Guestbook Script Security Update

(April 25, 2006)

We have discovered a bug in Guestbook Script that, under certain circumstances, allows a third party to inject code. A potential attacker would be able to read local files on the server or to include malicious code hosted on a third-party server. All versions up to and including 1.7 are affected. The following would be required for a successful attack:

Spy out of local files

- PHP INI setting register_globals = On
- PHP 4 or higher

Injection of code from another server

- PHP INI setting register_globals = On
- PHP 5 or higher
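As an added illustration (not Guestbook Script's own code, which this advisory does not reproduce), the following shows the general shape of the bug class described above and the hardening a maintainer would apply: a startup check that refuses to run while register_globals is on, the uninitialised-variable include pattern that this setting turns into a file-inclusion bug, and an allowlisted, directory-confined replacement. The function names, the `lang` parameter, the language-file naming scheme and the allowlist are assumptions made for the example.

```php
<?php
// Added example, not Guestbook Script code. Illustrates the register_globals
// include-injection pattern and its hardened counterpart.

// 1. Server-side check: register_globals=On is the precondition named in the
//    advisory for both attack variants, so refuse to run while it is enabled.
//    ini_get() may return "1"/"0" or "On"/"Off" depending on how it was set.
function registerGlobalsEnabled()
{
    $v = strtolower((string) ini_get('register_globals'));
    return in_array($v, array('1', 'on', 'true', 'yes'), true);
}

// 2. Vulnerable pattern (constructed illustration). $lang is never
//    initialised by the script, so with register_globals=On a request
//    parameter of the same name becomes its value and include() opens
//    whatever local path (or, on PHP 5 with allow_url_fopen, remote URL)
//    that parameter names.
function loadLanguageVulnerable()
{
    global $lang;                      // silently taken from the request
    include $lang . '.inc.php';
}

// 3. Hardened pattern: take the name only from explicit input, check it
//    against an allowlist, and build the path from a fixed directory.
//    Returns the resolved path, or null if the name must not be included.
function resolveLanguageFile($requested, $baseDir, array $allowed)
{
    if (!in_array($requested, $allowed, true)) {
        return null;                   // unknown name: never include it
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.inc.php');
    // realpath() resolves ".." and symlinks; confirm the result still lies
    // inside $baseDir before trusting it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function loadLanguageHardened($baseDir)
{
    // Always initialised, so register_globals can no longer pre-set it.
    $lang = isset($_GET['lang']) ? (string) $_GET['lang'] : 'en';
    $file = resolveLanguageFile($lang, $baseDir, array('en', 'de', 'fr'));
    if ($file === null) {
        $file = $baseDir . '/en.inc.php';   // safe default
    }
    include $file;
}

if (registerGlobalsEnabled()) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('This application requires register_globals = Off');
}

loadLanguageHardened(dirname(__FILE__) . '/lang');
```

The `realpath()` containment check is what makes the allowlist robust: even if an entry in `$allowed` were later misconfigured, an include is only performed on a file that actually resolves to a path below the language directory, which also rules out `php://` and `http://` wrappers because `realpath()` returns `false` for them.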

We strongly recommend updating to the current version 1.9. Please note: we have skipped version 1.8 for internal reasons.

In order to update an existing installation of version 1.7, you only need to replace the file /inc/common.inc.php with the new one.

Older versions of the script first need to be updated to version 1.7.