Please Spam My Dolphin Site

Dear Spammers,


Please spam my Dolphin 6.1.4 site.


Seriously folks, you may as well put the above text in a great big yellow banner at the top of your site, if you have a standard issue guestbook.php file residing on your site.  I was unaware of this huge doorway for spammers until this blog post by selo12: http://www.boonex.com/unity/blog/entry/Am_I_hacked_User_id_0_what_who_is_this_please_take_a_look


For a spambot to add entries to any guest book on your site, all that spambot has to do is access this url:


YourDolphinSite.com/guestbook.php?owner=1&action=show_add   


By changing 'owner=1' to any other user id, the spambot can freely add entries to that owner's guestbook, regardless of the guestbook settings you have applied in admin.  If you have the standard issue guestbook.php on your site, and you have more than a few members on your site, odds are that some of your members' guest books are loaded with spam.  Nice.


I did search the forums, and this has been mentioned in the past, but I felt it was certainly worth mentioning again.  I did see a fix posted, but for many, the damage has probably already been done.  There should have been a security patch released as soon as this spammer's dream come true was first discovered.  The download package should have been immediately updated, and Boonex should have posted a security alert.  Well, none of that happened as far as I can tell, and I hope that sort of thing never happens with D7.  When any type of vulnerability is discovered, a series of steps should immediately be taken to correct that vulnerability as soon as possible.  Security patches, of any degree, should be the number one priority.... for any script developer.


My solution was to just remove 'guestbook' from the navigation menu and I deleted guestbook.php from my server.  I have no use for a guestbook that is open to spammers.  For those of you that have hundreds or thousands of members, and were unaware of this guestbook spamming vulnerability, I don't envy you because you probably have a lot of cleanup work to do.


My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 13 Apr 2009

Want to just read guest books?

Just access this url:

AnyDolphinSite.com/guestbook.php?owner=1
Just change the owner number to view any guest book you want to.  I bet it won't take long to find spam posts.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 13 Apr 2009

Lol nice, thanks for the info


there's an easy fix to this

open guestbook.php

at about lines 26-30


// Authentication is not required here; just check whether somebody is logged in.
// Original (as shipped): every member_auth() call gets false as its second argument,
// so guestbook.php hands the add form to anyone, logged in or not.

if ( !( $logged['admin'] = member_auth( 1, false ) ) )
    if ( !( $logged['member'] = member_auth( 0, false ) ) )
        if ( !( $logged['aff'] = member_auth( 2, false ) ) )
            $logged['moderator'] = member_auth( 3, false );

--------------------------------------------------------------------

// Fixed: passing true for members and affiliates makes member_auth() require a
// login, so a logged-out visitor (or a spambot) is no longer given the add form.

if ( !( $logged['admin'] = member_auth( 1, false ) ) )
    if ( !( $logged['member'] = member_auth( 0, true ) ) )
        if ( !( $logged['aff'] = member_auth( 2, true ) ) )
            $logged['moderator'] = member_auth( 3, false );

--------------------------------------------------------

that should do the trick

go back to your site, make sure you are logged out, and try it again

YourDolphinSite.com/guestbook.php?owner=1&action=show_add

AnyDolphinSite.com/guestbook.php?owner=1

Quote · 13 Apr 2009
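As an added example (not code from this thread or from Boonex), here is a small Python log triage that finds the pattern the first post describes in a web server's access log: one client opening guestbook.php?owner=N&action=show_add (or POSTing to guestbook.php) for many different owner ids in a row. It assumes Apache "combined" log format, uses constructed sample lines, and the function names are the example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache "combined" format (not from any real site).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2009:10:01:02 +0000] "GET /guestbook.php?owner=1&action=show_add HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Apr/2009:10:01:04 +0000] "GET /guestbook.php?owner=2&action=show_add HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Apr/2009:10:01:06 +0000] "GET /guestbook.php?owner=3&action=show_add HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Apr/2009:10:01:08 +0000] "POST /guestbook.php?owner=4 HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [13/Apr/2009:11:30:00 +0000] "GET /guestbook.php?owner=7 HTTP/1.1" 200 4000 "http://example.com/" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2009:11:30:20 +0000] "GET /guestbook.php?owner=7&action=show_add HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Fields of one log line as a dict, or None when the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_guestbook_add(rec):
    """True when the request opens the guestbook add form (action=show_add) or POSTs to guestbook.php."""
    url = urlsplit(rec["path"])
    if not url.path.endswith("/guestbook.php"):
        return False
    return rec["method"] == "POST" or parse_qs(url.query).get("action", [""])[0] == "show_add"

def owner_id(rec):
    """The guestbook owner targeted by the request, or None if the owner parameter is not a plain integer."""
    val = parse_qs(urlsplit(rec["path"]).query).get("owner", [""])[0]
    return int(val) if val.isdigit() else None

def triage(lines, min_owners=3):
    """Group add-form hits by client IP; keep clients that walked at least min_owners different guest books."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_guestbook_add(rec):
            oid = owner_id(rec)
            if oid is not None:
                hits[rec["ip"]].add(oid)
    return {ip: sorted(owners) for ip, owners in hits.items() if len(owners) >= min_owners}

def affected_owners(lines, min_owners=3):
    """Owner ids touched by flagged clients: the guest books to inspect and clean first."""
    return sorted({o for owners in triage(lines, min_owners).values() for o in owners})
```

Run it over your real access log with `triage(open("access.log").read().splitlines())`; the single legitimate visitor in the sample (one owner, site referer) is not flagged, while the client walking owner ids 1 through 4 is.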

Yeah.....I've seen other fixes.   I think my deleting guestbook.php is a pretty slick fix though..... no editing required :)

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 13 Apr 2009

Almost as fast. Still requires a click though.

EDIT: Hmmm. What's the point of the emotes if the laughing smilie is replaced with the word laughing when you save?

https://www.deanbassett.com
Quote · 13 Apr 2009

Yeah, the fix was easy enough. However, I tend to believe what houstonlively says: this was discovered some time ago, nearly a year ago I think, and nothing has been done. The download script should have been updated so that all new downloads would not be facing that same situation.

I don't see why we would need blogs, forums, and a guestbook; a guestbook is a thing of the past, back before we had the slew of a**es on the internet that have nothing better to do with their time than to try to screw up somebody's work. If any of you recall php-nuke, man, I had the hardest time with that script, was always and forever getting torn off by some Russian ass group. I finally gave up; they weren't really hurting anything except for the index page, and most of the time they weren't hurting that, they would just use a php shell script and load up an index.html, which of course with most CMSs the index.php would serve secondly.

Oh well, live and learn, learn and live.

Thanks Houston for bringing this up once again.

Regards,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
Quote · 14 Apr 2009

The damage is done.  Just look at all the hits this google search returns:


http://www.google.com/search?hl=en&q=%22guestbook.php%3Fowner%3D%22+%2Bviagra


... and that's only one spam word.  

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 14 Apr 2009

They got me so bad with spamming my guest book it shut down my site!!!!

Take Houston's advice, do something to prevent this from happening to you.

Quote · 14 Apr 2009

I just started my new site 2 weeks ago and already had 135 postings in my own guest book. You're right, this should have been taken care of a long time ago. Thanks for the patch... Disstudem

Quote · 25 Apr 2009

Delete guestbook.php. It is absolutely useless and is not accessible from the site itself. It is a well-known loophole though, which is easily exploited by spam bots.

Quote · 27 Apr 2009

I've removed the guestbook.php file from my server.

How do I now delete the spam entries, and remove the link in the navigation menu to that page?

Thanks,

Bill

newbreed
Quote · 27 Apr 2009

I deleted them all fairly quickly through the database. Be careful if you are not used to playing in there, and backing it up before might be a good idea.

And of course back it up right after as well, just in case you do need to use your backup; you don't want to use the spammed version.

Quote · 2 May 2009

Thanks for the tip-off.

Quote · 4 May 2009