URGENT - PHP: Advanced Guestbook 2.2

  • AndrewT
    Administrator
    • Mar 2004
    • 3653

    URGENT - PHP: Advanced Guestbook 2.2

    This script currently has a security issue that will allow users to download and execute data onto your account. Just today this has been used on a handful of accounts to place fraudulent PayPal websites and send mass amounts of e-mails to advertise them in an attempt to gain legitimate user information.

    The latest version of this script is version 2.3.1, however I was unable to find any information as to whether or not it is even fixed in that version. Thus far it looks like the issue is being exploited via the POST method on /templates/url.php

    I highly recommend removing this script immediately. If we find that it has been exploited on one of your domains, that domain will be suspended.
  • thinkliberty
    Junior Member
    • Dec 2004
    • 10

    #2
    I am currently writing an apache module that watches the httpd logs in real time and locks down a domain when a pre-defined script exploit is used on a website. It's kind of like an antivirus program for apache. (I can't believe this has not already been done.)

    But here is a very basic script (it got me thinking after I wrote it to make an apache module) that will email the POST portion of the http log...

    I use linux for my home PC and run it there... I don't know if this will work as a cron job at dathorn or not, I have not tried it. I guess you could use it via cygwin on windows...

    Code:
    #!/bin/sh
    # getlog
    #
    # Cpanel log file grabber for cron that emails POST
    # information to two email addresses
    #
    # Place this file in ~/httplogs
    # You are free to use, modify and distribute this script.

    # Cpanel username and password
    # (note: port 2082 is plain HTTP, so these travel unencrypted)
    USERNAME=<username>
    PASSWORD=<password>

    # Define two email addresses in case one fails
    ONEEMAIL='<email address1>'
    TWOEMAIL='<email address2>'

    # Your domain name, e.g. example.com
    DOMAINONE=<domain name.tld>

    # File location. DO NOT PLACE IN A PUBLIC DIRECTORY, i.e. www or public_html
    LOCATION=~/httplogs

    # Get the date to make a unique filename
    DATE=`date +%m_%d_%Y`
    FILENAME="$DATE.txt"

    mkdir -p "$LOCATION"
    cd "$LOCATION" || exit 1
    mkdir -p old

    # This will keep your old log files around and not clean up after itself...
    mv log* old 2>/dev/null

    # If you want to clean up instead, use:
    # rm -f log*

    # Get the compressed access log from cPanel and unpack it
    curl --basic --user "$USERNAME:$PASSWORD" --get "http://$DOMAINONE:2082/getaccesslog/accesslog_${DOMAINONE}_$DATE.gz" | gunzip > "log$FILENAME"

    # Mail every POST request in the log to both addresses
    grep POST "log$FILENAME" > logaccess.txt
    mail -s accesslogs "$ONEEMAIL" < logaccess.txt
    mail -s accesslogs "$TWOEMAIL" < logaccess.txt

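
An added example, not thinkliberty's script and not from the thread: a small POSIX sh filter that reads a cPanel combined-format access log and reports only the POST requests to the /templates/url.php path that AndrewT identifies as the exploited entry point, plus the number of distinct client addresses behind them. The log lines are constructed for the example (documentation address ranges; the /guestbook/ install path is an assumption).

```sh
#!/bin/sh
# Added example: scan a cPanel combined-format access log for POST requests
# to the Advanced Guestbook /templates/url.php path named in the thread.
# This is not thinkliberty's script; it only reports, it does not lock down.

# Constructed sample log lines (addresses are documentation ranges, the
# /guestbook/ path is an assumption about where the script was installed).
SAMPLE_LOG='192.0.2.10 - - [12/Dec/2004:10:01:02 +0000] "GET /guestbook/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2004:10:02:15 +0000] "POST /guestbook/templates/url.php HTTP/1.1" 200 412 "-" "libwww-perl/5.8"
198.51.100.7 - - [12/Dec/2004:10:03:44 +0000] "POST /guestbook/addentry.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2004:10:05:09 +0000] "POST /guestbook/templates/url.php?x=1 HTTP/1.1" 500 0 "-" "libwww-perl/5.8"
192.0.2.10 - - [12/Dec/2004:10:06:00 +0000] "GET /guestbook/templates/url.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"'

# suspicious_posts: read a combined-format log on stdin and print only the
# lines whose method is POST and whose request path (query string stripped)
# ends in /templates/url.php.  Field 6 is the method with its leading quote,
# field 7 is the request target.
suspicious_posts() {
    awk '$6 == "\"POST" {
        path = $7
        sub(/\?.*/, "", path)
        if (path ~ /\/templates\/url\.php$/) print
    }'
}

# hit_count: number of matching requests in the log read from stdin.
hit_count() {
    suspicious_posts | wc -l | tr -d ' '
}

# source_count: number of distinct client addresses behind those requests,
# which is what a block list or a per-domain lock would be keyed on.
source_count() {
    suspicious_posts | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# sample_hits / sample_sources: run the checks on the embedded sample so the
# script demonstrates itself when executed directly.
sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | hit_count
}
sample_sources() {
    printf '%s\n' "$SAMPLE_LOG" | source_count
}

# On a real log (path is a placeholder): suspicious_posts < /path/to/access_log
echo "POST hits on url.php in sample: $(sample_hits) from $(sample_sources) address(es)"
```

The filter keys on the request method and path rather than on a bare `grep POST`, so legitimate POSTs to the guestbook's own entry form are not reported, and the query string is stripped first so `url.php?anything` is still caught.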

    • markh
      Junior Member
      • Nov 2004
      • 4

      #3
      Migration assistance

      Hello,

      If a user wished to migrate to another guestbook, can anyone provide assistance in migrating the guestbook data for us? We have about 3-4 clients using Guestbook 2.3.1 and would like to get away from them anyway. Any help would of course be compensated. Any recommendation of a secure GB would also be appreciated.

      Also, in the meantime we've removed the /templates/url.php file and the guestbook still functions OK, so we're taking it out of all books.

      Thank you

      Nadine
      Fast Track Pro Web Services


      • sdjl
        Senior Member
        • Mar 2004
        • 502

        #4
        Does this guestbook use MySQL to store data?
        If so, and the one you want to use also does, you could just compare how the tables are set up to store data. Then write a small script to extract data from one table and put it in the other table.

        David
        -----
        Do you fear the obsolescence of the metanarrative apparatus of legitimation?


        • markh
          Junior Member
          • Nov 2004
          • 4

          #5
          Hello sdjl,

          Yes, this book does use MySQL. I'm just not familiar with writing scripts.

          Thanks for responding.

          Nadine
