Jump to content

Advisory: Advanced Guestbook Vulnerability


Recommended Posts

Advanced Guestbook v2.2, the version available in cPanel, has a vulnerability that allows anyone to gain admin access to your guestbook. Since admin access also allows the ability to modify all of the php templates the guestbook uses, I strongly recommend upgrading or removing Advanced Guestbook from your account.

 

If you have it installed, but are not using it, simply delete the directory you installed it in and delete the MySQL database.

 

If you are using it, you can get the new version from http://proxy2.de/scripts.php. However, the permissions on the author's download when extracted will not allow the web server to read the files, so I have repackaged it and attached it to this post.

 

To upgrade:

(Notes: This will overwite any template changes you have done. Also, I can't guarantee these instructions will work for all users. Proceed with caution.)

  • Go to your cPanel backup screen and select to download your guestbook database (this is a backup, just to be safe).
  • In your current guestbook directory, open the file admin/config.inc.php. Write down or copy the database settings (you will need them later). The lines you need look like:
    >$GB_DB["dbName"] = "account_agbook1";
    $GB_DB["host"]   = "localhost";
    $GB_DB["user"]   = "account_agbook1";
    $GB_DB["pass"]   = "4fSurhKJzW";


  • Upload the attached file (tch-gbookphp.tar.gz) to your guestbook directory.
  • Using cPanel File Manager, extract the contents of tch-gbookphp.tar.gz.
  • In cPanel File Manager, edit the file admin/config.inc.php and change the Database Settings to what you copied from your old config (the 4 lines you copied down above) and save.
  • Go to phpmyadmin in cPanel. Select Databases. Select the appropriate database (should match the dbName above). Click on the SQL tab. Copy and paste the following SQL query into the query window and select Go. You should get a response back that says "Your SQL-query has been executed successfully".
    >CREATE TABLE book_pics ( 
      msg_id int(11) NOT NULL default '0', 
      book_id int(11) NOT NULL default '0', 
      p_filename varchar(100) NOT NULL default '', 
      p_size int(11) unsigned NOT NULL default '0', 
      width int(11) unsigned NOT NULL default '0', 
      height int(11) unsigned NOT NULL default '0', 
      KEY msg_id (msg_id), 
      KEY book_id (book_id) 
    ) TYPE=MyISAM; 
    
    ALTER TABLE `book_config` ADD `thumbnail` SMALLINT(1) NOT NULL, ADD `thumb_min_fsize` INT(10) NOT NULL;
    
    ALTER TABLE `book_auth` CHANGE `LAST_VISIT` `last_visit` int(11) NOT NULL DEFAULT '0'; 
    ALTER TABLE `book_data` DROP `image`; 
    ALTER TABLE `book_private` DROP `image`; 
    
    ALTER TABLE `book_smilies` CHANGE `width` `width` smallint(6) unsigned NOT NULL default '0'; 
    ALTER TABLE `book_smilies` CHANGE `height` `height` smallint(6) unsigned NOT NULL default '0'; 
    
    ALTER TABLE `book_ip` ADD KEY guest_ip (guest_ip);


At that point, your guestbook should be working on the new version. You will need to reapply any template changes you had done before. If you have any trouble, feel free to post here.

tch_gbookphp.tar.gz

Edited by TCH-MikeJ
Link to post
Share on other sites

Wow! Is that what happened to Boxturt? That's one heckuva security gap!

 

Thank you SO MUCH for the clear instructions - it worked perfectly! Or at least I'm assuming it's secure now. :) I was sweatin' it as I'm an SQL dunce and have never even used File Manager in Cpanel before, but I had no problem understanding your directions or finding where I needed to go.

 

You are amazing!!

 

OK, spoke too soon. I can't get into my guestbook admin. I click on Admin, enter my username and password, it takes me to the admin page, but when I click on anything it takes me back out to the username and password screen again. Any suggestions?

Link to post
Share on other sites

Found some more tables needed to be altered... I have corrected the original message, but if you only did the query I orginally had up there, then go back into phpmyadmin and run the following query the same way you did the original:

>ALTER TABLE `book_auth` CHANGE `LAST_VISIT` `last_visit` int(11) NOT NULL DEFAULT '0'; 
ALTER TABLE `book_data` DROP `image`; 
ALTER TABLE `book_private` DROP `image`; 

ALTER TABLE `book_smilies` CHANGE `width` `width` smallint(6) unsigned NOT NULL default '0'; 
ALTER TABLE `book_smilies` CHANGE `height` `height` smallint(6) unsigned NOT NULL default '0'; 

ALTER TABLE `book_ip` ADD KEY guest_ip (guest_ip);

 

You should be set then.

