Guestbook 2.2 exploit fix
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

No, the fix in the first post is the fix for the exploit. I was referring to the login loop problem. I think it is down to the entry type of the last_visit entry in the auth table of the database. It needs converting from TIMESTAMP to INT, or the other way round, can't remember right now.

Just checked my install file and it is indeed from TIMESTAMP to INT.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
Anonymous



Why don't you just protect the admin.php with an .htaccess file? It is the easiest fix. Anyone who cares enough to try to crack .htaccess can just have my guestbook for all I care.
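The .htaccess protection suggested in the post above, written out as an added example (not from the thread or the Advanced Guestbook project). It assumes Apache with AllowOverride AuthConfig permitted for the guestbook directory; the .htpasswd path is a placeholder.

```apache
# Added example (not from the thread): put a second login in front of
# admin.php only, leaving the public guestbook pages untouched.
# Place this .htaccess in the guestbook folder next to admin.php.
# Assumes Apache allows "AllowOverride AuthConfig" for this directory.
<Files "admin.php">
    AuthType Basic
    AuthName "Guestbook admin"
    # Placeholder path: keep the password file outside the document root
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user
</Files>

# Create the password file once, with a bcrypt hash (Apache 2.4+):
#   htpasswd -cB /path/outside/webroot/.htpasswd adminuser
```

This is a gate in front of the guestbook's own admin login, so it adds defence in depth but does not replace applying the session.class.php fix from the first post.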
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

Because not all hosts allow you to use .htaccess files. Also, it can be annoying having to log in twice.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas

trevorduke wrote:Why don't you just protect the admin.php with an .htaccess file? It is the easiest fix. Anyone who cares enough to try to crack .htaccess can just have my guestbook for all I care.


Well, some of us have done a lot of work on our guestbooks, and don't care to see them ruined.

LINK-> Use Lazarus Guestbook
Trevor
Student

Joined: 17/06/2004 02:53:11
Messages: 67
Location: UK

Bumped cos this is important for anyone running Adv GB 2.2.
testar81
Beginner

Joined: 22/10/2004 10:02:31
Messages: 38

Maybe a stupid question, but I can't find lib/session.class.php. Where do I find it?
Carbonize wrote: Ok, after reading some old old threads (from 2002) I decided to grab a copy of the 2.2 session.class.php file (thanks JTD). Anyway, I think I have a quick fix for 2.2 users but need it to be tested.

THIS FIX HAS BEEN TESTED AND WORKS

Open your lib/session.class.php and locate

and replace it with

Cheers

Nordiva.
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

In your guestbook folder. In the guestbook folder there should be a folder called lib, and in that a file called sessions.class.php. That is, unless your host supplied the script, in which case God knows how much they have mangled it.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
testar81
Beginner

Joined: 22/10/2004 10:02:31
Messages: 38

I found it now. It was me that had forgotten that it's called forum on my server and not guestbook. Thanks for the help.
Carbonize wrote: In your guestbook folder. In the guestbook folder there should be a folder called lib, and in that a file called sessions.class.php. That is, unless your host supplied the script, in which case God knows how much they have mangled it.

Nordiva.
Anonymous



Will you guys QUIT with the bumps already!

That's just annoying. So does Advanced Guestbook 2.3.1 (latest) have the "hacked by blabla" fix? Because my Advanced Guestbook 2.2 did..

Also a suggestion for future versions... make the text color for the background different than the text color used inside the guestbook.

Some of us use a background OTHER THAN WHITE ya know. Otherwise I like the default colors, I just don't like the white background color, hurts my eyes terribly. So I changed it to 1E3C00, which is a hunter green color, but if I change the text color of the guestbook, it also changes the color of the text outside the guestbook to the same color, which is annoying as heck.

thanks
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas
Offline

bubazoo wrote: Will you guys QUIT with the bumps already!

That's just annoying. So does Advanced Guestbook 2.3.1 (latest) have the "hacked by blabla" fix? Because my Advanced Guestbook 2.2 did..

Also a suggestion for future versions... make the text color for the background different than the text color used inside the guestbook.

Some of us use a background OTHER THAN WHITE ya know. Otherwise I like the default colors, I just don't like the white background color, hurts my eyes terribly. So I changed it to 1E3C00, which is a hunter green color, but if I change the text color of the guestbook, it also changes the color of the text outside the guestbook to the same color, which is annoying as heck.

thanks


#1 We will BUMP anything we want to. #2 If you don't like the way this guestbook is, then by all means please go out and find another one and take your whining and bitching elsewhere.

LINK-> Use Lazarus Guestbook
Carbonize
Master

Joined: 12/06/2003 19:26:08
Messages: 4292
Location: Bristol, UK

bubazoo wrote: Will you guys QUIT with the bumps already!

That's just annoying. So does Advanced Guestbook 2.3.1 (latest) have the "hacked by blabla" fix? Because my Advanced Guestbook 2.2 did..

Also a suggestion for future versions... make the text color for the background different than the text color used inside the guestbook.

Some of us use a background OTHER THAN WHITE ya know. Otherwise I like the default colors, I just don't like the white background color, hurts my eyes terribly. So I changed it to 1E3C00, which is a hunter green color, but if I change the text color of the guestbook, it also changes the color of the text outside the guestbook to the same color, which is annoying as heck.

thanks


1 - We *bump* to keep the important threads near the top of the forums as there is no moderator to make them sticky.

2 - The exploit only existed in 2.2 and 2.3. 2.3.1 was released to fix it.

3 - The guestbook is fully customisable. If something cannot be changed via the styles section of the admin, it can be changed by editing the templates.

Carbonize
I am not the maker of the Advanced Guestbook

get Lazarus
JTD
Graduate

Joined: 08/05/2004 21:52:50
Messages: 529
Location: Arkansas

*BUMP*

LINK-> Use Lazarus Guestbook
Anonymous



Carbonize, I have now replaced my install.php with your file and can't enter administration mode. Really, I do enter, but when I use a function (Easy Admin, config, etc.) the system asks for my name and my password again :'(

Carbonize wrote: I'd say that yes, they are now vulnerable. I uploaded the 2.2 sessions.class.php file to my 2.3.1 installation while testing this fix and I was vulnerable to it. Best fix for the login loop appears to be www.carbonize.co.uk/install.zip; I just need to weed out the syntax bugs in it.
amber222
Graduate

Joined: 07/05/2004 21:13:07
Messages: 586

Carbonize explained this on page 2. Here it is in another post:

Admin Loop:
http://proxy2.de/forum/viewtopic.php?p=11334&highlight=#11334
Anonymous



I have a fix for the exploit too:

upgrade to 2.3.1

holy crap, it works