
Thread: URGENT - PHP: Advanced Guestbook 2.2

  1. #1
    Administrator AndrewT
    Join Date
    Mar 2004
    Location
    Tulsa, OK
    Posts
    3,634

    URGENT - PHP: Advanced Guestbook 2.2

    This script currently has a security issue that will allow users to download and execute data onto your account. Just today this has been used on a handful of accounts to place fraudulent PayPal websites and send mass amounts of e-mails to advertise them in an attempt to gain legitimate user information.

    The latest version of this script is version 2.3.1; however, I was unable to find any information as to whether or not it is even fixed in that version. Thus far it looks like the issue is being exploited via the POST method on /templates/url.php

    I highly recommend removing this script immediately. If we find that it has been exploited on one of your domains, that domain will be suspended.

  2. #2
    Junior Member
    Join Date
    Dec 2004
    Posts
    10


    I am currently writing an apache module that watches the httpd logs in realtime and locks down a domain when a pre-defined script exploit is used on a website. It's kind of like an antivirus program for apache. (I can't believe this has not already been done.)

    But here is a very basic script (it got me thinking after I wrote it to make an apache module) that will email the POST portion of the http log...

    I use linux for my home PC and run it there... I don't know if this will work as a cron job at dathorn or not; I have not tried it. I guess you could use it via cygwin on windows...

    Code:
    #!/bin/sh
    #getlog
    #
    #Cpanel log file grabber for cron that emails POST
    #information to two email addresses
    #
    #Place this file in ~/httplogs
    #you are free to use, modify and distribute this script.

    #Cpanel username and password
    USERNAME='<username>'
    PASSWORD='<password>'

    #Define two email addresses in case one fails
    ONEEMAIL='<email address1>'
    TWOEMAIL='<email address2>'

    #Your Domain name
    #example.com
    DOMAINONE='<domain name.tld>'

    #file location DO NOT PLACE IN A PUBLIC DIRECTORY IE www or public_html
    LOCATION=~/httplogs

    #Get the date and time to make a unique filename
    DATE=`date +%m_%d_%Y`
    FILENAME=$DATE.txt

    #mkdir -p so a repeated cron run does not fail when the directories already exist
    mkdir -p "$LOCATION"
    cd "$LOCATION" || exit 1
    mkdir -p old

    # This will keep your log files around and not clean up after itself...
    mv log* old 2>/dev/null

    # If you want to clean up use:
    # rm -f log*

    #Get the log file
    #Port 2082 is cPanel over plain HTTP, so the password crosses the network unencrypted;
    #cPanel's SSL port is 2083 (https://$DOMAINONE:2083/...) if your host offers it
    curl --basic --user "$USERNAME:$PASSWORD" --get "http://$DOMAINONE:2082/getaccesslog/accesslog_${DOMAINONE}_$DATE.gz" | gunzip > "log$FILENAME"

    #Keep only POST requests and mail them out
    grep POST "log$FILENAME" > logaccess.txt
    mail -s accesslogs "$ONEEMAIL" < logaccess.txt
    mail -s accesslogs "$TWOEMAIL" < logaccess.txt
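The script above mails every POST in the log; the first post in this thread says the abuse goes through POST requests to /templates/url.php. The following is an added example (not code from the thread or from the Advanced Guestbook project) that parses Apache combined-format access log lines and reports only POSTs to that file, ignoring the query string. The log lines, IP addresses, timestamps and user agents are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" format. Only the third line is
# a POST to the path named in the thread; the fourth hits the same file via GET.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Dec/2004:10:01:12 -0600] "GET /guestbook/index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
198.51.100.7 - - [14/Dec/2004:10:01:15 -0600] "POST /guestbook/addentry.php HTTP/1.1" 302 0 "http://example.com/guestbook/" "Mozilla/4.0"
203.0.113.9 - - [14/Dec/2004:10:03:41 -0600] "POST /guestbook/templates/url.php HTTP/1.1" 200 77 "-" "libwww-perl/5.79"
203.0.113.9 - - [14/Dec/2004:10:03:44 -0600] "GET /guestbook/templates/url.php?x=1 HTTP/1.1" 200 77 "-" "libwww-perl/5.79"
"""

# One combined-format line: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str, path_suffix: str = "/templates/url.php") -> List[Dict[str, str]]:
    """Return the parsed records for POST requests whose path ends with the watched file.

    The query string is stripped before comparing, so "url.php?x=1" still matches,
    and the guestbook may live under any directory (the check is on the suffix)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or truncated line: skip rather than crash the cron job
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith(path_suffix):
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> List[str]:
    """One line per hit: who, when, what status, and which client software."""
    return [f'{h["ip"]} [{h["time"]}] {h["status"]} "{h["agent"]}"' for h in hits]


if __name__ == "__main__":
    for line in summarize(find_suspicious(SAMPLE_LOG)):
        print(line)
```

Feeding it the gzipped log the script above downloads gives a much shorter mail than grepping all POSTs, and the client address and user agent in each hit are what you need when deciding whether to suspend a domain.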

  3. #3
    Junior Member
    Join Date
    Nov 2004
    Posts
    4

    Migration assistance

    Hello,

    If a user wished to migrate to another guestbook, can anyone provide assistance in migrating the guestbook data for us? We have about 3-4 clients using Guestbook 2.3.1 and would like to get away from them anyway. Any help would of course be compensated. Any recommendation of a secure GB would also be appreciated.

    Also, in the meantime we've removed the /templates/url.php file and the guestbook still functions OK, so we're taking it out of all books.

    Thank you

    Nadine
    Fast Track Pro Web Services

  4. #4
    Senior Member sdjl
    Join Date
    Mar 2004
    Location
    London, UK.
    Posts
    502


    Does this guestbook use MySQL to store data?
    If so, and the one you want to use also does, you could just compare how the tables are set up to store data. Then write a small script to extract data from one table and put it in the other table.

    David
    -----
    Do you fear the obsolescence of the metanarrative apparatus of legitimation?

  5. #5
    Junior Member
    Join Date
    Nov 2004
    Posts
    4


    Hello sdjl,

    Yes, this book does use MySQL. I'm just not familiar with writing scripts.

    Thanks for responding.

    Nadine
