https://proxy2.de/forum/posts/list/3.php JForum - http://www.jforum.net
[color="red"][b]THIS FIX HAS BEEN TESTED AND WORKS[/b][/color]

Open your [b]lib/session.class.php[/b] and locate [code]if (get_magic_quotes_gpc()) {
$username = stripslashes($username);
$password = stripslashes($password);[/code]

and replace it with [code]if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);[/code]

Cheers :D

[b]UPDATE:[/b] You can now download a prepatched copy of the sessions.class.php file from www.carbonize.co.uk/AG]]> https://proxy2.de/forum/posts/preList/3650/10613.php https://proxy2.de/forum/posts/preList/3650/10613.php GMT https://proxy2.de/forum/posts/preList/3650/10658.php https://proxy2.de/forum/posts/preList/3650/10658.php GMT https://proxy2.de/forum/posts/preList/3650/10660.php https://proxy2.de/forum/posts/preList/3650/10660.php GMT https://proxy2.de/forum/posts/preList/3650/10661.php https://proxy2.de/forum/posts/preList/3650/10661.php GMT https://proxy2.de/forum/posts/preList/3650/10662.php https://proxy2.de/forum/posts/preList/3650/10662.php GMT
So, unless you ask me for access, I will go ahead. Just follow the instructions in your earlier post in this thread?

I was just thinking... (that could prove hazardous :lol You are saying fixing the exploit has to do with the lib/session.class.php file. In the post noted below, some users with the admin loop after upgrading, reverted back to the old lib/session.class.php file. Does this mean they are now vulnerable to the exploit?

http://proxy2.de/forum/viewtopic.php?t=1711&postdays=0&postorder=asc&start=15]]> https://proxy2.de/forum/posts/preList/3650/10663.php https://proxy2.de/forum/posts/preList/3650/10663.php GMT https://proxy2.de/forum/posts/preList/3650/10664.php https://proxy2.de/forum/posts/preList/3650/10664.php GMT https://proxy2.de/forum/posts/preList/3650/10665.php https://proxy2.de/forum/posts/preList/3650/10665.php GMT https://proxy2.de/forum/posts/preList/3650/10666.php https://proxy2.de/forum/posts/preList/3650/10666.php GMT
Invalid username or password. Please try again.

]]> https://proxy2.de/forum/posts/preList/3650/10667.php https://proxy2.de/forum/posts/preList/3650/10667.php GMT

As I said above it should work fine but I don't think it will work if the password contains quotes or certain other characters. But then who makes a password with quotes in it ?]]> https://proxy2.de/forum/posts/preList/3650/10668.php https://proxy2.de/forum/posts/preList/3650/10668.php GMT https://proxy2.de/forum/posts/preList/3650/10669.php https://proxy2.de/forum/posts/preList/3650/10669.php GMT https://proxy2.de/forum/posts/preList/3650/10688.php https://proxy2.de/forum/posts/preList/3650/10688.php GMT
Or I may do it now if I stil have the email with the 2.2 file in it.]]> https://proxy2.de/forum/posts/preList/3650/10689.php https://proxy2.de/forum/posts/preList/3650/10689.php GMT
Too bad most of the people who did this logged in as guests with no email or web page reference. It appears they aren't interested in keeping up to date on the issues - only returning to the forum if they encounter a major disaster, and then not bothering to search for answers before posting. I'm sure they'll be back when they get hacked.

It would be good if we could get some stickies, like JTD mentioned in another post.]]> https://proxy2.de/forum/posts/preList/3650/10690.php https://proxy2.de/forum/posts/preList/3650/10690.php GMT
Just checked my install file and it is indeed from TIMESTAMP to INT
[code]$sqlquery[]= "ALTER TABLE $GB_TBL[auth] ADD last_visit_tmp int(11) NOT NULL";

$sqlquery[]= "UPDATE $GB_TBL[auth] SET last_visit_tmp=UNIX_TIMESTAMP(last_visit)";

$sqlquery[]= "ALTER TABLE $GB_TBL[auth] DROP last_visit";

$sqlquery[]= "ALTER TABLE $GB_TBL[auth] CHANGE last_visit_tmp last_visit INT(11) NOT NULL";[/code]]]> https://proxy2.de/forum/posts/preList/3650/10691.php https://proxy2.de/forum/posts/preList/3650/10691.php GMT https://proxy2.de/forum/posts/preList/3650/10693.php https://proxy2.de/forum/posts/preList/3650/10693.php GMT https://proxy2.de/forum/posts/preList/3650/10720.php https://proxy2.de/forum/posts/preList/3650/10720.php GMT
Well some of us have done alot of work to are guestbooks. And dont care to see them ruined.]]> https://proxy2.de/forum/posts/preList/3650/10746.php https://proxy2.de/forum/posts/preList/3650/10746.php GMT https://proxy2.de/forum/posts/preList/3650/10824.php https://proxy2.de/forum/posts/preList/3650/10824.php GMT [quote="Carbonize"]Ok after reading some old old threads ( from 2002 ) I decided to grab a copy of the 2.2 session.class.php file ( thanks JTD ). Anyway I think I have a quick fix for 2.2. users but need it to be tested.