Link to post
Share on other sites

Im so lost in all this but will give it a try. :dance: I am using version 2.3.1 but as far as i can understand i am gonna need to do all those updates anyway? :)

 

Is there any guestbook you Mike or anyone would recommend for us to use instead or if we are not using one for the moment but planning on using one? :)

Link to post
Share on other sites

Thanks MikeJ - I'll have to try this when I wake up - about 10 cups of coffee from now :)

 

Yea bellringr - I'm guessing that's probably what did happen :dance: I was able to fix it but it was pretty messed up.

Link to post
Share on other sites
I am using version 2.3.1 but as far as i can understand i am gonna need to do all those updates anyway? :dance:

Only v2.2 has the vulnerability. If you are already running v2.3.1 you don't need to do anything. :)

 

I don't use guestbooks, so I'm not sure what else is out there.

Link to post
Share on other sites

Rats. :lol: Everything was fine until I tried to access the guestbook and got "You can't access this file directly..." as a message.

 

Tried to access admin.php -

Fatal error: Class gb_session: Cannot inherit from undefined class gbook_sql in /home/lyricsp/public_html/guestbook/lib/session.class.php on line 10
And in trying to get install.php
Fatal error: Cannot instantiate non-existent class: gbook_sql in /home/lyricsp/public_html/guestbook/install.php on line 9

 

This is where I stop before I really break something. I thought for sure it was ok when I got the "Your SQL-query has been executed successfully" message.

Edited by boxturt
Link to post
Share on other sites

Since I am using a forum and a guestbook I simply created a topic in the forum instead and redirected the guestbook traffic to the forum....

 

Guestbook was a pain anyway, too many German developers wanting backlinks to their sites.

 

Thanks for the info!

 

mr. Bill :Nerd:

Link to post
Share on other sites
This is where I stop before I really break something. I thought for sure it was ok when I got the "Your SQL-query has been executed successfully" message.

Have you had any luck figuring out where it went wrong? If you are still having trouble, feel free to open a ticket, and ask them to forward it to me.

Link to post
Share on other sites

Nope. Couldn't figure it out. I may try this weekend though.

 

I ended up reinstalling the previous version for now. Thanks for your offer, I really appreciate it. :)

Link to post
Share on other sites
  • 1 month later...

I tried the update but seem to be having a problem. The guestbook will allow me to sign into the guest book admin area, but when I do it still shows version 2.2 and will not let me use any of the admin options. When you click on them, it takes you back to the login.

Link to post
Share on other sites
Found some more tables needed to be altered... I have corrected the original message, but if you only did the query I orginally had up there, then go back into phpmyadmin and run the following query the same way you did the original:

>ALTER TABLE `book_auth` CHANGE `LAST_VISIT` `last_visit` int(11) NOT NULL DEFAULT '0'; 
ALTER TABLE `book_data` DROP `image`; 
ALTER TABLE `book_private` DROP `image`; 

ALTER TABLE `book_smilies` CHANGE `width` `width` smallint(6) unsigned NOT NULL default '0'; 
ALTER TABLE `book_smilies` CHANGE `height` `height` smallint(6) unsigned NOT NULL default '0'; 

ALTER TABLE `book_ip` ADD KEY guest_ip (guest_ip);

 

You should be set then.

Did you do these follow up changes MikeJ posted? I was having the same problem as you but when I did this, I was fine.

Link to post
Share on other sites

I'll start with the simple questions first since you mentioned it still says version 2.2.

 

Are you certain you extracted the tch_gbookphp.tar.gz inside your guestbook directory, and it did so without any errors?

Link to post
Share on other sites

I completly deleted the entire gallery, reinstalled it from cpanel, and followed your instructions to the letter.

 

Here is the error that I am getting now.

 

Parse error: parse error, unexpected ';' in /home/ndycnua/public_html/guestbook/admin/config.inc.php on line 69
Link to post
Share on other sites

I'm getting the same message as well when I try to access my guestbook! I've figured a way out to be able to access your guestbook:

 

- open the file config.inc.php which resides in the guestbook/admin directory

- go to line 69 there's the text

>&&

- change this to

>&&

- you have to do this at a second location in this file as well

- save the file

 

If it's allright you can get access to your guesbook now. :)

Link to post
Share on other sites

I had to submit a ticket to the help desk. They said that they found some corrupted files. They were able to get the updated version installed for me, but they were not able to import the guestbook entrys from the proir version.

