AV Arcade XSS Exploit

During registration, the user name field of the AV Arcade script is open to possible XSS attack. Code will be processed on the members page. The code can be overflown to the homepage fairly easily. XSS can be used.

I would now consider this as a serious exploit and suggest fixing this bug A.S.A.P (Edit: This exploit was fixed. Keep AV Arcade up-to-date!)

The fix

  • Backup then open yoursite.com/register.php
  • Find:
  • Add below:
  • Backup then open yoursite.com/admin/manage_users.php
  • Find:
  • Add below:
  • Save and upload all files.
  • Search your members list for any user names shown as code and delete (You could also I.P. ban them).

This function could easily be expanded for further validation. Thanks to dan20071 for letting me know about this!

Share this Story:
  • facebook
  • twitter
  • gplus

About Adam Davies

General nerd that started playing with web development in 2001.
Before reporting exploits in websites I broke software protection.