Ohai.
Before you give feedback, think wisely. Some kids don't understand PHP. Otherwise, this will be easy to fix for everybody. These are simple persistent cross-site scripting injections.
The non-persistent (client-side)
Change your mission. Just try to put in:
<script>alert('lol')</script>
How to fix?
Open me.php, and search for:
The code that you found. Well, let's replace it with:
<div class="Usersmotto" style="min-width:200px; min-height:30px;"><?php echo $core->EscapeString($users->UserInfo($username, 'motto')); ?></div>
Cross-site-scripting at staff.php
Are you a staff member? Okay, then you can do this. Again, edit your motto and write something like this:
PHP Code:
<script>alert('lolwut?')</script>
And press enter. Now go to the staff page, and you will see an alert.
How to fix?
Go to staff.php
Search for:
PHP Code:
<div class="Usersmotto"><?php echo $staff['motto']; ?></div>
And replace that with:
PHP Code:
<div class="Usersmotto"><?php echo $core->EscapeString($staff['motto']); ?></div>
Okay, the last cross-site scripting leak is in home.php.
Let's say you make a room. Just rename your room to something like this:
PHP Code:
<script>window.location="URL HERE!"</script>
Go to your homepage, and you will see that the page is redirected.
Fix:
Open home.php
Well, now search for:
PHP Code:
<strong><?php echo $userroom['caption']; ?></strong><br /><br />
And replace it with:
PHP Code:
<strong><?php echo $core->EscapeString($userroom['caption']); ?></strong><br /><br />
Okay, good luck with this.
Cya.
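The three fixes above all encode a stored value at the point where it is echoed into HTML. The following is an added example, not code from the post or from the CMS: the post does not show what `$core->EscapeString()` does internally, so this uses a hypothetical helper `esc_html()` built on PHP's `htmlspecialchars()`, with constructed sample values taken from the strings in the post.

```php
<?php
// Added example: output-encoding helper for HTML element content and quoted attributes.
// esc_html() is a hypothetical name; it is not the CMS's $core->EscapeString().
function esc_html($value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of making the whole result an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values standing in for database rows (strings from the post).
$motto    = "<script>alert('lol')</script>";
$staff    = ['motto'   => "<script>alert('lolwut?')</script>"];
$userroom = ['caption' => '<script>window.location="URL HERE!"</script>'];

// The three output points from the post, each encoded at the moment of echo.
$rendered = [
    'me.php'    => '<div class="Usersmotto">' . esc_html($motto) . '</div>',
    'staff.php' => '<div class="Usersmotto">' . esc_html($staff['motto']) . '</div>',
    'home.php'  => '<strong>' . esc_html($userroom['caption']) . '</strong>',
];

foreach ($rendered as $page => $html) {
    // Regression check: no raw <script> tag may survive encoding.
    if (stripos($html, '<script') !== false) {
        throw new RuntimeException("unescaped markup in $page");
    }
    echo $page, ': ', $html, PHP_EOL;
}
```

If `EscapeString()` in your copy of the CMS only escapes for SQL, it will not encode `<` and `>`, so check that the stored motto or caption shows up as visible text on the page after applying the fix.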