  #1  
22 Jul 2006, 09:38
FatalBreeze
Join Date: Apr 2004
Real name: Aviad
major security hole in uShop

Hi guys, I've noticed that if I'm in the shop and use this link:
.../ushop.php?do=richestusers&page=<script>alert("Owned%20By%20FatalBreeze")</script>

It works!!

Maybe we should just add intval() or something like that?

As a noob coder I'm not exactly aware of the consequences this may have, but I guess they are pretty harsh.

Btw, I'm using the latest version of uCash&uShop on vB 3.5.4.

Last edited by FatalBreeze; 22 Jul 2006 at 09:46.
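
The intval() idea from the post above, as an added example that is not part of the original thread and not uShop's actual code. The function names, the link markup and the page limit of 25 are assumptions; the handler is a hypothetical stand-in for whatever uShop does with the `page` parameter.

```php
<?php
// Added example: hypothetical pagination handler, not uShop's actual code.

// Vulnerable pattern: the raw query-string value is echoed into the HTML.
function render_pager_vulnerable(array $query): string
{
    $page = $query['page'] ?? '1';
    return '<a href="ushop.php?do=richestusers&amp;page=' . $page . '">Page ' . $page . '</a>';
}

// Hardened pattern: force the value to an integer and clamp it to the
// valid range, so nothing but a number can ever reach the template.
function clean_page($raw, int $maxPage): int
{
    // Arrays (page[]=x) and non-numeric strings both collapse to page 1.
    $page = is_scalar($raw) ? intval($raw) : 1;
    return max(1, min($page, max(1, $maxPage)));
}

// Output is still escaped, as a second layer behind the integer cast.
function render_pager_hardened(array $query, int $maxPage): string
{
    $page = clean_page($query['page'] ?? 1, $maxPage);
    $href = 'ushop.php?do=richestusers&page=' . $page;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Page '
         . htmlspecialchars((string) $page, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed input: the value reported in this thread.
$query = ['page' => '<script>alert("Owned By FatalBreeze")</script>'];

echo render_pager_vulnerable($query), "\n";   // markup from the URL reaches the page
echo render_pager_hardened($query, 25), "\n"; // page falls back to 1
```

The cast alone is enough for a numeric parameter like this one; the escaping matters for any parameter that has to stay a string.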
  #2  
22 Jul 2006, 14:02
Zachery
Join Date: Jul 2002
Real name: Zachery Woods
uCS is no longer supported or developed, and we've already made references to move off of it.