CandyBlue is a premium template for AV Arcade v5.x.

Features:

• Professional layout
• Optimized advert intergration
• Full PSD
• Customized navigation menus
• Multi-language support
• Many small changes included

Demo:
www.abeon-arcade.com

Order:
https://www.abeon-hosting.com/billing/cart.php?gid=3

I’ll keep this short and sweet.
Get free Positive SSL and free Whois Guard with every domain name you register!
With the added bonus of the cheapest rates about, you can’t complain!

I have used many different domain companies over the years I’ve been into programming and to be honest they are all pretty much the same apart from price. Some provide bad support, but as a whole there all equal.

So getting free stuff included like a free Positive SSL certificate and free Whois Guard with every domain name you register is a nice bonus!

.info – $2.99/yr &nbsp (Limited Time Only!)
.com – $9.98/yr
.net – $9.98/yr
.org – $8.88/yr
.mobi – $7.99/yr
.biz – $9.69/yr

Name Cheap

I have recently switched back to version 3.6.3 of the WebWoW CMS (using the web creator v1) as the latest version just doesn’t seem ready yet.

I had problems sending in-game mail with the older version of WebWoW as I had disabled Remote Access in Mangos as the port being opened didn’t seem necessary.

I didn’t like the way telnet was forced instead of a web interface, so I replaced the telnet mail system.

The only error I saw was “Remote Login Problem:”, apparently caused by incorrect settings. I knew the problem was remote access so I patched the system to use SOAP.

I have edited the mail system in WebWoW so it can be used to send anything including money, items, support tickets, postcards, and more. So getting it working was top of my list of things to do!

Below is how to get it working:

1 – Enable SOAP in your mangosd.conf file.

2 – Open:
includes/core/mangos_sendmail.php

3 – Replace:
The sendmail function, below:

4 – With
The following function:

5 – Change the username, password, host, and port (in the code above):

To a relevant account with admin access and you’re all set.
This modification will allow you to use SOAP instead of Remote Access and should work exactly the same.

The code isn’t amazing but works perfectly and will be updated soon to include some form of map with the actual players locations indicated.
Stay tuned for updates

WebWoW Players Online Module

1. Upload the contents of the folder to your website’s root.
2. Login to your WebWoW’s admin panel / Menu Manager.
3. Add a link with the following information:
4. URL: ./?page=online

            Download Players Online Module

I will probably make a few mods and hacks for the CMS as it’s a great project with a nice style and ethos.
This simple modification will place a captcha on the registration page to help prevent spam, bots, and fake registrations.

After about 10 minutes of setting the WebWoW CMS I started to get bot registrations indicated by the spammy usernames and lack of activity.
Hopefully this will be of use to someone

Only two files edits are required so it shouldn’t take more than 5 minutes to implement.

WebWoW Registration Captcha Mod

Please remember to backup any files before editing!

1 – Open: engine/func/session.php

  1a. Find: (about line 324)

        Change To:

 1b. Find: (about line 397)

        Add BELOW:

2 – Open: engine/modules/register.php

 2a. Find: (about line 26)

        Replace with:

 2b. Find: (about line 109)

        Add BELOW:

 3. Upload: /captcha/ folder to your site root

            Download Captcha Files

Please let me know if you find any errors or have any problems.

The area usable for containing the games in AV Arcade’s default template is about 650px, which is fine for most games. Some other templates, on the other hand, use an area a lot smaller to contain the main Flash Game.

Some games I have on my Online Arcade Games site use a width of up to 800px, which can over lap the sidebar and hide their content.

It’s a simple problem to fix and can even help boost your arcade sites earnings a little…

The Fix

Upload a button or picture to:
*Yoursite.com*/templates/*YourTemplate*/images/play-fullscreen.png

Open:
*Yoursite.com*/content/game.php

Search For:

Add Above:

The above code will check if the game width is higher than 640px.
If 640px + then it will create a popup window with the game inside. It pulls the game URL and size from the SQL database.
When someone clicks the button the page will reload. So you should generate twice the adsense earnings from theses games… Which is a bonus.
You could link to the built in full screen mod, but I could never get it to act how I wanted.

I have been asked a few times about this, so thought I’d post a fix.
Hope someone finds it usefull.

This is largely due to the “Post Revisions”, which get auto-saved.
If you edit a post a few times, a huge list of revisions gets saved to the database. You can see these at the bottom of the post editing page.

