SQL Injection exploit Advanced Guest Book v2.2

kokoman

Active Member
Nov 28, 2002
BA, Argentina
The AGB 2.2 appears vulnerable to SQL Injection, granting the attacker administrator access.

The attack is very simple and consists of inputting the string detailed below, leaving the username entry blank:

') OR ('a' = 'a

I developed a fix for this issue (the other alternative is to upgrade to a newer version of AGB); just add the following lines to the file 'admin.php' in the guestbook dir.

starting from line 9

--- lines to add are below this line ---

$verifica = stristr($password," OR ");
if ($verifica <> FALSE) die ("A volar pancho!");

--- end

regards
Martin
 

dlorch

Member
May 12, 2004
@kokoman

This won't fix the SQL injection issue, not even the login problem. Try

') or ('a' = 'a

(lowercase "or") and you see what I mean. Here's a patch which fixes the problem by properly escaping the values before passing them on to the SQL query. It also changes the version from 2.2 to 2.2-pl1 (which means "patch level 1").

Code:
diff -ur guestbook-dist/lib/session.class.php guestbook/lib/session.class.php
--- guestbook-dist/lib/session.class.php        Thu Sep  9 10:50:57 2004
+++ guestbook/lib/session.class.php     Thu Sep  9 11:02:27 2004
@@ -55,7 +55,10 @@
     }
 
     function checkPass($username,$password) {
-        $this->query("SELECT ID FROM ".$this->table['auth']." WHERE username='$username' and password=PASSWORD('$password')");
+        $this->query(sprintf("SELECT ID FROM %s WHERE username='%s' and password=PASSWORD('%s')",
+          $this->table['auth'],
+          mysql_escape_string($username),
+          mysql_escape_string($password)));
         $this->fetch_array($this->result);
         return ($this->record) ? $this->record["ID"] : false;
     }
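Review bot: the two added `mysql_escape_string(...)` calls escape without regard to the connection's character set; `mysql_real_escape_string($username)` / `mysql_real_escape_string($password)` (available since PHP 4.3.0) use the active connection's charset and are the safer choice here. Escaping inside the single-quoted `'%s'` placeholders is otherwise correct, but note that `$this->table['auth']` is still spliced in unescaped, so it must stay a trusted, non-user-controlled value, and the result of `$this->query(...)` is never checked before `fetch_array` is called on `$this->result`.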
diff -ur guestbook-dist/templates/footer.php guestbook/templates/footer.php
--- guestbook-dist/templates/footer.php Sun Nov  4 00:33:08 2001
+++ guestbook/templates/footer.php      Thu Sep  9 11:02:56 2004
@@ -1,4 +1,4 @@
-<center><font face="Arial, Helvetica, sans-serif" color="#CCCCCC" size="1"><b>Advanced Guestbook 2.2<br>
+<center><font face="Arial, Helvetica, sans-serif" color="#CCCCCC" size="1"><b>Advanced Guestbook 2.2-pl1<br>
   Powered by PHP &amp; MySQL - <a href="http://www.proxy2.de" target="_blank"><font color="#CCCCCC">http://http://www.proxy2.de</font></a></b></font></center>
 </body>
 </html>
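Review bot: the unchanged context line directly under the changed `<b>` line still carries the doubled scheme `http://http://www.proxy2.de` as the link text; since this hunk already touches the footer, that typo is worth fixing in the same patch rather than leaving a second footer change for later. The `2.2-pl1` version label itself is fine and matches the "patch level 1" convention described in the post.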
 

kokoman

Active Member
Nov 28, 2002
BA, Argentina
Yes, you're right.. I forgot to post the final version of the code...

--- old version
$verifica = stristr($password," OR ");
if ($verifica <> FALSE) die ("A volar pancho!");

--- new version
if (stristr(strtolower($password), " or ") <> false) die ("your own gentle ;) message");

best regards
 

dlorch

Member
May 12, 2004
@kokoman

No offense, but you don't seem to understand the problem. The big issue about this security hole is that you are able to inject any kind of SQL, such as DROP TABLE, DROP DATABASE, DELETE. It's not the administration panel of AGB that worries me most. You can only solve this issue by properly escaping the values entered by the user, as suggested by the patch I provided in the previous posting.
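The login-bypass and the hardened query from this exchange, as an added stand-alone demo that is not code from the thread or from AGB: it rebuilds the `checkPass()` query over an in-memory SQLite table (assumed column names ID/username/password as in the patch), registers a constructed stand-in for MySQL's `PASSWORD()` so the parentheses in the posted payload line up exactly as they do in the original query, and contrasts string splicing with parameter binding (parameter binding is used here in place of `mysql_escape_string`, which SQLite cannot interpret).

```python
import hashlib
import sqlite3

# The exact string posted in the thread, entered with the username left blank.
PAYLOAD = "') OR ('a' = 'a"


def fake_password(s):
    """Stand-in for MySQL's PASSWORD(); constructed, not MySQL's real algorithm."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def make_db():
    """In-memory auth table with one constructed admin row."""
    db = sqlite3.connect(":memory:")
    db.create_function("PASSWORD", 1, fake_password)
    db.execute("CREATE TABLE auth (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO auth (ID, username, password) VALUES (1, 'admin', PASSWORD('constructed-secret'))")
    return db


def check_pass_vulnerable(db, username, password):
    """Mirrors the original AGB 2.2 query: user input spliced into the SQL text."""
    sql = ("SELECT ID FROM auth WHERE username='%s' and password=PASSWORD('%s')"
           % (username, password))
    # With PAYLOAD the WHERE clause becomes
    #   username='' and password=PASSWORD('') OR ('a' = 'a')
    # and the tautology on the right returns the admin row.
    row = db.execute(sql).fetchone()
    return row[0] if row else False


def check_pass_safe(db, username, password):
    """Hardened form: the driver binds values, so the payload stays a literal."""
    row = db.execute(
        "SELECT ID FROM auth WHERE username=? and password=PASSWORD(?)",
        (username, password),
    ).fetchone()
    return row[0] if row else False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, blank user + payload:", check_pass_vulnerable(db, "", PAYLOAD))
    print("hardened,   blank user + payload:", check_pass_safe(db, "", PAYLOAD))
    print("hardened,   real credentials:    ", check_pass_safe(db, "admin", "constructed-secret"))
```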
 

kokoman

Active Member
Nov 28, 2002
BA, Argentina
dlorch said:
@kokoman

No offense, but you don't seem to understand the problem. The big issue about this security hole is that you are able to inject any kind of SQL, such as DROP TABLE, DROP DATABASE, DELETE. It's not the administration panel of AGB that worries me most. You can only solve this issue by properly escaping the values entered by the user, as suggested by the patch I provided in the previous posting.

Don't worry, I'm not offended... we are here just to exchange what we know about known problems.. right?

Pay attention to the function 'strtolower'; that function converts any string to lower case, e.g. 'strtolower("Or") = "or"; strtolower("oR") = "or"; strtolower("OR") = "or"'. As you see, in any case the string will be "or" (in lower case).

Don't forget something about the possibility of injecting a DROP or DELETE statement by means of the login screen of AGB: that won't work inside a SELECT.
 

cPanelBilly

Guest
That is correct, we recommend all users use the update Advanced Guest Book option in cPanel to update to this version.
This updated version of Advanced Guest Book has been available for a while now inside of cPanel.
 

kokoman

Active Member
Nov 28, 2002
BA, Argentina
cPanelBilly said:
That is correct, we recommend all users use the update Advanced Guest Book option in cPanel to update to this version.
This updated version of Advanced Guest Book has been available for a while now inside of cPanel.
Well, I never said that I suggested the opposite. But that's not incorrect... newbie!
 

laura

Active Member
Sep 12, 2003
indonesia
My AGB is ver 2.2!
How do I upgrade from the cPanel menu?
My cPanel menu cannot find my Advanced Guestbook, so how do I upgrade easily?
 

elleryjh

Well-Known Member
Apr 12, 2003
cPanel is still installing 2.2! Where can I upgrade to a newer version?


WHM 9.9.7 cPanel 9.9.8-R5
 

elleryjh

Well-Known Member
Apr 12, 2003
So there's no way to update? Just hope that it updates itself one day?

What is this--Microsoft?! :)
 

elleryjh

Well-Known Member
Apr 12, 2003
Where can I find that patch and where can I apply it so that future installations are the newest version?
 

ThunderHostingDotCom

Well-Known Member
Nov 18, 2002
All over!
Billy: The function in WHM is great but it is ONLY good for new installs of the guestbook! How do we go about upgrading current versions already installed?

UPDATE: Since I posted this earlier today I found out that the cPanel install is installing version 2.2 & NOT the newest version! Yes we have the install & update feature checked in WHM. I am going to submit a ticket now. Anyone else have this issue?

cPanelBilly said:
That is correct, we recommend all users use the update Advanced Guest Book option in cPanel to update to this version.
This updated version of Advanced Guest Book has been available for a while now inside of cPanel.
 

BubbaGum

Active Member
Nov 10, 2004
Western US
I was having the same issue with upgrades being behind the current.

I finally had to uninstall it today as 60 or so folks on our services have been compromised with the PayPal phishing attack through the script (it uploads a PHP mailer into the templates directory).
 

ThunderHostingDotCom

Well-Known Member
Nov 18, 2002
All over!
It seems the issue I was having was due to xController not pointing to the correct install of AGB. I have brought this to Kosmo's attention & they said they will be updating it soon. Until then I had to manually upgrade AGB to version 2.3.1.