[FIX] XSS Issue

[Trayne01]

Hello...
One of my customer and a friend was forced to call me at 00:41 am GM+1 because of an xss issue from an other server, do you think that it is normal ?

I mean, the problem is not that I am supposed to sleep during the night, or supposed beeing retired from shaiya server for personal reasons, the problem is that, why the hell guys are you using these kind of scripts ? (from I think, but I would not say things like that as I am a little respectfull)

So.. where is the point of my post?



If you see something like that in your website, and if you are using sarest-based webscript, here is the fix:

1) Open your htdocs/inc/pdoConnect.php
add these lines at the end of the file:

PHP Code:

require_once '../lib/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config); 


2) Extract the htdocs.rar in your htdocs

3) thats it

If you want to check an XSS issue in an SQL Table type this is SSMS:

PHP Code:

SELECT * FROM Website.dbo.Chat WHERE message like '%<%%%>%' ORDER BY Time DESC 


and have fun... You'll also be able to get the ip of the man who did that... But please ignore it.

Feel free to use the HTMLPurifier lib for other scripts.. In fact you should use it at each sql to html output.

PS: Guys, this community should be a minimum mature.... Maybe that I will force the next servers that use these kind of attack to close in the future. Don't start hacking if you don't know how to do it...

[IlusionXtreme]

Very good thank you

[beetols]

I'm a bit confused about this thread.. does it say that you sold my scripts to a costumer of you and he founded a javascript injection on it, or that this friend of you is using my files that he got from a doubt source so he could not contact me?!??

I already fixed this problem time ago and i give this kind of support to any of my costumers, so about this, i support this thread.. If you didn't bought my web-scripts directly from ME, don't use them!

[Velocity.]

Quote:

Originally Posted by beetols

I'm a bit confused about this thread.. does it say that you sold my scripts to a costumer of you and he founded a javascript injection on it, or that this friend of you is using my files that he got from a doubt source so he could not contact me?!??

I already fixed this problem time ago and i give this kind of support to any of my costumers, so about this, i support this thread.. If you didn't bought my web-scripts directly from ME, don't use them!

please tell me, where does it say that he sold the script to him?

Quote:

Originally Posted by Trayne01

why the hell guys are you using these kind of scripts ? (from Sarest I think/)

it says that one of his customers was having a xss issue and that he thinks it was you're script. just clearing things up.

[beetols]

Quote:

Originally Posted by Velocity.

please tell me, where does it say that he sold the script to him?



it says that one of his customers was having a xss issue and that he thinks it was you're script. just clearing things up.

He sold this website to shaiya arcania with my scripts on it (you can see it on the screenshot).. it's the minimum that this guy go to him for a fix.

Funny thing is: why the hell you guys are using this kind of scripts.... And he is the one who solded it.. my comment up here was ilarius velocity.

[Trayne01]

Quote:

Originally Posted by beetols

He sold this website to shaiya arcania with my scripts on it (you can see it on the screenshot).. it's the minimum that this guy go to him for a fix.

Funny thing is: why the hell you guys are using this kind of scripts.... And he is the one who solded it.. my comment up here was ilarius velocity.

Why the hell would I sell your *outdated* files while I was already developing my own since 2015?
Presented .

First release ? .

Probably when you was still selling your *outdated* files without a single update.

Maybe an will explain my intentions? As I was not selling *outdated* files, I was also often updating mine. And the only *bonus* that my got, was an game icon parser and a home-made web mall.

But anyway, I even released this paid version for free . As I don't care about money.

Your *outdated* website files was stollen dozen of times and a lot of ADM was using it as website base.
This is also why I had to release my ShCMS, to stop this fucking sharing of *outdated* files.

Please try to stop giving argument without decent proof, it is not that nice.


Have a good day.

[beetols]

yes, I made this chat 4 years ago, is very outdated.
Sorry, my mistake probably, there is another Trayne somewhere that sold out my outdated files to AuronCrow the owner of shaiya arcania..


TRANSLATE:
[20:06:37] Sarest: But did you contact Trayne for a bug in the chat right? in the website he sold you?
[20:08:28] AuronCrow: yes

I'm not falling in your trick again like on chrismast (where you moved the conversation from "sell scripts from another" into "a single script possible get injection"), epvp members can think what ever they like, but this doesn't change what's happened and doesn't make you more adult.

PS: I'm tired of this discussion with you, I'm happy for you that you have your new job and "new life" and i really hope you are enjoing it, and is stupid stay here and waste our time about this.. if you want to be the good guy, continue to discredit me.. anyway I'll stop here.

[Trayne01]

Quote:

Originally Posted by beetols

yes, I made this chat 4 years ago, is very outdated.
Sorry, my mistake probably, there is another Trayne somewhere that sold out my outdated files to AuronCrow the owner of shaiya arcania..


TRANSLATE:
[20:06:37] Sarest: But did you contact Trayne for a bug in the chat right? in the website he sold you?
[20:08:28] AuronCrow: yes

I'm not falling in your trick again like on chrismast (where you moved the conversation from "sell scripts from another" into "a single script possible get injection"), epvp members can think what ever they like, but this doesn't change what's happened and doesn't make you more adult.

PS: I'm tired of this discussion with you, I'm happy for you that you have your new job and "new life" and i really hope you are enjoing it, and is stupid stay here and waste our time about this.. if you want to be the good guy, continue to discredit me.. anyway I'll stop here.

As far as I remember, AuronCrow was in need to keep your outdated files, Idk why he didn't liked my own CMS. So I only sent him a design and few upgrades for your for cheap. (It is also why I said "One of my customer and a friend " in my thread)
A lot of ADM that was contacting me already got your outdated website (I think it was stollen too many times), or sometimes they already contacted you before they call me. Like the shaiya divine . org owner few times ago.

I just think that is time for making peace, as you said, this chat script is more than 4 year old, I know that you would not leave an XSS injecion on your "modern" scripts.

And there is not that much WEB dev around in shaiya. I Know about Lube, you, and maybe me, and is thats all ? This is why we should be our best to collaborate instead, and in fact, I'll be glad to talk about shaiya WEB development on skype with you.