prafulla Posted November 23, 2008
Hello PHP Gurus, I picked some free PHP script to create a flatfile-based guestbook on my website. One day suddenly someone deleted all the 150+ posts from the guestbook. I then did a little bit of research to see if my 'flatfile' was accessible and discovered that it was easy to guess the path and the file name of the flatfile storing entries.
1. It's a silly question, but I want to be absolutely sure: did someone 'guess' that file name and path and use some kind of script to delete the entries? Or are there other ways to do so, e.g. automated searches over the internet?
2. The 'flatfile' had 'write' permission for the public (on a Unix-hosted website). If I do not give write permission, users will not be able to post comments, but if I do provide 'write' access to the public, people can hack, delete and write whatever they want. Is there a safe and secure way to handle this problem?
Many thanks in advance for your answers.
https://forums.phpfreaks.com/topic/133947-someone-hacked-by-php-guestbook/
laPistola Posted November 23, 2008
Yes, they can view the source, see that you're using a script they have hacked before, from that make a guess at the file name, then write a small script to delete it.
corbin Posted November 23, 2008
Or, multiple writes could have occurred at once, which would have screwed the file up.
DeanWhitehouse Posted November 24, 2008
I would advise using a MySQL database; it can be much more secure. Or store the guestbook details in PHP variables in a PHP page rather than a text file.
prafulla Posted November 24, 2008 (Author)
Thanks everyone for the comments. A few clarifications:
1. Someone definitely hacked it, as I could see some 'spam' website names in improper format in the flatfile. Every entry from the website goes in a particular format. Hence, I am sure that they hacked it using some external script.
2. My main question is that even if I use MySQL, as long as I am giving the public rights to write anything in my scrapbook, how can I make it secure and stop hackers from directly accessing the database or the flatfile?
Thanks,
Mchl Posted November 24, 2008
They would need the database password to connect directly to the database (and you can hide it outside the document root). They could still try SQL injections or other attacks, but there are well documented countermeasures against those as well.
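A worked example added here (not ArdGuest's code, nor code from anyone in this thread) of how a PHP flatfile guestbook can address the two points raised above: the data file kept outside the document root so it has no guessable URL and needs no world-writable permissions, and locked writes so two simultaneous posts cannot corrupt it. The file path is an assumed placeholder.

```php
<?php
// Added example, not the ArdGuest script. The data file lives OUTSIDE the web
// root, so no URL maps to it; only the web server user needs write access
// (the file is not world-writable). If the host offers no directory above the
// web root, a .htaccess containing "Deny from all" (Apache 2.2) in the data
// directory blocks direct URL access instead. Path below is a placeholder.
const GUESTBOOK_FILE = '/home/example/private/guestbook.dat'; // not under public_html

function guestbook_add(string $name, string $message): bool
{
    // Reject anything that does not fit the record format before it is stored.
    $name    = trim($name);
    $message = trim($message);
    if ($name === '' || $message === '' || strlen($name) > 40 || strlen($message) > 2000) {
        return false;
    }
    if (strpbrk($name . $message, "\r\n") !== false) { // would break one-record-per-line
        return false;
    }
    $json = json_encode(['t' => time(), 'n' => $name, 'm' => $message]);
    if ($json === false) {            // e.g. invalid UTF-8 in the input
        return false;
    }
    // LOCK_EX: no interleaved partial writes when two visitors post at once.
    return file_put_contents(GUESTBOOK_FILE, $json . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function guestbook_read(): array
{
    $entries = [];
    if (!is_readable(GUESTBOOK_FILE) || ($fh = fopen(GUESTBOOK_FILE, 'r')) === false) {
        return $entries;
    }
    flock($fh, LOCK_SH);              // shared lock: do not read mid-write
    while (($line = fgets($fh)) !== false) {
        $row = json_decode($line, true);
        if (is_array($row) && isset($row['t'], $row['n'], $row['m'])) {
            $entries[] = $row;        // malformed lines are skipped, not displayed
        }
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $entries;
}

// Display: escape on output so a stored entry can never run as HTML/JS in visitors' browsers.
foreach (guestbook_read() as $e) {
    printf("<p><b>%s</b> (%s): %s</p>\n",
        htmlspecialchars($e['n'], ENT_QUOTES, 'UTF-8'),
        date('Y-m-d', (int) $e['t']),
        htmlspecialchars($e['m'], ENT_QUOTES, 'UTF-8'));
}
```

The same separation applies to the MySQL route: the config file holding the database password belongs outside the document root, and all writes go through the script's own checks rather than through a path a visitor can request.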
kenrbnsn Posted November 24, 2008
You haven't shown us your current code for writing to the guestbook file. Without that, we can only guess at what happened.
Ken
prafulla Posted November 24, 2008 (Author)
Hi Ken - I used the ArdGuest guestbook (http://www.promosi-web.com/script/guestbook/) and used the default 'flatfile' name and location.
justinh Posted November 24, 2008
People still use guestbooks?
darkfreaks Posted November 24, 2008
Hey, I tested using SQL Inject Me and XSS Inject Me with Firefox; nothing was found. However, I am sure using .htaccess to beef up security would help loads: http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html
prafulla Posted November 24, 2008 (Author)
Hey Justinh - even I don't like guestbooks. Is there any better way of collecting feedback/comments from users visiting the website?
Novice & Silly - Prafulla
darkfreaks Posted November 24, 2008
Guestbooks can be secure; I have made very secure guestbooks. All applications have to have .htaccess files to beef up security, otherwise anyone can just sniff out the application and find holes, which yours does not have. But still, you can override the captcha; it isn't hack proof.
ShiloVir Posted November 24, 2008
> Hey Justinh - even I don't like guestbooks. Is there any better way of collecting feedback/comments from users visiting the website? Novice & Silly - Prafulla
A forum is great. Guestbooks take me back to the days of Geocities and free HTML hosting. Personally, a forum is much better than a guestbook. You can try phpBB (a fav of mine, easy to edit) or Simple Machines Forum.
This topic is now archived and is closed to further replies.