
the stupid guestbook has been more trouble than it's worth. first it kept getting spammed, so i had to fix that. now someone's taken advantage of a security hole that allows admin access to everyone and effed up the page. i'm lucky they didn't delete all the guestbook entries. but now i've fixed that, too. though i must say, it was rather clever...

basically, anyone can hack in to version 2.2 of the guestbook by leaving the username blank and typing this line as the password:

') OR ('a' = 'a

it's called an SQL injection exploit. and then whoever did it edited the latest guestbook post by inserting the following HTML (offending text has been censored):

<div id="post" style="position: absolute; top: 0; left: 0; width: 1024; height: 2000; z-index: 1; overflow: auto"> <table border="0" width="100%" bgcolor="#000000" height="100%" cellspacing="5" cellpadding="5" valign="top"><tr><td width="100%" valign="top">
&nbsp;&nbsp;&nbsp;&nbsp;blah blah blah blah blah blah</font></td></tr></table></div>
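
Why that password string works, and how a parameterized query stops it, as an added example that is not part of the original post or the guestbook's own code. The table layout, the sample credentials and the parenthesised WHERE clause are assumptions chosen to match the shape of the quoted string, and Python with sqlite3 stands in for whatever the guestbook actually runs on.

```python
import sqlite3

# The password string quoted in the post.
PAYLOAD = "') OR ('a' = 'a"


def make_db():
    # Constructed sample data; the schema is an assumption.
    # Plaintext password only to keep the example short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    db.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    return db


def login_vulnerable(db, username, password):
    # Form input is pasted into the SQL text, so a quote in the input
    # ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT COUNT(*) FROM admins WHERE "
           "(username = '%s' AND password = '%s')" % (username, password))
    return sql, db.execute(sql).fetchone()[0] > 0


def login_fixed(db, username, password):
    # Placeholders pass the input as data; it is never parsed as SQL.
    sql = "SELECT COUNT(*) FROM admins WHERE (username = ? AND password = ?)"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    sql, ok = login_vulnerable(db, "", PAYLOAD)
    print(sql)  # the WHERE clause now ends in: OR ('a' = 'a')
    print("vulnerable check accepts login:", ok)
    print("parameterized check accepts login:", login_fixed(db, "", PAYLOAD))
    print("real credentials still work:", login_fixed(db, "admin", "s3cret"))
```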


About this Entry

This page contains a single entry by dom published on November 8, 2004 8:39 PM.