[color="red"][b]THIS FIX HAS BEEN TESTED AND WORKS[/b][/color]

Open your [b]lib/session.class.php[/b] and locate [code]if (get_magic_quotes_gpc()) {
$username = stripslashes($username);
$password = stripslashes($password);[/code]

and replace it with [code]if (!get_magic_quotes_gpc()) {
$username = addslashes($username);
$password = addslashes($password);[/code]

Cheers :D[/quote]]]> https://proxy2.de/forum/posts/preList/3650/11542.php https://proxy2.de/forum/posts/preList/3650/11542.php GMT https://proxy2.de/forum/posts/preList/3650/11543.php https://proxy2.de/forum/posts/preList/3650/11543.php GMT [quote="Carbonize"]In your guestbook folder. In the guestbook folder should be a folder called lib and in that a file called sessions.class.php. That is unless your host supplied the script in which case god knows how much they have mangled it.[/quote]]]> https://proxy2.de/forum/posts/preList/3650/11544.php https://proxy2.de/forum/posts/preList/3650/11544.php GMT
thats just annoying. so does advanced guestbook 2.3.1 (latest) have the "hacked by blabla" fix? because my Advanced Guestbook 2.2 did..

also a suggestion for future versions...
make the text color for the background different
then the textcolor used inside the guestbook.

some of us use a background OTHER THEN WHITE ya know
otherwise I like the default colors, I just don't like the
white background color, hurts my eyes terribly.
so I changed it to 1E3C00, which is a hunter green color,
but if I change the text color of the guestbook, it also
changes the color of the text outside the guestbook to the same color,
which is annoying as heck.

thanks]]> https://proxy2.de/forum/posts/preList/3650/11559.php https://proxy2.de/forum/posts/preList/3650/11559.php GMT
thats just annoying. so does advanced guestbook 2.3.1 (latest) have the "hacked by blabla" fix? because my Advanced Guestbook 2.2 did..

also a suggestion for future versions...
make the text color for the background different
then the textcolor used inside the guestbook.

some of us use a background OTHER THEN WHITE ya know
otherwise I like the default colors, I just don't like the
white background color, hurts my eyes terribly.
so I changed it to 1E3C00, which is a hunter green color,
but if I change the text color of the guestbook, it also
changes the color of the text outside the guestbook to the same color,
which is annoying as heck.

thanks[/quote]

#1 We will [size="24"][b]BUMP[/b][/size] anything we want to. #2 If you dont like the way this guestbook is then by all means please go out and find another one and take your whining and bitching elsewhere.]]> https://proxy2.de/forum/posts/preList/3650/11561.php https://proxy2.de/forum/posts/preList/3650/11561.php GMT
thats just annoying. so does advanced guestbook 2.3.1 (latest) have the "hacked by blabla" fix? because my Advanced Guestbook 2.2 did..

also a suggestion for future versions...
make the text color for the background different
then the textcolor used inside the guestbook.

some of us use a background OTHER THEN WHITE ya know
otherwise I like the default colors, I just don't like the
white background color, hurts my eyes terribly.
so I changed it to 1E3C00, which is a hunter green color,
but if I change the text color of the guestbook, it also
changes the color of the text outside the guestbook to the same color,
which is annoying as heck.

thanks[/quote]

1 - We *bump* to keep the important threads near the top of the forums as there is no moderator to make them sticky.

2 - The exploit only existed in 2.2 and 2.3. 2.3.1 was released to fix it.

3 - The guestbook is fully customisable. If something cannot be changed via the styles section of the admin it can be changed by editing the templtes.]]> https://proxy2.de/forum/posts/preList/3650/11562.php https://proxy2.de/forum/posts/preList/3650/11562.php GMT ]]> https://proxy2.de/forum/posts/preList/3650/11563.php https://proxy2.de/forum/posts/preList/3650/11563.php GMT
[quote="Carbonize"]I'd say that yes they are now vulnerable. I uploaded the 2.2 sessions.class.php file to my 2.3.1 installation while testing this fix and I was vulnerable to it. Best fix for the login loop appars to be www.carbonize.co.uk/install.zip I just need to weed out the syntax bugs in it.[/quote]]]> https://proxy2.de/forum/posts/preList/3650/12023.php https://proxy2.de/forum/posts/preList/3650/12023.php GMT
Admin Loop:
http://proxy2.de/forum/viewtopic.php?p=11334&highlight=#11334]]> https://proxy2.de/forum/posts/preList/3650/12025.php https://proxy2.de/forum/posts/preList/3650/12025.php GMT

upgrade to 2.3.1

holy crap, it works]]> https://proxy2.de/forum/posts/preList/3650/12601.php https://proxy2.de/forum/posts/preList/3650/12601.php GMT

upgrade to 2.3.1

holy crap, it works[/quote]
it also creates an admin login loop unless you change the field type of one of the SQL fields. For most people there is no need to updat as 2.2 has all the features they want.]]> https://proxy2.de/forum/posts/preList/3650/12602.php https://proxy2.de/forum/posts/preList/3650/12602.php GMT ]]> https://proxy2.de/forum/posts/preList/3650/12876.php https://proxy2.de/forum/posts/preList/3650/12876.php GMT Thanks.]]> https://proxy2.de/forum/posts/preList/3650/13938.php https://proxy2.de/forum/posts/preList/3650/13938.php GMT https://proxy2.de/forum/posts/preList/3650/13941.php https://proxy2.de/forum/posts/preList/3650/13941.php GMT https://proxy2.de/forum/posts/preList/3650/14501.php https://proxy2.de/forum/posts/preList/3650/14501.php GMT

upgrade to 2.3.1

holy crap, it works[/quote]
it also creates an admin login loop unless you change the field type of one of the SQL fields. For most people there is no need to updat as 2.2 has all the features they want.[/quote]

Just wanted to know if this is still the recommended action? ie: am using 2.2 and have applied the fixes recommended in the sticky posts so is staying with this version still okay?]]> https://proxy2.de/forum/posts/preList/3650/14505.php https://proxy2.de/forum/posts/preList/3650/14505.php GMT https://proxy2.de/forum/posts/preList/3650/14506.php https://proxy2.de/forum/posts/preList/3650/14506.php GMT