Andreas
11-16-2004, 06:29 AM
Dear guestbook owner,
Yesterday all guestbooks were altered to reflect the look and style of one single guestbook. This was not done by a hacker, but was due to an error in the system that in certain cases has allowed a single user to overwrite all guestbooks (messages were not affected).
Just to clarify a security concern: Your emails or passwords were never hacked or revealed to anyone, but overwritten to reflect the email and password of one single user.
Automatic backups of the systems are created frequently (both locally and on a separate server), and the database has been restored. Accounts created in the past few hours have been erased. The same is true for messages created in the same timespan.
I realize that this is totally unacceptable for you all and I am doing my best to figure out how this could happen. Although I previously announced that I thought I had solved this problem, this is obviously not the case.
If there are any PHP/MySQL security-wizards out there I would more than appreciate your assistance. There are only a few places in the guestbook system where an error such as this one can take place; as such, I am very surprised that I have not yet found it, but still confident that a solution is not far away.
Feel free to contact me if you have any further questions, comments or concerns.