19/01/2005 04:24:36
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
*bump*
19/01/2005 10:42:30
PandA.nl
Newbie
Joined: 19/01/2005 10:25:48
Messages: 4
Location: Netherlands
Great post amber222, thanks!!!
And what about:
http://www.securityfocus.com/bid/11798/exploit/
(or did you already mention it?)
There's a fix/workaround there too.
I added (guestbook/index.php)
after
(2x) and it seems to work,
but probably their fix is better (adding $entry = htmlspecialchars ($entry);) since I'm not a programmer.
BTW: the exploit seems to work on both 2.2 and 2.3.1.
19/01/2005 11:52:27
JTD
Graduate
Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
PandA.nl wrote: BTW: the exploit seems to work on both 2.2 and 2.3.1
The SQL exploit only works on 2.3.1 if you have a very outdated version of PHP.
LINK-> Use Lazarus Guestbook
19/01/2005 16:36:21
Anonymous
JTD wrote: The SQL exploit only works on 2.3.1 if you have a very outdated version of PHP.
That's not what I read; are you sure we're talking about the same thing?
19/01/2005 20:24:00
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
The exploit works on Advanced Guestbook 2.2 and 2.3; 2.3.1 was released to fix the exploit. It works on some copies of 2.3.1 because the webmasters have replaced the 2.3.1 session.inc.php file with the one from 2.2. It is also alleged that sometimes the addslashes function of older PHP versions fails.
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus
21/01/2005 00:31:25
PandA.nl
Newbie
Joined: 19/01/2005 10:25:48
Messages: 4
Location: Netherlands
Aha, thanks for the explanation!
I noticed a strange thing though. I'm using version 2.3.1 in combination with PHP 4.3.10 on two guestbooks, HTML disabled, but several times visitors managed to enter URLs (spam-type URLs) into the messages they added.
This shouldn't be possible, should it? I assume <a href="... should be disabled like all other HTML.
edit: BTW these guestbooks weren't upgraded, so no old files are being used. And, not sure if it's related in any way, but trying the hack on those guestbooks, a popup appeared (before I added the strip_tags() to the $entry variable; after adding strip_tags() it didn't happen anymore).
21/01/2005 00:34:51
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
AGcode, or as it is more commonly known BBcode, allows the posting of URLs by placing them between url tags like so:
[url]http://somesite.com[/url]
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus
21/01/2005 00:40:21
PandA.nl
Newbie
Joined: 19/01/2005 10:25:48
Messages: 4
Location: Netherlands
I noticed, but they weren't [url]s, they really were HTML anchors like <a href="...
edit: oops, I suppose the [url]s are translated to hrefs by the script of course. Sorry about that.
21/01/2005 07:00:43
amber222
Graduate
Joined: 07/05/2004 21:13:07
Messages: 586
Carbonize, when I read this Security Focus bulletin, it sounds like it is talking about an entirely different exploit, not the one that was in 2.2. It says this exploit is found in 2.3.1, and the suggested patch is for the index.php file, not session.class.php. But it also says the malicious user "could create a link"; perhaps this threat does not exist if HTML is turned off? Even so, I think if it is really an exploit it should be patched even on those books where HTML is always turned off.
So, could you please take another look and clarify? It sounds like we also need to patch index.php.
21/01/2005 14:22:43
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Basically the email you sent is saying that the contents of that particular field are not checked nor altered, and so anything can be put in there. With a little HTML or possibly PHP knowledge they could do small things. Remember the field in question is limited to 40 characters.
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus
22/01/2005 14:47:10
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
Ignore my above post. That so-called exploit you sent to me is total crap. It does not exist. I have now emailed the person that submitted it explaining what a moron they are. The guestbook already checks the URL that is submitted using this statement, which basically says if there are any HTML characters in the URL such as <, > or & then it will not accept the URL and removes it from the entry.
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus
23/01/2005 10:58:43
PandA.nl
Newbie
Joined: 19/01/2005 10:25:48
Messages: 4
Location: Netherlands
Carbonize wrote: Which basically says if there are any HTML characters in the URL such as <, > or & then it will not accept the URL and removes it from the entry.
Maybe I don't understand what's happening, but before I did the strip_tags() this exploit:
http://www.example.com/index.php?entry=<script>alert(document.cookie)</script>
generated a popup and a MySQL error, and after I added the strip_tags the popup didn't show anymore (I still get a MySQL error message). So, although it might not be harmful, it does not look like the HTML is removed!
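An added example (not the Advanced Guestbook's own code) that models the index.php?entry=... handling discussed in this post and in PandA.nl's earlier post, comparing the raw output, the strip_tags() workaround and the htmlspecialchars() fix from the bulletin. The function names, the sample inputs and the assumption that entry is a numeric row id (which the MySQL error suggests) are mine, not the guestbook's.

```php
<?php
// Added example, not the guestbook's code: models a value taken straight from
// the query string (index.php?entry=...) being written into the page, and
// compares the fixes discussed in the thread. Function names are hypothetical.

// Constructed sample inputs; the second one is the payload from the thread.
$samples = [
    'plain id'        => '42',
    'script tag'      => '<script>alert(document.cookie)</script>',
    'attribute break' => '" onmouseover="alert(1)',   // contains no tag at all
];

// The vulnerable pattern: the raw value lands inside an attribute and in text.
function render_unsafe(string $entry): string {
    return '<a href="index.php?entry=' . $entry . '">' . $entry . '</a>';
}

// strip_tags() removes complete tags only: the popup from the thread goes
// away, but a value that never opens a tag passes through untouched and can
// still break out of the href attribute.
function render_strip_tags(string $entry): string {
    $entry = strip_tags($entry);
    return '<a href="index.php?entry=' . $entry . '">' . $entry . '</a>';
}

// htmlspecialchars() with ENT_QUOTES encodes <, >, &, " and ', so the value
// can neither start a tag nor close the attribute it sits in.
function render_escaped(string $entry): string {
    $entry = htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
    return '<a href="index.php?entry=' . $entry . '">' . $entry . '</a>';
}

// Assumption: entry is a numeric row id, as the MySQL error in the thread
// suggests. Validating the type rejects every non-numeric value outright,
// which also avoids the database error.
function render_validated(string $entry): ?string {
    if (!ctype_digit($entry)) {
        return null;   // a real handler would answer with an error page
    }
    $id = (int) $entry;
    return '<a href="index.php?entry=' . $id . '">' . $id . '</a>';
}

foreach ($samples as $label => $value) {
    echo "== $label ==\n";
    echo "unsafe:     " . render_unsafe($value) . "\n";
    echo "strip_tags: " . render_strip_tags($value) . "\n";
    echo "escaped:    " . render_escaped($value) . "\n";
    echo "validated:  " . (render_validated($value) ?? '(rejected)') . "\n\n";
}
```

Run it with the PHP CLI and compare the three lines per sample: only the escaped and validated forms keep every input inside the attribute.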
23/01/2005 15:33:22
Carbonize
Master
Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK
No, the exploit exists. I have been in touch with the person that posted it and I was confusing the URL input with the actual URI. I think it was actually recently fixed in 2.3.1 but nothing was said, as I noticed some new lines when I downloaded it again recently.
Carbonize
I am not the maker of the Advanced Guestbook
get Lazarus
25/01/2005 02:31:17
JTD
Graduate
Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
*BUMP*
LINK-> Use Lazarus Guestbook
30/01/2005 19:43:02
Anonymous
*BUMP*
Thank you all for everything
*BUMP*