Link to post
Share on other sites

my "solution" above is not quite THE solution yet. e.g. if I enter the administration area I get the following messages:

>Warning: Cannot modify header information - headers already sent by (output started at /home/olzhpqib/public_html/guestbook/admin/config.inc.php:84) in /home/olzhpqib/public_html/guestbook/lib/admin.class.php on line 33

Warning: Cannot modify header information - headers already sent by (output started at /home/olzhpqib/public_html/guestbook/admin/config.inc.php:84) in /home/olzhpqib/public_html/guestbook/lib/admin.class.php on line 34

Warning: Cannot modify header information - headers already sent by (output started at /home/olzhpqib/public_html/guestbook/admin/config.inc.php:84) in /home/olzhpqib/public_html/guestbook/lib/admin.class.php on line 35

Warning: Cannot modify header information - headers already sent by (output started at /home/olzhpqib/public_html/guestbook/admin/config.inc.php:84) in /home/olzhpqib/public_html/guestbook/lib/admin.class.php on line 36

 

However, I don't need to import "old" guestbook entries, therefore I just would like to know how I can install the updated version.

Link to post
Share on other sites
  • 2 weeks later...
The only guestbooks that will show up as "upgradable" are ones that were installed via cPanel before. Did you perhaps install yours manually?

Did it via control panel. Also noted my forum doesn't show up in the upgrade list for phpbb, either.... also installed via control panel.

 

Someone had a ball with my guestbook... put an obscenity in the boilerplate text for the automated mail sent out when someone posts. <_<

Link to post
Share on other sites
cPanel now has 2.3.1 version of the Advanced Guestbook available, so you should use that to install or upgrade your existing installation.

Did it, works like a charm :o

BTW: didn't need to upgrade from a previous version...

Link to post
Share on other sites
  • 2 weeks later...

Hi,

 

My guestbook was hacked, and I was advised to upgrade to 2.3.1 in cpanel. I did so, but obviously the database wasn't updated (the php was).

 

After some manipulation (let me know if I should explain) I managed to upgrade the database via cpanel, so that it now has 10 tables. All the php pages seem to be version 2.3.1 as well.

 

The problem is that I cannot sign in in the admin area ("Invalid username or password. Please try again.") with the new password that I set in the database (nor with the old one).

 

my book_auth table looks like this:

 

>ID    smallint(5)     	 No
username 	 varchar(60)   	 No
password 	 varchar(60)   	 No
session 	 varchar(32)   	 No
last_visit 	 int(11)   	 No 	 0    

 

Any clues about what might be wrong?

 

The guestbook is here: http://www.askerturn.no/gjestebok/ (sorry that it's in Norwegian...)

Link to post
Share on other sites

:unsure: Welcome to the Family ;)

 

and your new home!

 

 

In cpanels MySQL

You should be able to set a user and password

and then add the user to the database (agbook)

and then be able to sign in.

You can use the old user name too, but add

 

if not open a help ticket (link at top of page).

 

 

We really are like family here.

So if you need anything,

just ask your new family!

We love to help :)

Link to post
Share on other sites

Thanks for your reply!

 

The guestbook itself works without problems, so the password that I set to connect to the database is OK. It is the password that is stored inside the database, to log onto the admin page, that doesn't work. Any other ideas?

Link to post
Share on other sites

I had the same problem once, and I added a new user / password in MySql,

then added that user to the guestbook database and I was able to log into the admin page.

 

if that is what you did and it is still not working

then open a help ticket to see if the techs can help

Link to post
Share on other sites

Thanks.

 

I found the error. The admin that was transferred from the old DB did not have a PASSWORD encrypted password.

 

If other people have this problem just keep in mind, when helping them that they need to run the password they manually add to the DB through the PASSWORD encryption.

Link to post
Share on other sites

Hi all...thanks for a great thread..just recently I had my guest book hijacked. I'm ready to try to upgrade but I have one question. If I upgrade, will I lose my guest book entries? If so, how can I retrieve them before upgrading the guest book.

 

If this helps I'm using advanced guest book php/sql

 

any help or guidance you can provide would be appreciated.

 

thanks

steve.

Link to post
Share on other sites

In cpanel > backup

you can click on the name of the database for your guestbook

probably agbook to download a backup

This is also where you can later upload the backup if needed.

 

Then cpanel > cgi scripts

click on advanced guest book

at the bottom there is a place to upgrade your guestbook,

just select it and that it.

Link to post
Share on other sites

In cpanel it may be called cgi center

then a link to advanced guestbook

this is where you can install a fresh guestbook,

(just fill in the subfolder name and follow the prompts)

and at the bottom left there is a place to ugrade an existing guest book if it was installed by cpanel(a drop down menu to select which guestbook)

Other wise you can follow Mikes instructions at the top of this thread to upgrade.

Edited by TCH-Don
Link to post
Share on other sites
  • 1 month later...