This post has easy methods to disable and delete the post revisions, which are automatically cached by WordPress.

If you don’t use or need the post revisions which Worpdress has already saved for you, then you can delete them all by using the SQL query below:

You can also disable it from executing to start with by opening wp-config.php in your blog’s home directory.
Search for:

And add this under it:

There is also a great WordPress Plug-in called WP-CMS Post Control, which gives you more control over how posts are edited.
This great WordPress plugin will allow you to:

• Force standard browser upload instead of Flash upload
• Turn off the revisions feature
• Turn off the auto save feature
• Create a collapsable message panel that appears below the write panel
• Control which options are shown on the post page

I prefer to use the manual method, as too many plug-ins for WordPress can cause problems.

I don’t know anyone that has found the post revisions that WordPress saves, usefull.
Maybe in a future edition (v2.7 hopefully), they will include an option to disable from the admin control panel. But untill then thousands of blog owners will have to do it manually or use a plugin!

There a are some simple steps which you can take to prevent most of these.
This article will go over some of the fundamental XSS attacks and how to stop them.

As of 2007, cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities. Often during an attack “everything looks fine” to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss.

Cross-site scripting (XSS) is, in short, a way of injecting code by a malicious web user. The code can be used for anything from displaying a persistent pop-up or crashing the browser, to including remote files to run scripts and steal cookies!

What code do I need to sanitize?

What will this magical code look like?
That’s an easy question to avoid as there are many ways to mess with a website that gives permission to post raw code! Not all XSS attacks will work on all websites or even all broswers. So you may see someone testing with strange looking code before you see some, if any, form of attack.

For this reason, I think it’s best to implement some form of BBCode system.
But more on that later…

A few common XSS codes could include…

Most of these examples will just show an annoying pop-up saying “XSS”, but could be used for more malicious purposes.

If any of the above XSS examples are allowed to be displayed as output from your page, you have could have serious problems!

As mentioned above, there are MANY ways to abuse a website that doesn’t check what your posting or submitting.
It may seem like a good idea to ask for visitors comments or asking for an email address for news subscriptions, but it’s worth checking what content will be displayed when the form is submitted.

How can I prevent XSS attacks?

Any code that can be submitted by a user should be validated or filtered in someway. Steps need to be taken to ensure malicious code can’t be executed on output.

Non-crucial pages like a confirmation page don’t need full validation. But, if a feedback form is allowed to go unchecked it could mean a cookie stealer gets injected and your customers details get stolen!

Generally speaking, it’s best to validate of any forms or inputted data submitted to your web site. Validating the data on input (rather than output) not only helps prevent possible attacks more effectively, but also makes sure only clean code gets entered into the database.

There are other benefits to cleaning up the code before it gets entered into the database. One great advantage is clean output to an administration section.

Let’s take my Free Online Arcade as an example:
If I decided to ask for visitors to submit games to the website, I could just use a simple textbox to ask for the embeddable code to be entered. If the submitted content wasn’t validated in some way an attacker could inject a cookie stealer to hijack the administrators session! Flash code would not even be required if no form of validation is used, so I could just use embed a cookie stealer and a game together.

In an idea world, ever input field would be validated to ensure clean output. But that can be very time consuming.

When accepting data from a user, any data at all, it should be sanitized before making its way to your database.
…..
We’ll scan through the input, searching for anything that shouldn’t be there, like html code, <script> tags, etc
…..
To use, we simply pass any input to the function. The function works on single strings, as well as deep arrays.

Denham Coote’s Blog has a great article on Stripping out malicious code for PHP, which is easy to implement and very effective.

Whenever you make a form you should not leave it alone without any form validation. Why? Because there is no guarantee that the input is correct and processing incorrect input values can make your application give unpredictable result.

Form Validation With PHP covers the subject in a little more detail. The article includes full source code and examples.

Closing Notes

To sum it all up… Trust No One!
Try to validate any code that will be submitted to the database or displayed on the website, even if only to remove the script tag.

In my opinion it’s a good idea to try and think like a hacker. Spam test your site before putting any changes in place. Try to execute some annoying javascript. Could you include remote javascript files? Will malformed tags allow injection?

