AV Arcade BugFix - XSS Exploit | Abeon Tech

This blog is NOFOLLOW Free!

06 Jan 2009 @ 1:43 PM

AV Arcade BugFix – XSS Exploit

Thanks to dan20071 for letting me know about this

The Problem:

EDITED::…
This was originally reported as link spam, but could easily be a lot worse.

When registering, the user name field is open to possible attack.
Code will be processed on the members page.
The code can be overflown to the homepage fairly easily.
XSS can be used.

I would now consider this as a serious exploit.
I would suggest fixing this bug A.S.A.P

The Fix:

Backup then open yoursite.com/register.php
Find:
60
$info2 = htmlspecialchars($info);

Add below:

61	$username = htmlspecialchars($username);

Backup then open yoursite.com/admin/manage_users.php
Find:

33	while($row = mysql_fetch_array($sql)){<tr>

Add below:

34	$username = htmlspecialchars($username);

Save and upload all files.
Search your members list for any user names shown as code and delete (You could also I.P. ban them).

This function could easily be expanded for further validation.

Tags

Tags: Anti Spam, BugFix
Categories: AV Arcade Posted By: Abe
Last Edit: 08 Jan 2009 @ 06 13 PM

E-mail • Permalink

Responses to this post » (One Total)

Abe said...
1:40 pm - February 11th, 2009
This bug has been fixed in AV Arcades’ v4.0.2 update.

Comment Meta:
RSS Feed for comments
TrackBack URI

Leave A Comment ...

You must be logged in to post a comment.

XHTML:
You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="">

$\/$ More Options ...

AV Arcade (5)
Gaming (2)
Random (3)
Security (7)
SEO (2)
Web Design (8)

Register an account

Change Theme...

[Logged Out]
Login

Role »
Posts »
Comments »

Change Theme...

Void (Default)
Life
Earth
Wind
Water
Fire
Lightweight