Great it worked, except, I cannot seem to log in to the administrator account to change the settings. I get this error:

 

Connection Error

--------------------------------------------------------------------------------

 

MySQL Error : Connection Error

Error Number: 1045 Access denied for user: 'william2_agbook1@63.247.72.187' (Using password: YES)

Date : Thu, August 26, 2004 14:59:49

IP : 24.1.222.28

Browser : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

Referer : http://www.williamhenley.com

PHP Version : 4.3.8

OS : Linux

Server : Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.19 OpenSSL/0.9.6b

Server Name : www.williamhenley.com

Link to post
Share on other sites
  • 2 weeks later...

Dropping sticky as this version of guestbook hasn't been available in cPanel for at least 3 months. If you still have this version (2.2) that you installed via cPanel, you should upgrading using cPanel installer instead of this method.

 

Gravis, did you manage to get your guestbook working?

Link to post
Share on other sites
  • 1 month later...

I checked their forum and it looks like this may happen if any templates from an earlier version is still installed. Might be best to delete this installation and start again.

However as I said earlier, there might be someone who knows a better answer. :(

Link to post
Share on other sites

Oops, in the case of being hacked,

you may want to delete all files in the guestbook folder after you backup the db.

It's possible a hacker may have modified or left a file there.

Edited by TCH-Don
Link to post
Share on other sites
be sure to backup your db in cpanel > download a db.

then after you reinstall

you can go back to cpanel>backup and upload the db.

Just make sure you backup the DB of the same version of Guestbook. The DB structure changed some between versions.

Link to post
Share on other sites

Thanks.... for the welcome. Actually, when I reinstalled I had forgotten to do the part that was at the beginning of the thread. I am still having problems that I am working on though...

 

When I go into general settings in adminstration I get an error when submitting settings to save. If I continue to get different errors that I can't fix I will just forget about trying to keep my prior post and just reinstall the program with a new database.

 

MySQL Error : Query Error

Error Number: 1054 Unknown column 'thumbnail' in 'field list'

Date : Thu, October 21, 2004 20:09:23

IP : 68.11.174.42

Browser : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

Referer : http://spanishtownmardigras.com/guestbook/...fc23c54dd&uid=1

PHP Version : 4.3.8

OS : FreeBSD

Server : Apache/1.3.31 (Unix) mod_log_bytes/0.3 FrontPage/5.0.2.2635 PHP/4.3.8 mod_ssl/2.8.19 OpenSSL/0.9.7d

Server Name : spanishtownmardigras.com

 

Deborah

 

 

ADDED.... another error when posting message. :)

Warning: unlink(index.html): Permission denied in /home/spanisht/public_html/guestbook/lib/add.class.php on line 80

 

Warning: unlink(img-1044078270.jpg): Permission denied in /home/spanisht/public_html/guestbook/lib/add.class.php on line 80

 

Warning: unlink(img-1044726928.jpg): Permission denied in /home/spanisht/public_html/guestbook/lib/add.class.php on line 80

 

Warning: unlink(img-1046789810.jpg): Permission denied in /home/spanisht/public_html/guestbook/lib/add.class.php on line 80

 

Warning: unlink(img-1062665276.gif): Permission denied in /home/spanisht/public_html/guestbook/lib/add.class.php on line 80

Guestbook

Thank you for signing the guestbook.

 

Your entry was added successfully! You should be transfered back to the guestbook in 2 seconds.

 

I THINK (pretty sure)this one has something to do with photos not showing up there.

Link to post
Share on other sites

You might want to create a new guestbook

 

I think you can edit the old db backup to insert into new db using phpmyadmin

 

I think if you extract from the back up db

the part

--

-- Dumping data for table `book_data`

--

down to the end of that section

and save it as a text file

to insert with phpmyadmin

 

With a new second guestbook you have nothing to lose.

I seem to remember doing this a while back.

Link to post
Share on other sites

Hi Deborah

I can't be of any help with the db problem but I noticed, in the earlier post of errors, the reference to SpanishTown Mardi Gras. I also live in BR and haven't missed a Spanish Town parade in a long time. :D

The Southdowns parade passes within 2 blocks of my house so I never miss it.

 

Welcome to the forum and TCH

Link to post
Share on other sites

Nice to meet you curtis... this is the third season that I have been the webmaster for Spanishtownmardigas.com :D I love it... nothing better or more outlandish than Spanish Town! LOL I hope to see you there this year. Do you go to the Ball?

 

Thanks again,

 

Deborah

Link to post
Share on other sites

;) Congrats Deborah ;)

 

Now be sure to go into cpanel > backup

and click on the link to download the database backup.

I do this regularly.

Then if need be I can install from scratch with the same database name

and upload the database. And back in business :)

 

Don't be a stranger now that you have it working ;)

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...