Guestbook 2.2 exploit fix

No the fix in the first post is the fix for the exploit. I was refering to the login loop problem. I think it is down to the entry type of the last_visit entry in the auth table of the database. It needs converting from TIMESTAMP to INT, or the other way round, can't remember right now.

Just checked my install file and it is indeed from TIMESTAMP to INT

Why don't you just protect the admin.php with an .htaccess file? It is the easiest fix. Anyone who cares enough to try to crack .htaccess can just have my guestbook for all I care.

Because not all hosts allow you to use .htaccess files. Also it can be annoying having to login twice.

trevorduke wrote:Why don't you just protect the admin.php with an .htaccess file? It is the easiest fix. Anyone who cares enough to try to crack .htaccess can just have my guestbook for all I care.

Well some of us have done alot of work to are guestbooks. And dont care to see them ruined.

Bumped cos this is important for anyone running Adv GB 2.2.

Maybe a stupid question but i cant fin lib/session.class.php, where do i find it?

Carbonize wrote:Ok after reading some old old threads ( from 2002 ) I decided to grab a copy of the 2.2 session.class.php file ( thanks JTD ). Anyway I think I have a quick fix for 2.2. users but need it to be tested.

THIS FIX HAS BEEN TESTED AND WORKS

Open your lib/session.class.php and locate if (get_magic_quotes_gpc()) { $username = stripslashes($username); $password = stripslashes($password);

and replace it with if (!get_magic_quotes_gpc()) { $username = addslashes($username); $password = addslashes($password);

Cheers

In your guestbook folder. In the guestbook folder should be a folder called lib and in that a file called sessions.class.php. That is unless your host supplied the script in which case god knows how much they have mangled it.

I found it now, it was me that have forget that its called forum on my server and not guestbook. Thank for the help.

Carbonize wrote:In your guestbook folder. In the guestbook folder should be a folder called lib and in that a file called sessions.class.php. That is unless your host supplied the script in which case god knows how much they have mangled it.

will you guys QUIT with the bumps already!

thats just annoying. so does advanced guestbook 2.3.1 (latest) have the "hacked by blabla" fix? because my Advanced Guestbook 2.2 did..

also a suggestion for future versions...
make the text color for the background different
then the textcolor used inside the guestbook.

some of us use a background OTHER THEN WHITE ya know

otherwise I like the default colors, I just don't like the
white background color, hurts my eyes terribly.
so I changed it to 1E3C00, which is a hunter green color,
but if I change the text color of the guestbook, it also
changes the color of the text outside the guestbook to the same color,
which is annoying as heck.

thanks

bubazoo wrote:will you guys QUIT with the bumps already!

thats just annoying. so does advanced guestbook 2.3.1 (latest) have the "hacked by blabla" fix? because my Advanced Guestbook 2.2 did..

also a suggestion for future versions...
make the text color for the background different
then the textcolor used inside the guestbook.

some of us use a background OTHER THEN WHITE ya know
otherwise I like the default colors, I just don't like the
white background color, hurts my eyes terribly.
so I changed it to 1E3C00, which is a hunter green color,
but if I change the text color of the guestbook, it also
changes the color of the text outside the guestbook to the same color,
which is annoying as heck.

thanks

#1 We will BUMP anything we want to. #2 If you dont like the way this guestbook is then by all means please go out and find another one and take your whining and bitching elsewhere.

bubazoo wrote:will you guys QUIT with the bumps already!

thats just annoying. so does advanced guestbook 2.3.1 (latest) have the "hacked by blabla" fix? because my Advanced Guestbook 2.2 did..

also a suggestion for future versions...
make the text color for the background different
then the textcolor used inside the guestbook.

some of us use a background OTHER THEN WHITE ya know
otherwise I like the default colors, I just don't like the
white background color, hurts my eyes terribly.
so I changed it to 1E3C00, which is a hunter green color,
but if I change the text color of the guestbook, it also
changes the color of the text outside the guestbook to the same color,
which is annoying as heck.

thanks

1 - We *bump* to keep the important threads near the top of the forums as there is no moderator to make them sticky.

2 - The exploit only existed in 2.2 and 2.3. 2.3.1 was released to fix it.

3 - The guestbook is fully customisable. If something cannot be changed via the styles section of the admin it can be changed by editing the templtes.

*BUMP*

Carbonize now replace my install.php with your file and can't enter in administration mode, realy enter but when I put a function (Easy Admin, config, etc.) the system asq my name and my password again :'(

Carbonize wrote:I'd say that yes they are now vulnerable. I uploaded the 2.2 sessions.class.php file to my 2.3.1 installation while testing this fix and I was vulnerable to it. Best fix for the login loop appars to be www.carbonize.co.uk/install.zip I just need to weed out the syntax bugs in it.

Carbonize explained this on page 2. Here it is in another post:

Admin Loop:
http://proxy2.de/forum/viewtopic.php?p=11334&highlight=#11334

I have a fix for the exploit to

upgrade to 2.3.1

holy crap, it works