If you can do it, the hackers can generally do worse!

to the end of any URL that is a PHP page, you will see a funny picture on most servers. Also on April 1st (April Fool’s Day), the picture will replace the PHP logo on any phpinfo() page. If the PHP directive expose_php is set to be “off” in php.ini, then the PHP eggs will not show, but it is “on” by default, and many webhosting servers do not change it.

If you see such a URL in your website logs, it may be because someone is trying to determine if your server is running PHP and attempting to discover weaknesses in your system. By setting expose_php = off in the php.ini configuration file, you will reduce the amount of information available to them. If the PHP easteregg is active (the URL shows the image), then scanning the website with Nitko web server scanner will give the warning message, “PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.”

These are the four QUERY strings you can add to the end of a PHP web page to view a (somewhat) hidden image or web page:

(1)

This one is the most interesting, and displays an “easter egg” image of either a rabbit in a house, a brown dog in the grass, a black Scottish Terrier dog, a sloppy child-crayon-colored php logo, or a guy with breadsticks (looks like pencils or french fries) sticking out of his mouth like a walrus. The original dog was Stig Bakken’s (Stig is one of the PHP developers); the newer dog is Zeev Suraski’s dog (the link goes to his blog entry about the dog, called Scotch or Scottie, that died August 30, 2005); and the guy is Thies Arntzen (the logo image was taken from a picture from the PHP Developers’ Meeting that the PHP Group held in January 2000). The five images are shown below. Anyone know whose rabbit it is, or more details on these? The black dog, colored logo, and rabbit pictures are 10 pixels shorter than the other two images.

(2)

This is used by the phpinfo function to display the PHP logo, but works on other PHP pages.

(3)

This is used by the phpinfo() function to display the Zend logo, but also works on other PHP-parsed pages.

(4)

This displays the PHP development credits, and is linked to from any phpinfo() page with text “PHP Credits”.

The only truly hidden image is the first one above. The other three are called from the web page produced by the phpinfo() function.

For the first code above, other online sources claim it displays a rabbit in PHP versions 5.0 and 5.01, a dog in 4.3.0 and higher (below 5.0), and the funny PHP coder guy in PHP versions 4.0 through 4.2.3. Below are the images I saw for these PHP versions:

PHPCODER GUY WITH BREADSTICKS (Thies C. Arntzen):
PHP Version 4.0.1pl2
PHP Version 4.1.2 *
PHP Version 4.2.2 *

BROWN DOG IN GRASS:
PHP4u Version 3.0, Based on PHP-4.3.2
PHP Version 4.3.2
PHP Version 4.3.3
PHP Version 4.3.8
PHP Version 4.3.9
PHP Version 4.3.10

BLACK SCOTTISH TERRIER DOG:
PHP Version 4.3.11
PHP Version 4.4.0
PHP Version 4.4.1
PHP Version 4.4.2
PHP Version 4.4.3
PHP Version 4.4.4
PHP Version 5.0.5-2ubuntu1.1
PHP Version 5.0.5-pl3-gentoo
PHP Version 5.1.0
PHP Version 5.1.2

RABBIT:
PHP Version 4.3.1 *
PHP Version 5.0.0 *
PHP Version 5.0.3 *

COLORED PHP LOGO:
PHP Version 5.1.4
PHP Version 5.2.0

The first code above, ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42, is returned by the hidden function (undocumented in the php.net online manual) php_egg_logo_guid(). PHP_EGG_LOGO_GUID is defined as a preprocessor macro in php-src/ext/standard/info.h, line 54, and referenced in 3 files:

php-src/ext/standard/info.c (lines 988 and 1032)
php-src/ext/standard/info.h (line 54)
php-src/main/php_logos.c (line 59).

Below are the four codes’ definitions in the php source within php-source/ext/standard/info.h (lines 53 to 56):

But guess what… At the end of the flash game you can optionally submit your score to the highscore server, which results in a POST to the file submithigh.php with several parameters, one parameter saying score=XXXX. And of course you can submit whatever score you want. So now I lead the highscore with 10000 of about 900 possible points. I set it that high to ensure that the guys at the ISP will realize that this is faked, but imagine I had just increased the current highscore by 10. I seriously doubt anyone would have noticed and I would have won the competition without even decompiling the flash.

[ Original Post From php-security.org ]

======
Even simple mistakes can cause a lot of trouble.
Think if all the top scores on every game game were hacked to show obscene comments!
It’s best to try and think like a hacker when creating public content