Friday, February 8, 2008

advanced guestbook vulnerability

This is not a new vulnerability in "Advanced Guestbook",
but I am posting it here because no patch has been issued to fix it yet.

As per Bugtraq:
It has been reported that Advanced Guestbook is prone to a SQL injection vulnerability that could allow an attacker to gain administrative access to the application.

This issue is reported to exist in Advanced Guestbook 2.2, however, it is possible that other versions are affected as well.

The following proof of concept exploits have been provided:

JQ explains that it is possible to trigger this issue by leaving the username entry blank and entering the following string in the password field:

') OR ('a' = 'a

Spy Hat comments that it is also possible to leverage this issue by leaving the password field blank and entering the following string into the username field:

? or 1=1 --

For laymen:

In simple terms,
Advanced Guestbook v2.2 has an SQL injection problem which allows unauthorized access.
Proof of concept can be found by googling for "intitle:guestbook "advanced guestbook 2.2 powered"".

This Google query shows results for websites with "Advanced Guestbook v2.2" installed. An attacker can select any of the results and use this SQL injection to gain unauthorized access.

It is strongly recommended to change the name/location of www.example.com/guestbook/admin.php.
Also, this vulnerability is reportedly fixed in version 2.3.1.
Update your version immediately if you are still running the old version.
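
Why the password-field string quoted above works, and what the code-level fix looks like, as an added example that is not part of the original post and not Advanced Guestbook's own code. It assumes a login query built by string concatenation that wraps the password in a hash function call; the `auth` table, `pw_hash` and the function names are hypothetical, and Python with SQLite is used so it runs offline.

```python
import hashlib
import sqlite3

def pw_hash(value):
    # Hypothetical stand-in for a database-side password hashing function.
    return hashlib.sha256(value.encode()).hexdigest()

def make_db():
    # Constructed sample data: one admin row in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.create_function("pw_hash", 1, pw_hash)
    db.execute("CREATE TABLE auth (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO auth (username, password) VALUES (?, ?)",
               ("admin", pw_hash("constructed-sample-password")))
    return db

def render_vulnerable_sql(username, password):
    # Assumed query shape: user input is pasted straight into the SQL text.
    return ("SELECT id FROM auth WHERE username = '%s' "
            "AND password = pw_hash('%s')" % (username, password))

def login_vulnerable(db, username, password):
    # Quotes and parentheses in the input become SQL syntax, not data.
    return db.execute(render_vulnerable_sql(username, password)).fetchone() is not None

def login_hardened(db, username, password):
    # Placeholders keep the input as bound values; it can never alter the statement.
    sql = "SELECT id FROM auth WHERE username = ? AND password = pw_hash(?)"
    return db.execute(sql, (username, password)).fetchone() is not None

# The password-field string quoted from Bugtraq above.
REPORTED_INPUT = "') OR ('a' = 'a"

if __name__ == "__main__":
    db = make_db()
    print(render_vulnerable_sql("", REPORTED_INPUT))
    print("vulnerable:", login_vulnerable(db, "", REPORTED_INPUT))
    print("hardened:  ", login_hardened(db, "", REPORTED_INPUT))
```

The leading `')` closes the hash call early and the trailing `OR ('a' = 'a')` is true for every row, so the concatenated check passes with no credentials; with placeholders the same string is only hashed and compared.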

My First Post

Hi,

This is my first post on "Latest Exploits and Vulnerabilities".
I named this blog while keeping in mind the meaning of the words used.
I will try to update this blog with the latest exploits and vulnerabilities.

If you like the content of this blog, you can also visit my website located at:

http://hacking.isgreat.org

Thank you for visiting this blog.