SQL Injection exploit Advanced Guest Book v2.2

kokoman

Active Member
Nov 28, 2002
27
0
151
BA, Argentina
The AGB 2.2 appears vulnerable to SQL Injection granting the attacker administrator access.

The attack is very simple and consists of inputting the string detailed below, leaving the username entry blank:

') OR ('a' = 'a

I develop a fix to this issue (other alternative is upgrade to a newest version of AGB), just add the next lines to the file 'admin.php' into the guestbook dir.

starting from line 9

--- lines to add are below this line ---

$verifica = stristr($password," OR ");
if ($verifica <> FALSE) die ("A volar pancho!");

--- end

regards
Martin
 

dlorch

Member
May 12, 2004
9
0
151
@kokoman

This won't fix the SQL injection issue, not even the login problen. Try

') or ('a' = 'a

(lowercase "or") and you see what I mean. Here's a patch which fixes the problem by properly escaping the values before passing them on to the SQL query. It also changes the version from 2.2 to 2.2-pl1 (which means "patch level 1").

Code:
diff -ur guestbook-dist/lib/session.class.php guestbook/lib/session.class.php
--- guestbook-dist/lib/session.class.php        Thu Sep  9 10:50:57 2004
+++ guestbook/lib/session.class.php     Thu Sep  9 11:02:27 2004
@@ -55,7 +55,10 @@
     }
 
     function checkPass($username,$password) {
-        $this->query("SELECT ID FROM ".$this->table['auth']." WHERE username='$username' and password=PASSWORD('$password')");
+        $this->query(sprintf("SELECT ID FROM %s WHERE username='%s' and password=PASSWORD('%s')",
+          $this->table['auth'],
+          mysql_escape_string($username),
+          mysql_escape_string($password)));
         $this->fetch_array($this->result);
         return ($this->record) ? $this->record["ID"] : false;
     }
diff -ur guestbook-dist/templates/footer.php guestbook/templates/footer.php
--- guestbook-dist/templates/footer.php Sun Nov  4 00:33:08 2001
+++ guestbook/templates/footer.php      Thu Sep  9 11:02:56 2004
@@ -1,4 +1,4 @@
-<center><font face="Arial, Helvetica, sans-serif" color="#CCCCCC" size="1"><b>Advanced Guestbook 2.2<br>
+<center><font face="Arial, Helvetica, sans-serif" color="#CCCCCC" size="1"><b>Advanced Guestbook 2.2-pl1<br>
   Powered by PHP &amp; MySQL - <a href="http://www.proxy2.de" target="_blank"><font color="#CCCCCC">http://http://www.proxy2.de</font></a></b></font></center>
 </body>
 </html>
 

kokoman

Active Member
Nov 28, 2002
27
0
151
BA, Argentina
Yes, you right.. I forgot to post the final version of the code...

--- old version
$verifica = stristr($password," OR ");
if ($verifica <> FALSE) die ("A volar pancho!");

--- new version
if (stristr(strtolower($password), " or ") <> false die ("your own gentle ;) message");

best regards
 

dlorch

Member
May 12, 2004
9
0
151
@kokoman

No offense, but you don't seem to understand the problem. The big issue about this security hole is that you are able to inject any kind of SQL, such as DROP TABLE, DROP DATABASE, DELETE. It's not the administration panel of AGB that worries me most. You can only solve this issue by properly escaping the values entered by the user, as suggested by the patch I provided in the previous posting.
 

kokoman

Active Member
Nov 28, 2002
27
0
151
BA, Argentina
dlorch said:
@kokoman

No offense, but you don't seem to understand the problem. The big issue about this security hole is that you are able to inject any kind of SQL, such as DROP TABLE, DROP DATABASE, DELETE. It's not the administration panel of AGB that worries me most. You can only solve this issue by properly escaping the values entered by the user, as suggested by the patch I provided in the previous posting.

Don´t worry I´m not offended... we are here just to interchange our knows about knowns problems.. right?

paid attention to the function 'strtolower', that function converts any string to lower case. e.g. 'strtolower("Or") = "or"; strtolower("oR")="or"; strtolower("OR")="or"' as you see, in any case the string will be "or" (in lower case).

Don´t forget something about the possibility to inject a DROP or DELETE statement by means of the login screen of AGB, that won´t work into a SELECT.
 
C

cPanelBilly

Guest
That is correct, we recommend all users use the update Advanced Guest Book option in cPanel to update to this version.
This updated version of Advanced Guest Book has been available for awhile now inside of cpanel.
 

kokoman

Active Member
Nov 28, 2002
27
0
151
BA, Argentina
cPanelBilly said:
That is correct, we recommend all users use the update Advanced Guest Book option in cPanel to update to this version.
This updated version of Advanced Guest Book has been available for awhile now inside of cpanel.
Well, I never say that I suggest the opposed. But that´s not incorrect... newbie!
 

laura

Active Member
Sep 12, 2003
35
0
156
indonesia
My AGB is ver 2.2 !
How to upgrade from Cpanel menu?
My Cpanel menu cannot found my Advanced Guestbook, so how to upgrade easily?
 

elleryjh

Well-Known Member
Apr 12, 2003
479
0
166
cPanel is still installing 2.2! Where can I upgrade to a newer version?


WHM 9.9.7 cPanel 9.9.8-R5
 

elleryjh

Well-Known Member
Apr 12, 2003
479
0
166
so there's no way to update? Just hope that it updates itself one day?

What is this--Microsoft?! :)
 

elleryjh

Well-Known Member
Apr 12, 2003
479
0
166
Where can I find that patch and where can I apply it so that future installations are the newest version?
 

ThunderHostingDotCom

Well-Known Member
Nov 18, 2002
449
1
168
All over!
Billy: The function in WHM is great but it is ONLY good for new installs of the guestbook! How do we go about upgrading current versions already installed?

UPDATE: Since I posted this earlier today I found out that the cPanel install is installing version 2.2 & NOT the newest version! Yes we have the install & update feature checked in WHM. I am going to submit a ticket now. Anyone else have this issue?

cPanelBilly said:
That is correct, we recommend all users use the update Advanced Guest Book option in cPanel to update to this version.
This updated version of Advanced Guest Book has been available for awhile now inside of cpanel.
 
Last edited:

BubbaGum

Active Member
Nov 10, 2004
36
0
156
Western US
I was having the same issue with upgrades being behind the current.

I finally had to uninstall it today as 60 or so folks on ourservices have been compromised with the paypal phishing attack thru the script (uploads php mailer into the templates directory).
 

ThunderHostingDotCom

Well-Known Member
Nov 18, 2002
449
1
168
All over!
It seems the issue I was having was due to xController not pointing to the correct install of AGB. I have brought this to Kosmo's attention & they said they will be updating it soon. Until then I had to manually upgrade AGB to version 2.3.1.