LeeGoldsmith, posted April 27, 2005: Hi Everyone. This is the second time my guestbook (Advanced GB) has been hacked. I had a current backup of the SQL database and restored it, and the guestbook is fine now. But what I need to know is how I can stop this from happening on a regular basis. Any ideas are welcome, and thanks in advance. Lee
Head Guru, posted April 27, 2005: What guestbook and version are you using?
LeeGoldsmith (author), posted April 27, 2005: Bill, it is Advanced Guestbook 2.3.1. I had this problem about 3 or 4 months ago and needed to upgrade, and I did. Lee
Head Guru, posted April 27, 2005: I don't want to publish the hack for 2.3.1, but it's very easy to do. This version of Advanced Guestbook has been compromised as well. I sent you the link on the hack via PM. My only suggestion is to look for another guestbook with fewer compromises.
LeeGoldsmith (author), posted April 27, 2005: Thanks Bill. Got any GB to look at? Thanks again. Lee
TCH-Thomas, posted April 27, 2005: I would recommend VIPER Guestbook. I'm not sure if Adv. Guestbook can ban people, but Viper can, which seems to be needed in your case.
TCH-Don, posted April 27, 2005: And with Viper you can moderate the entries and add your own fields.
LeeGoldsmith (author), posted May 5, 2005: Question for Don. I think I will use Viper Guestbook. My question is this: in the install instructions it says to enter MySQL data in the install form. What is this data? Thanks for the help. I am not the most up-to-date person on SQL databases. Lee
TCH-Thomas, posted May 5, 2005: Movie tutorial on how to set up a database. Then I believe it's this info that Viper Guestbook wants you to enter:

Database name: yourcpanel_databasename
Username: yourcpanel_databasename
Password: your chosen password
TCH-Thomas, posted May 5, 2005: No problem. A tiny correction (for the record) though: by "yourcpanel" I meant "your cPanel username".
abinidi, posted May 5, 2005 (edited): And to clarify (I just learned this! Wow! I get to share!!), the "databasename" that Thomas talked about is a database that you specifically create for this application, following the instructions given in the tutorial link he added to this thread. Don't just type in "databasename", because it won't work. You have to create a database first and then replace "databasename" with the name of the database you created. Edited May 5, 2005 by abinidi
carbonize, posted May 7, 2005: Now if people would actually visit the official forums of the scripts they have problems with, they would find that there is a patch to the Advanced Guestbook 2.2 login exploit. The exploit only exists in 2.3.1 where a user has updated from 2.2 and kept the sessions.class.php file from 2.2 to fix a login loop, which I have since fixed. Did you lose any entries when they "hacked" your guestbook? I use the term hacked lightly, as they are just kiddies that found an exploit published on the net that was so simple they could actually use it.
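The situation carbonize describes, an upgraded install that still carries a file from the previous release, is something an administrator can detect without knowing the details of any particular exploit. The following is an added example (not code from this thread, from Advanced Guestbook or from Viper Guestbook): it hashes every file in a clean copy of a release to build a manifest, then audits a live install against that manifest and reports files that are missing, files whose contents differ from the release, and files the release never shipped. The directory layout, file names other than sessions.class.php, and file contents in `demo()` are constructed for the demonstration.

```python
"""Audit a web-app install against a manifest built from a clean release.

Added example, not part of the original thread. A file left over from an
older version (or edited in place) shows up as "unexpected" or "mismatched"
instead of silently surviving an upgrade.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads directories are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(tree_dir):
    """Map each relative file path under tree_dir to its SHA-256 hex digest."""
    tree_dir = Path(tree_dir)
    return {
        str(path.relative_to(tree_dir)).replace(os.sep, "/"): sha256_file(path)
        for path in sorted(tree_dir.rglob("*"))
        if path.is_file()
    }


def audit_install(install_dir, manifest):
    """Compare a live install to a release manifest.

    Returns (missing, mismatched, unexpected): paths the release ships but the
    install lacks, paths whose hash differs, and paths the release never had.
    """
    on_disk = build_manifest(install_dir)
    missing = sorted(p for p in manifest if p not in on_disk)
    mismatched = sorted(
        p for p in manifest if p in on_disk and on_disk[p] != manifest[p]
    )
    unexpected = sorted(p for p in on_disk if p not in manifest)
    return missing, mismatched, unexpected


def demo():
    """Constructed scenario: a clean release tree next to an upgraded install
    that kept an old sessions.class.php and one leftover helper file."""
    with tempfile.TemporaryDirectory() as tmp:
        release = Path(tmp, "release")
        install = Path(tmp, "install")
        for tree in (release, install):
            (tree / "lib").mkdir(parents=True)

        # Files shipped with the (constructed) new release.
        (release / "index.php").write_text("<?php // new index\n")
        (release / "lib" / "sessions.class.php").write_text("<?php // new sessions\n")

        # The install copied index.php correctly, but still has the old
        # sessions.class.php and a helper the new release no longer ships.
        (install / "index.php").write_text("<?php // new index\n")
        (install / "lib" / "sessions.class.php").write_text("<?php // old sessions\n")
        (install / "lib" / "old_helper.php").write_text("<?php // leftover\n")

        manifest = build_manifest(release)
        return audit_install(install, manifest)


if __name__ == "__main__":
    missing, mismatched, unexpected = demo()
    print("missing:", missing)
    print("mismatched:", mismatched)
    print("unexpected:", unexpected)
```

In practice the manifest is built once from an untouched download of the release and kept outside the web root; anything reported as mismatched or unexpected after an upgrade is either a deliberate local customisation or exactly the kind of stale file the thread warns about, and either way deserves a look before the site goes back online.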
borfast, posted May 7, 2005: Ah, but you see, forums are not the appropriate place to inform people about your software's vulnerabilities. If there's something serious to report, it should be on a page dedicated to it. Perhaps a news page, or an advisories page? Maybe even a low-volume mailing list people can subscribe to? I don't see any of this on Advanced Guestbook's site, so perhaps you should consider implementing them instead of expecting people to visit the forums to gain knowledge about the latest security flaws of your software.
carbonize, posted May 7, 2005: The vulnerability was reported over two years ago, when Advanced Guestbook 2.3.1 was released. The exploit exists in 2.2 and 2.3, hence 2.3.1 was released.