XSS Vulnerabilities

[Sterling]

Still love this script and appreciate the makers and supporters of it. I just wanted to bring to attention that http://demo.freearcadescript.net/search/ is vulnerable to hackers.  Just try using that search form with this input
"<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>" (without quotes). The rest of the site seems to be very strong though. Just thought I'd bring it up.

Cheers

[kurt]

You are correct. For some strange reason the search term is not getting run through the clean() function like it should be. Not sure how that happened. Easy fix though with no need to make much in the way of alterations or re upload the whole script.

In the template folder, find the file search.php and find

Code: [Select]


$keyword = mysql_real_escape_String($_POST['keyword']);



up near the top of the file and replace it with

Code: [Select]


$keyword = clean($_POST['keyword']);




I'll have to see if I can edit it and upload an new zip file tonight or tomorrow. Sorry about that folks.

[lopa]

&^#@ Hackers!

A couple of things.

mysql_real_escape_String - Has no Upper-case

clean isn't going to be around for much longer and possibly should not be used any more?

$keyword = strip_tags($_POST['keyword']);

Should return the same result as what you suggest with "clean".

But a filter like "preg_replace" everything other than (a-z : A-Z : 0-9) needs to be considered because if you don't check for an "empty" input, then stripping everything will cause search to loop and find every game file that is in the database.

In other words, even crap and hacking scripts need to be filtered to a point where "search" has some input and can return a "Not Found", rather than loop through the whole game files.

[Dillon]

clean is not a function in php its a function that they defined in functions.php

[lopa]

It's also the "Old Way of doing it"

search.php

Try changing this:

Code: [Select]

if(isset($_POST['keyword'])){
$keyword = mysql_real_escape_String($_POST['keyword']);

To:

if(isset($_POST['keyword'])){
$keyword = mysql_real_escape_string($_POST['keyword']);
// Remove tags
$keyword = preg_replace('/[<?*>]/is', '', $keyword);
// Replace HTML entities like &nbsp;
$keyword = preg_replace('/\b&[a-z]+;\b/', ' ', $keyword);
// Remove URL's
$keyword = preg_replace('/\b[a-z0-9]+:\/\/[a-z0-9\.\-]+(\/[a-z0-9\?\.%_\-\+=&\/]+)?/', ' ', $keyword);
That should give any hacking attempt some swish but also leave something to generate a "No Result".  

[Adam LaCombe]

The search feature should and will be totally re-done anyways. Its the most out dated and slowest way of searching a database lol.
I think I'll make a tutorial on how to setup full text searching. Much better solution to searching games and or any other data.

For sanitizing you can do what lopa posted, but all you would really need to protect you is the following..


function sanitize($string)
{
    $string = htmlspecialchars($string, ENT_QUOTES);
    return mysql_real_escape_string($string);
}


but when doing searches you probably don't wanna use htmlspecialchars() lol but for any other time you will want to use that to prevent XSS and SQL injection hacks.
Then when you need to display the data from the database in a textarea, say for a user to edit a "about me" section or something go ahead and decode it..
echo htmlspecialchars_decode($string, ENT_QUOTES);

- Please PM me any more suggestions for the next version or post them in the forums (All in one topic please). I know its taking a while, but I promise.. its gunna be a big change, and for the better.

[Dillon]

In my modified version of the script i was actually planing on recoding the search just havnt goten that far yet

[lopa]

but all you would really need to protect you is the following..

Kind of reminds me about a smarter person than I'll ever be saying:

"There's lots of ways to manipulate php, but you always have to run with the latest and make allowances for the "oldest", so don't buy a book on php - because it will either be outdated or deprecated before you ever get from the first page to the last.

Ain't it the truth?

LOL!

[lopa]

In my modified version of the script i was actually planing on recoding the search just haven't gotten that far yet

Going by your "other" post where you intend to release a somewhat modified version.

Is this a "new version or a forked and updated version" of free arcade script, because to be honest, I'm having a problem with what you are actually doing and who is going to be responsible for supporting it?

If it's forked (As in, if it includes an install script), then it probably belongs on a different website where you commit to supporting it as "Powered by ?? - Based on Free Arcade Script?

So when you say In my modified version of the script - Would you like to clarify what you mean by that?

[Dillon]

My modified version will include an install script and an update script its NOT an new version of the fas script i just figured y not share what i have and i will continue to update and support it as long as i use this script or until FAS come out with one that is better than mine features wise and then ill make a script to update from my script back to the newest version of FAS.