Inserting a <script> in to my newsticker how? The player is Not allowed to

TKO · Jul 10, 2010

How can a player insert <script> in to my newsticker with out having Acces for it?

Derek Boom Boom · Jul 10, 2010

By URL ($_GET variable) + simple JS redirect.

TKO · Jul 10, 2010

any how you can block this for happening?

Derek Boom Boom · Jul 10, 2010

Drop News Ticker or use htmlspecialchars() for news ticker function or protect news ticker function so you have to have some access.

stian · Jul 10, 2010

Add the security option.

devianceone · Jul 10, 2010

You have quite a few security issues with your site besides inserting <script> into a news ticker you should look into.

Masterpako · Aug 11, 2010

i have the same problem, and someone is hacking me!
how i can fix this?

Masterpako · Aug 12, 2010

Masterpako · Aug 12, 2010

devianceone · Aug 12, 2010

This is a old thread, the solution for news ticker has been posted multiple times. Use search or look in the web related categories, its there.

Sonical · Aug 12, 2010

I have latestnews.php which has disabled tickers. Pm me if you are iinterested.

Masterpako · Aug 12, 2010

why pm?
i need solutions :S

Sonical · Aug 12, 2010

lawl
Latestnews.php without tickers, should work against hacking

PHP:

<?PHP
//######################## SHOW TICKERS AND NEWS #######################
$main_content .= '	</tr>
</table>';
if($group_id_of_acc_logged >= $config['site']['access_admin_panel']){$main_content .=  '<a href="?subtopic=forum&action=new_topic&section_id=1">Add new news</a>';}
$zapytanie = $SQL->query("SELECT `z_forum`.`post_topic`, `z_forum`.`author_guid`, `z_forum`.`post_date`, `z_forum`.`post_text`, `z_forum`.`id`, `z_forum`.`replies`, `players`.`name` FROM `z_forum`, `players` WHERE `section` = '1' AND `z_forum`.`id` = `first_post` AND `players`.`id` = `z_forum`.`author_guid` ORDER BY `post_date` DESC LIMIT 3;")->fetchAll();
foreach ($zapytanie as $row)
{
         $BB = array(
		'/\[b\](.*?)\[\/b\]/is' => '<strong>$1</strong>',
		'/\[quote\](.*?)\[\/quote\]/is' => '<table cellpadding="0" style="background-color: #c4c4c4; width: 480px; border-style: dotted; border-color: #007900; border-width: 2px"><tr><td>$1</td></tr></table>',
		'/\[u\](.*?)\[\/u\]/is' => '<u>$1</u>',
		'/\[i\](.*?)\[\/i\]/is' => '<i>$1</i>',
		'/\[url](.*?)\[\/url\]/is' => '<a href=$1>$1</a>',
		'/\[img\](.*?)\[\/img\]/is' => '<img src=$1 alt=$1 />',
		'/\[player\](.*?)\[\/player\]/is' => '<a href='.$server['ip'].'?subtopic=characters&amp;name=$1>$1</a>',
		'/\[code\](.*?)\[\/code\]/is' => '<div dir="ltr" style="margin: 0px;padding: 2px;border: 1px inset;width: 500px;height: 290px;text-align: left;overflow: auto"><code style="white-space:nowrap">$1</code></div>'
		);
		$message = preg_replace(array_keys($BB), array_values($BB), nl2br($row['post_text']));
        $main_content .= '<div class=\'NewsHeadline\'>
		<div class=\'NewsHeadlineBackground\' style=\'background-image:url('.$layout_name.'/images/news/newsheadline_background.gif)\'>
		<table border=0><tr><td><img src="'.$layout_name.'/images/news/icon_1.gif" class=\'NewsHeadlineIcon\' alt=\'\' />
		</td><td><font color="'.$layout_ini['news_title_color'].'">'.date('d.m.y H:i:s', $row['post_date']).' - <b>'.$row['post_topic'].'</b></font></td></tr></table>
		</div>
		</div>
		<table style=\'clear:both\' border=0 cellpadding=0 cellspacing=0 width=\'100%\'><tr>
		<td><img src="'.$layout_name.'/images/global/general/blank.gif" width=10 height=1 border=0 alt=\'\' /></td>';
		if($group_id_of_acc_logged >= $config['site']['access_admin_panel'])
		{
			$main_content .='<td width="100%">'.$message.'<br><h6><i>Posted by </i><font color="green">'.$row['name'].'</font></h6><p align="right"><a href="?subtopic=forum&action=remove_post&id='.$row['id'].'"><font color="red">[Delete this news]</font></a>  <a href="?subtopic=forum&action=edit_post&id='.$row['id'].'"><font color="green">[Edit this news]</font></a>      <a href="?subtopic=forum&action=show_thread&id='.$row['id'].'">Comments: '.$row['replies'].'</a></p>';
		}
		else		
		{
			$main_content .='<td width="100%">'.$message.'<br><h6><i>Posted by </i><font color="green">'.$row['name'].'</font></h6><p align="right"><a href="?subtopic=forum&action=show_thread&id='.$row['id'].'">Comments: '.$row['replies'].'</a></p>';		
		}
		$main_content .= '</td>
		<td><img src="'.$layout_name.'/images/global/general/blank.gif" width=10 height=1 border=0 alt=\'\' /></td>
		</tr></table>';
}

?>

Also in config.php
add

PHP:

$config['site']['access_tickers'] = 2;

Rep++

Masterpako · Aug 13, 2010

@Sonical

Thanks so much.

Repped +

Inserting a <script> in to my newsticker how? The player is Not allowed to

TKO

Syphero Owner!

Derek Boom Boom

*

TKO

Syphero Owner!

Derek Boom Boom

*

stian

Banned User

devianceone

Lua Scripter

Masterpako

Infernia.no-ip.org Owner

Masterpako

Infernia.no-ip.org Owner

Masterpako

Infernia.no-ip.org Owner

devianceone

Lua Scripter

Sonical

Inactive

Masterpako

Infernia.no-ip.org Owner

Sonical

Inactive

Masterpako

Infernia.no-ip.org Owner

Similar threads