06 Jan 2009 @ 1:43 PM 


Thanks to dan20071 for letting me know about this :)

The Problem:

EDITED::…
This was originally reported as link spam, but could easily be a lot worse.

When registering, the user name field is not escaped and is open to attack.
Whatever is entered is processed as code on the members page.
The code can spill over onto the homepage fairly easily.
XSS can be used.

I would now consider this a serious exploit.
I would suggest fixing this bug A.S.A.P.

The Fix:

  1. Backup then open yoursite.com/register.php
  2. Find (line 60):
    $info2 = htmlspecialchars($info);
  3. Add below (line 61):
    $username = htmlspecialchars($username);
  4. Backup then open yoursite.com/admin/manage_users.php
  5. Find (line 33):
    while($row = mysql_fetch_array($sql)){<tr>
  6. Add below (line 34):
    $username = htmlspecialchars($username);
  7. Save and upload all files.
  8. Search your members list for any user names shown as code and delete them (you could also I.P. ban them).
  9. This function could easily be expanded for further validation.
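The same fix in stand-alone PHP, as an added example rather than AV Arcade's own code: the unescaped members-page row beside its escaped form, plus a sweep of the members table for names that would already render as code (the clean-up step above). The `esc()` helper, the allowlist pattern and the sample rows are assumptions, not taken from the script.

```php
<?php
// Added example, not AV Arcade's code. Shows the bug the post describes
// (a user name echoed into HTML unescaped) beside the fix. Constructed data.

// Escape at output time, wherever the name is echoed. ENT_QUOTES matters:
// on PHP < 8.1 the default flags leave single quotes alone, which is not
// enough for a name that lands inside title='...'.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Registration-side allowlist (assumed policy for plain handles), the
// "further validation" the post mentions.
function valid_username(string $name): bool {
    return preg_match('/^[A-Za-z0-9_.-]{3,20}$/', $name) === 1;
}

// Vulnerable pattern: the stored name is placed in the page as-is.
function member_row_vulnerable(array $row): string {
    return "<tr><td title='{$row['username']}'>{$row['username']}</td>"
         . "<td>{$row['score']}</td></tr>";
}

// Fixed pattern: same row, name escaped in both the attribute and the text.
function member_row_fixed(array $row): string {
    $u = esc($row['username']);
    return "<tr><td title='$u'>$u</td><td>" . (int) $row['score'] . '</td></tr>';
}

// Sweep of the members table: names failing the allowlist are the ones
// already rendering as code and should be reviewed or deleted.
function suspicious_usernames(array $members): array {
    return array_values(array_filter(
        array_column($members, 'username'),
        function ($u) { return !valid_username($u); }
    ));
}

// Constructed rows, shaped like what mysql_fetch_array returned in 2009.
$members = [
    ['username' => 'dan20071',                  'score' => 120],
    ['username' => '<script>alert(1)</script>', 'score' => 0],
    ['username' => "x' onmouseover='alert(1)",  'score' => 0],
];

foreach ($members as $row) {
    echo member_row_vulnerable($row), "\n";  // browser runs the markup
    echo member_row_fixed($row), "\n";       // browser shows it as text
}
print_r(suspicious_usernames($members));     // the two injected names
```

The third row is the reason the escaped form uses ENT_QUOTES: with the pre-8.1 default flags the single quote survives and the name still breaks out of the title attribute.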



Posted By: Abe
Last Edit: 08 Aug 2009 @ 11:53 AM

Categories: AV Arcade


 

Responses to this post » (3 Total)

 
  1. Abe says:

    This bug has been fixed in AV Arcade's v4.0.2 update.

  2. buzzlnks says:

    I'm glad it was fixed, but it's too late now that I stopped using the script due to some major bugs. I'm not sure if I should start again. BTW, when will you be releasing the update of your mods and template for the new version of the script?

  3. Abe says:

    I will update my mods and make a few free skins when version 5 of AV Arcade is released.

    I think it will be soon as Andy has added a v5 section to the forum.
