Guestbook Script Security Update
We have discovered a bug in Guestbook Script that, under certain circumstances, allows a third party to inject code. A potential attacker would be able to read local files on the server or to inject malicious code hosted on a third-party server. All versions up to and including 1.7 are affected. A successful attack requires the following:
Reading local files
- PHP INI setting register_globals = On
- PHP 4 or higher
Injection of code from another server
- PHP INI setting register_globals = On
- PHP 5 or higher
We strongly recommend updating to the current version 1.9. Please note: We have skipped version 1.8 for internal reasons.
To update an existing installation of version 1.7, you only need to replace the file /inc/common.inc.php with the new one.
Older versions of the script must first be updated to version 1.7.
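
The preconditions listed above can be turned into a quick exposure check. The following is an added example, not code from Guestbook Script; the function names are hypothetical, the sample rows are constructed, and the script version has to be supplied by the administrator.

```php
<?php
// Added example, not part of Guestbook Script. Function names are hypothetical.

// Interpret an ini flag the way PHP does: "on", "yes", "true" or a non-zero number.
// ini_get() returns false for unknown directives (register_globals no longer
// exists as of PHP 5.4.0), which counts as disabled here.
function ini_flag_enabled($raw)
{
    if ($raw === false || $raw === null) {
        return false;
    }
    $v = strtolower(trim((string) $raw));
    return in_array($v, array('on', 'yes', 'true'), true) || (int) $v !== 0;
}

// Map one installation onto the two attack scenarios listed in the advisory.
function guestbook_exposure($scriptVersion, $phpVersion, $registerGlobalsRaw)
{
    $affected = version_compare($scriptVersion, '1.7', '<=')
        && ini_flag_enabled($registerGlobalsRaw);
    return array(
        'local_file_read'       => $affected && version_compare($phpVersion, '4.0.0', '>='),
        'remote_code_injection' => $affected && version_compare($phpVersion, '5.0.0', '>='),
    );
}

// Constructed sample installations: script version, PHP version, register_globals value.
$samples = array(
    array('1.7', '4.4.9',  '1'),   // file read only
    array('1.5', '5.2.17', 'On'),  // both scenarios
    array('1.7', '5.2.17', ''),    // register_globals off: neither
    array('1.9', '5.2.17', '1'),   // fixed release: neither
);
// Last row: the PHP runtime executing this check, with a placeholder script version.
$samples[] = array('1.7', PHP_VERSION, ini_get('register_globals'));

foreach ($samples as $s) {
    $e = guestbook_exposure($s[0], $s[1], $s[2]);
    printf(
        "script %-4s php %-8s register_globals=%-5s file_read=%s remote_injection=%s\n",
        $s[0], $s[1], var_export($s[2], true),
        $e['local_file_read'] ? 'yes' : 'no',
        $e['remote_code_injection'] ? 'yes' : 'no'
    );
}
```

register_globals can be overridden per directory, so run the check through the web server from the guestbook's own directory rather than from the command line.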