Upgrading from DigiOz Guestbook Version 1.7.2 to 1.7.3

11 years 8 months ago - 10 years 8 months ago #12434 by Pete
Hello All,

Below is how you can upgrade your DigiOz Guestbook Version 1.7.2 to the newly released version 1.7.3. This release is a security patch that we recommend users apply to their guestbooks as soon as possible.

Steps:
  • Step 1 - Copy the following files from the new zip file found HERE into your current guestbook, replacing the old one:
    • add.php
    • sanitize.php
    • search.php
  • Step 2 - Open the file "config.php". Find this line:
    Code:
    <?php
    Replace it with this:
    Code:
    <?php
    // Version of this Guestbook ---------------------------------------------------------
    $gb_version = "1.7.3";
  • Step 3 - Open the file "footer.php". Find this line:
    Code:
    [url=http://www.digioz.com]<FONT class=training face=verdana, arial size=-2>DigiOz Guestbook Version 1.7.2<br>&copy; 2007 DigiOz Multimedia. </FONT>[/url]
    Replace it with this:
    Code:
    [url=http://www.digioz.com]<FONT class=training face=verdana, arial size=-2>Powered by DigiOz Guestbook<br>&copy; 2007-2012 DigiOz Multimedia. </FONT>[/url]
  • Step 4 - Open the file "add.php". Find this code:
    Code:
    if (!isset($error)) {
    Replace it with this:
    Code:
    if (!isset($error)) {
        include("sanitize.php");
    Find this line:
    Code:
    $message_log_string = $message_time_log." | ".$message_ip_log." | ".$message_ip_address_log." | ".$yourname." | ".$yourmessage."\n";
    Replace with the following:
    Code:
    $message_log_string = $message_time_log." | ".$message_ip_log." | ".$message_ip_address_log." | ".sanitize_html_string($yourname)." | ".sanitize_html_string($yourmessage)."\n";
    Find this line:
    Code:
    $message_log_string = $message_time_log." | ".$message_ip_log." | ".$message_ip_address_log." | ".$yourname."\n";
    Replace it with this:
    Code:
    $message_log_string = $message_time_log." | ".$message_ip_log." | ".$message_ip_address_log." | ".sanitize_html_string($yourname)."\n";
  • Step 5 - Open the file "search.php". Find this code block:
    Code:
    $search = $_POST['search_term']; // get user search information
    $pageNum = $_GET['page']; // generated only on multi-page results and selected by user
    Replace it with the following:
    Code:
    $search = sanitize_html_string($_POST['search_term']);
    $pageNum = sanitize_int($_GET['page'],0,9000);
    if ($search == "") {
        $search = sanitize_html_string($_GET['search_term']);
    }

That's it! You are now upgraded to Version 1.7.3.

Thanks,
Pete

DigiOz Webmaster
www.digioz.com
Last edit: 10 years 8 months ago by Pete.

11 years 8 months ago #12439 by P Wormer
I updated the guestbook software and checked Pete's sanitizing steps of August 16 2012. However, the special characters double quote (") and line break (\n) in the messages are now explicitly listed as &#34; and <br>. When I comment out the assignments $yourmessage = str_replace(..) in the function "clean_message()" the problem is gone. Is it possible that the sanitation is done once too often? Or am I now vulnerable to code injection, after I commented out the cleanup of $yourmessage?

11 years 8 months ago #12440 by P Wormer
Sorry, my mistake, ignore previous message. Sanitation was indeed performed once too often, but that was my own doing. At the same time I noticed that single quote ($rep1[3]) is not replaced by &#39; in function "clean_message". Is that OK?

11 years 8 months ago #12441 by Pete
Yes, because it is replaced in a different function in the code. You're fine. :)

Thanks,
Pete

DigiOz Webmaster
www.digioz.com
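As an added example (not code from the DigiOz Guestbook or from any post in this thread), the script below puts Step 5's search.php code side by side with its pre-1.7.3 form and reproduces the double-encoding effect P Wormer describes. sanitize.php itself is not shown in the thread, so sanitize_html_string() and sanitize_int() here are assumed stand-ins built on htmlspecialchars() and a clamped integer parse; the real helpers (which, per the thread, emit &#34; rather than &quot; for a double quote) may differ in detail. $_POST and $_GET are replaced by constructed arrays so it runs from the command line.

```php
<?php
// Added example, not DigiOz Guestbook source. sanitize.php is not shown on
// the page, so the two helpers below are ASSUMED stand-ins that behave the
// way Steps 4 and 5 use them; the real file may differ.

// Assumed stand-in for sanitize_html_string(): encode every HTML
// metacharacter, including both quote styles, so the value is inert when
// echoed into a page or written to the message log.
function sanitize_html_string($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Assumed stand-in for sanitize_int($value, $min, $max): accept only a plain
// decimal integer inside [$min, $max]; anything else collapses to $min.
function sanitize_int($value, $min, $max)
{
    if (!is_scalar($value) || !preg_match('/^\d+$/', (string) $value)) {
        return $min;
    }
    $n = (int) $value;
    return ($n < $min || $n > $max) ? $min : $n;
}

// Pre-1.7.3 search.php pattern: raw request data flows straight into the
// results page and into the paging logic.
function search_unpatched(array $post, array $get)
{
    $search  = isset($post['search_term']) ? $post['search_term'] : '';
    $pageNum = isset($get['page']) ? $get['page'] : 0;
    return array('search' => $search, 'page' => $pageNum);
}

// 1.7.3 pattern from Step 5: encode the term, clamp the page number, and
// fall back to a GET search term (also encoded) when POST carried none.
function search_patched(array $post, array $get)
{
    $search  = sanitize_html_string(isset($post['search_term']) ? $post['search_term'] : '');
    $pageNum = sanitize_int(isset($get['page']) ? $get['page'] : 0, 0, 9000);
    if ($search == "") {
        $search = sanitize_html_string(isset($get['search_term']) ? $get['search_term'] : '');
    }
    return array('search' => $search, 'page' => $pageNum);
}

// Constructed request: a script tag as the search term, junk in "page".
$post = array('search_term' => '<script>alert(1)</script>');
$get  = array('page' => 'abc');

$before = search_unpatched($post, $get);
$after  = search_patched($post, $get);
echo "unpatched: ", $before['search'], " page=", $before['page'], "\n";
echo "patched:   ", $after['search'],  " page=", $after['page'],  "\n";

// Over-range page numbers are clamped too.
echo "page 100000 -> ", sanitize_int('100000', 0, 9000), "\n";

// The double-sanitising pitfall from the follow-up posts: encoding a value
// once on the way into the log and again on the way out displays the
// entities themselves instead of the characters they stand for.
$msg   = 'He said "hi"';
$once  = sanitize_html_string($msg);
$twice = sanitize_html_string($once);
echo "encoded once:  ", $once, "\n";
echo "encoded twice: ", $twice, "\n";
```

Run it with `php example.php`. The important design point is that Step 4 encodes the name and message at the moment they are written to the log, so any output path that re-encodes the stored text will show literal entities; encode at exactly one boundary, either on storage or on display, not both.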

11 years 6 months ago #12564 by jr212
Hi,

Is there a way to edit the messages?

Jan

11 years 6 months ago #12565 by Pete
Not with the current version, but its in the works for the next version.

DigiOz Webmaster
www.digioz.com

Powered by Kunena Forum