Bugtraq mailing list archives

Re: Kent's Guestbook database exploit

From: security curmudgeon <jericho () attrition org>
Date: Sat, 6 Aug 2005 00:28:44 -0400 (EDT)


: hello ,
: 
: site :  http://kentldyer.com/guestbook/default.asp

The site runs a guestbook but.. follow:

http://kentldyer.com/
'guestbook' on upper right bar
http://kentldyer.com/guestbook/   (open directory)
http://kentldyer.com/guestbook/readme.txt

Guestbook by Kathi O'Shea
http://www.attitude.com/users/kathi/asp (ASP Tutorial Site)
http://www.web-savant.com (business site)
kathi () attitude com (support & comments)
info () web-savant com (design and customization)

Guestbook Instructions

IMPORTANT!! This guestbook will only work on an ASP-enabled site,
and you must have script permissions on the directory where the
ASP scripts are located. This script will not work on GeoCities,
AOL, or most (if not all) of the free homepage sites. If you're
not sure if your site is ASP-enabled, contact your system administrator.

1. Files contained in this distribution

README.TXT (this file)
Guestbook.mdb
sign.asp
administration.asp
default.asp

[..]

That open directory has Guestbook.mdb *and* Guestbook1.mdb for some 
reason. Either way, this doesn't look like "Kent's Guestbook" as a 
product/vendor, rather probably Kathi O'Shea Guestbook.

Current thread:

Re: Kent's Guestbook database exploit security curmudgeon (Aug 09)