Script URL: N/A
Version of script: 1.7
Hosting company: Host Gator
URL of phpinfo.php:
URL of session_test.php:
What terms did you try when SEARCHING for a solution: Many
Write your message below:
I hope this is not a flaw, but if it is, I hope we can get it resolved. After running some tests, I see that Entropy Search (from CGI in CPanel) will list the domain/guestbook/datalife.txt in its search results. Meaning - everyone and anyone in the world can simply visit http://www.domain.com/guestbook/datalife.txt and view the entire file. Is this fixable?
Thanks
Anyone Can View Your Guests' Email Addy's?
- Posts: 2
- Joined: Wed Dec 29, 2010 6:03 pm
Re: Anyone Can View Your Guests' Email Addy's?
You should name your "entries.txt" to "SomeSpecialNameNoOneCanGuess.txt".
By giving the entries file a unique and hard to guess name (like "8Wi-t_0gE68_OZ_al7m-U.txt") you can rest assured no one will be able to find the name and type it in the browser to view the data inside.
Your entropy search is probably indexing files/folders locally and so it can access any file on the server, but a good search script should give you a way to exclude files from being indexed (just make sure you don't put the hidden name in the robots.txt file as anyone can view that).
Klemen, creator of HESK and PHPJunkyard
Was this helpful? You can buy me a drink here
You should follow me on Twitter here
Help desk software | Cloud help desk | Guestbook | Link manager | Click counter | more PHP Scripts ...
Also browse for php hosting companies, read php books, find php resources and use webmaster tools
Re: Anyone Can View Your Guests' Email Addy's?
Hi there,
Well I don't see an 'entries' file but I do have that datalife.txt file. I tried to change the name but then the guestbook went blank, like all the entries were erased. I changed it back to datalife.txt and it's back to normal. Am I doing something wrong here?
Thanks in advance
Re: Anyone Can View Your Guests' Email Addy's?
You did that right.
But you also need to change in the file settings.php the entry
Code:
/* Name of the file where guestbook entries will be stored */
$settings['logfile']='datalife.txt';
Where datalife.txt should be changed to the new name of the file.
Greetings,
Henrie
I do not monitor the Gbook forums regularly anymore since I have not used the Gbook script myself for a long time. But it helped me a lot in learning to understand PHP.
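The rename-and-update-settings procedure from this thread, as an added example that is not part of the original posts or of the GBook script: it audits the configured entries file name and rotates it to a random one. The function names, the 16-character length threshold and the sample directory are assumptions; the `$settings['logfile']` line is the one quoted above.

```python
import re
import secrets
import tempfile
from pathlib import Path

# The settings.php line quoted in the thread: $settings['logfile']='datalife.txt';
LOGFILE_RE = re.compile(r"(\$settings\['logfile'\]\s*=\s*')([^']*)(')")
KNOWN_NAMES = {"datalife.txt", "entries.txt"}  # file names mentioned in the thread


def current_name(gbook_dir):
    """Return the entries file name configured in settings.php."""
    match = LOGFILE_RE.search((Path(gbook_dir) / "settings.php").read_text())
    if match is None:
        raise ValueError("no $settings['logfile'] entry in settings.php")
    return match.group(2)


def audit(gbook_dir, robots_txt=""):
    """Return findings about the configured entries file name."""
    name, findings = current_name(gbook_dir), []
    if name in KNOWN_NAMES or len(Path(name).stem) < 16:  # assumed length threshold
        findings.append("guessable name: " + name)
    if name in robots_txt:  # robots.txt is public, so a name listed there is disclosed
        findings.append("listed in robots.txt: " + name)
    return findings


def rotate(gbook_dir):
    """Rename the entries file to a random name and point settings.php at it."""
    settings = Path(gbook_dir) / "settings.php"
    old, new = current_name(gbook_dir), secrets.token_hex(16) + ".txt"  # 128 random bits
    # Rename first: if this fails, settings.php still names the existing file.
    (settings.parent / old).rename(settings.parent / new)
    settings.write_text(LOGFILE_RE.sub(rf"\g<1>{new}\g<3>", settings.read_text(), count=1))
    return old, new


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)  # constructed guestbook directory, not real data
        (d / "settings.php").write_text("<?php\n$settings['logfile']='datalife.txt';\n")
        (d / "datalife.txt").write_text("constructed entry\n")
        before = audit(d, "Disallow: /guestbook/datalife.txt\n")
        old, new = rotate(d)
        return before, old, (d / new).exists(), audit(d)


if __name__ == "__main__":
    print(demo())
```

The renamed file is still served to anyone who learns its name, so keep the name out of robots.txt, links and local search indexes.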