We have discovered a bug in Guestbook Script that, under certain circumstances, allows the injection of third-party code. An attacker would be able to read local files on the server or to inject malicious code that is hosted on a third-party server. All versions up to and including 1.7 are affected. A successful attack requires the following:
Reading local files
- PHP INI setting register_globals = On
- PHP 4 or higher
Injection of code from another server
- PHP INI setting register_globals = On
- PHP 5 or higher
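To check a server against the requirements listed above, the following is an added example (not part of Guestbook Script and not code from STADTAUS.com). The function names and the `$installed` value are assumptions made for illustration.

```php
<?php
// Added example, not STADTAUS.com code. Written in PHP 4-compatible syntax
// (array(), no type hints) because register_globals only exists on old PHP.

// ini_get() returns "1" for php.ini "On", but may return "On" when the flag
// is set through the web server config, and false where the directive is gone.
function ini_flag_on($value)
{
    return in_array(strtolower(trim((string) $value)), array('1', 'on', 'true', 'yes'));
}

// Returns the advisory's exposure classes whose listed requirements are met.
// $scriptVersion is supplied by the administrator (assumption: this example
// does not know where an installation records its version).
function guestbook_exposure($registerGlobals, $phpVersion, $scriptVersion)
{
    $found = array();
    // Advisory: all versions up to and including 1.7 are affected.
    if (version_compare($scriptVersion, '1.7', '>')) {
        return $found;
    }
    // Both exposure classes require register_globals = On.
    if (!ini_flag_on($registerGlobals)) {
        return $found;
    }
    if (version_compare($phpVersion, '4', '>=')) {
        $found[] = 'reading local files';
    }
    if (version_compare($phpVersion, '5', '>=')) {
        $found[] = 'injection of code from another server';
    }
    return $found;
}

$installed = '1.7'; // constructed sample value: set to your installed version
$result = guestbook_exposure(ini_get('register_globals'), PHP_VERSION, $installed);
echo $result ? "Requirements met for: " . implode(', ', $result) . "\n"
             : "Advisory requirements not met on this interpreter.\n";
```

Run it with the same PHP interpreter and configuration that serves the guestbook, since the command-line and web server configurations can differ.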
We strongly recommend updating to the current version, 1.9. Please note: we have skipped version 1.8 for internal reasons.
Download: Guestbook Script 1.9
To update an existing installation of version 1.7, you only need to replace the file /inc/common.inc.php with the new one.
Older versions of the script first need to be updated to version 1.7.
STADTAUS.com Support Team