48
Messages: 4
Location: Netherlands
Offline

I noticed, but it weren't [url]'s, but it really were html anchors like <a href="...

edit: oops, I suppose the [url]'s are translated to href's by the script of course. Sorry about that
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586
Offline

Carbonize, when I read this Security Focus bulletin, it sounds like it is talking about an entirely different exploit, not the one that was in 2.2. It says this exploit is found in 2.3.1, and the suggested patch is for the index.php file, not the session.class.php. But it also says the malicious user "could create a link", perhaps this threat does not exist if html is turned off? Even so, I think if it is really an exploit it should be patched even on those books where html is always turned off.

So, could you please take another look and clarify. It sounds like we also need to patch index.php.
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

basically the email you sent is saying that the contents of that particular field are not checked nor altered and so anything can be put in there. With a little HTML or possibly PHP knowledge they could do small things. Remember the field in question is limited to 40 characters.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

Ignore my above post. That so called exploit you sent to me is total crap. It does not exist. I have now emailed the person that submitted it explaining what a moron they are. the guestbook already checks the URL that is submitted using this statementWhich basically says if there is any html characters in the url such as <, > or & then it will not accept the url and removes it from the entry.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
PandA.nl
Newbie

Joined: 19/01/2005 10:25:48
Messages: 4
Location: Netherlands
Offline

Carbonize wrote:Which basically says if there is any html characters in the url such as <, > or & then it will not accept the url and removes it from the entry.


Maybe I don't understand what's happening, but before I did the strip_tags() this exploit:
http://www.example.com/index.php?entry=<script>alert(document.cookie)</script>
generated a popup and mysql error, and after I added the strip_tags the popup didn't show anymore (still get a mysql error message). So, allthough it might not be harmfull, it does not look like the html is removed!
Carbonize
Master
[Avatar]

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Offline

No the exploit exists. I have been in touch with the person that posted it and I was confusing the URL input with the actual URI. I think it was actually recently fixed in 2.3.1 but nothing was said as I noticed soem new lines when I downloaded it agan recently.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
[Email] [WWW] [Yahoo!] aim icon [MSN] [ICQ]
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

*BUMP*

LINK-> Use Lazarus Guestbook
[WWW] [Yahoo!] aim icon [MSN]
Anonymous



*BUMP*

Thank you all for everything

*BUMP*

 
Forum Index » Support Forum
Go to:   
Based on the open source JForum