#16
Hrm... I mean, it seems to work for me; the arcade works fine: normal users can buy arcade passes and then pay per play, while subscribed users get it for free. If you wanna see the work I do: http://forums.qj.net
__________________
~Battlez-avec la Mystique?~
#17
Well, the donate is not the only problem, btw.
You can reproduce the same bug with all things that send a PM (gift, ribbon etc., where the user is typing a message). The simplest method to fix this is to clean the input, as I had written in the other thread. The only problem is that only the author or the admins would know of any other vulnerabilities apart from this one; that's why we can't claim that it is a fix.
#18
The main issue basically is that it doesn't have certain text input checking... which I added on mine to avoid it. Yes, the author has to be the one to look at it; however, if not, we may just release the patch.
Basically I think the biggest thing is to not allow it to use any form of scripts or ASCII that isn't standard... that would solve a lot right there.
__________________
~Battlez-avec la Mystique?~
#19
That's what I said... instead of strip tags, just make that htmlentity and it will protect you from the XSS exploit. You have to do that at 5-6 places. (HERE)
The only issue being if someone can confirm that's the only issue... lol
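An added example, not the mod's or vBulletin's own code, contrasting the strip_tags() approach against the htmlentities() fix suggested above on a few constructed PM message strings. The function names and the sample messages are assumptions made up for the illustration; the point is what each call does to angle brackets, quotes, and innocent text.

```php
<?php
// Added example, not the mod's or vBulletin's own code. It contrasts the two
// sanitizers discussed in this thread for the message text a user types into
// the donate/gift/ribbon PM forms. Function names and sample inputs are
// constructed for illustration.

// Weak: strip_tags() deletes markup but leaves quotes alone, and it also
// mangles innocent text (an unclosed '<' swallows the rest of the string).
function sanitize_with_strip_tags(string $message): string
{
    return strip_tags($message);
}

// Fix proposed in the thread: encode the text for an HTML context so the
// browser renders it literally. ENT_QUOTES also encodes single quotes, which
// matters if the value is ever placed inside an attribute.
function sanitize_with_htmlentities(string $message): string
{
    return htmlentities($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Check a practitioner can run over already-stored messages: after encoding,
// no raw HTML-significant character should survive.
function looks_html_safe(string $s): bool
{
    return preg_match('/[<>"\']/', $s) === 0;
}

// Constructed sample messages.
$samples = [
    'Thanks for the gift! <3',
    'Check this <b>out</b>',
    '<script>alert(1)</script>',
    'He said "hi" & left',
];

foreach ($samples as $s) {
    $weak  = sanitize_with_strip_tags($s);
    $fixed = sanitize_with_htmlentities($s);
    printf("input:        %s\nstrip_tags:   %s\nhtmlentities: %s (safe: %s)\n\n",
        $s, $weak, $fixed, looks_html_safe($fixed) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The first sample shows the "removing some function as it was designed" cost of strip_tags(): the user's "<3" disappears entirely, while htmlentities() keeps it as `&lt;3`. The last sample shows that strip_tags() passes the quotes through untouched, which is exactly what matters once the message is echoed inside an HTML attribute. Whichever of the 5-6 places you patch, the encoding has to happen at every spot where the text is written back into a page, not just on the donate form.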
#20
If that's the fix for it, can somebody post the zip? I have to reinstall it but I can't find it anywhere...
#21
The issue is... some of us know and fixed it by hand. However, we don't wanna release anything since it's up to the author to look and get back to us on things. Not that we patch with an unofficial thing and something else goes wrong. But the author IS alive; he PMed me recently about things. =)
__________________
~Battlez-avec la Mystique?~
#22
Originally Posted by Mysticales
Could you release an unofficial release tut or file on how to fix the things that you are aware of?
That way we can use it at our own risk for the time being. Also, I'm sure if you release a fix, the admins at this site would be able to test if any of the exploits still existed in your fix. As an example of a fix tut, all you would have to do is something like this:
file: file name
find this: dikgjdijdjf
change to this: jdgjdiogjd
template: xyz
find this: ikdgkdgd
change to this: digidg
That way we can make the changes ourselves if you can't release a file. Thanks for anything you can offer; if not, it's cool, and hopefully you will be able to keep us updated with anything you hear. Thanks.
__________________
Gamerz Needs - For All Your Gaming Needs!
#23
Originally Posted by Mysticales
Thank you for your response... it's very appreciated... Next to the Arcade, it's the most popular thing on my board. I'll just have to be patient and wait and hope the author comes back with it...
#24
I'll give it another week before I release my notes. This way I know nothing else on my forum got messed up or is at risk.
__________________
~Battlez-avec la Mystique?~
#25
Thanks.
__________________
Gamerz Needs - For All Your Gaming Needs!
#26
Just remember, there are 2 things to consider.
1: You patch like me and thus remove some function as it was designed, or
2: You attempt to use HTML strippers etc. that should in theory negate any harmful script or text input.
Oh yeah, forgot, there is an Apache mod too for harmful scripts... In a nutshell, I may give my users elements from the items, but I may disable things from it. All I know is nothing too major has come up yet with all the stuff I do. =) Just wish I had a way to upgrade to 3.6 without losing all my work... sigh... that's the only reason I don't upgrade: I have a lot of custom coded work in there.
__________________
~Battlez-avec la Mystique?~