Jump to content

Problem with guestbook


Reo

Recommended Posts

The guestbook is at:

http://moonrock.000webhostapp.com/battersea/gbook/guestbook.php?i=6

 

When a post is done I receive an e-mail with the opportunity to delete the message entered in guestbook. 

When I click that particular link an error occurs saying:

Fatal error: Uncaught Error: Call to undefined function ereg_replace() in /storage/ssd4/157/1580157/public_html/battersea/gbook/guestbook.php:39 Stack trace: #0 {main} thrown in /storage/ssd4/157/1580157/public_html/battersea/gbook/guestbook.php on line 39

 

The guestbook is downloaded at:

http://www.inverudio.com/guestbook/

Link to comment
Share on other sites

The guestbook application has a full-blown code injection vulnerability in the gbcontentfile.php script:

 

post-167590-0-78695000-1496351283.jpg

 

 

 

 

So what you need to do is get rid of the application and scan the server for signs of attacks. Even better: Nuke the server from orbit and start fresh, this time without the guestbook. If you want the entries back, scrape them from the gbcontentfile.php script, manually check them and then put them into a database where they belong.

 

I cannot stress this enough: Do not use dubious PHP scripts from random websites. You have no idea what the intentions of the authors are, you have no idea if they're competent. Actually, those code-for-free websites are usually crap. The fact that they want write access to your server is deeply worrying and something you should not accept.

 

I'm sure you wouldn't download random executables from the Internet and run them on your PC. So don't download random PHP scripts and run them on your server. This is just as bad, if not worse.

 

If you need a feature and cannot or don't want to implement it yourself, then use a professional solution which is actively maintained on a platform like GitHub, preferrably by more than one person. Update it regularly. Don't just type "guestbook" into Google, download the first result and then let it rot.

post-167590-0-78695000-1496351283_thumb.jpg

Link to comment
Share on other sites

Here is another one, if it is dubious or not I cant tell.

http://ricargbook.adrielmedia.com/download.php

 

I got stuck at: Point your browser to http://yoursite.com/ricargbook/install.php. Where ricargbook is the directory where you uploaded the script.The error is:

Parse error: syntax error, unexpected end of file in /storage/ssd4/157/1580157/public_html/battersea/ricargbook/install.php on line 246

Link to comment
Share on other sites

You might want to consider actually learning how to write a guestbook properly instead of just grabbing stuff off the net. We are not going to continually debug and search for vulnerabilities in random third party scripts. If you just grab a script, assume it is vulnerable and insecure because it probably is.

 

Did you happen to notice the 2007 script date? That is your first clue you should not be using it.

Link to comment
Share on other sites

if it is dubious or not I cant tell.

 

How about listening and applying common sense? I've already explained what you need to look out for. Even if you missed that entirely, I'm sure you're old enough to think for yourself. For example, what does it tell you that the software hasn't been updated since 2007? Do you think that's a sign of quality? Or could that be a problem?

 

Here's your personal checklist:

  • Is the code hosted on a private homepage rather than a proper platform like GitHub? bad
  • Has the project not been updated for a long time? bad
  • Is there only one person working on the project? bad

The thing is that guestbooks are somewhat old-fashioned and not very interesting for competent programmers, so if you know anything about PHP, probably the easiest way is to just write it yourself.

 

Or use a more modern form of user interaction like comments (see Disqus, for example).

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.