idk what stripslashes() was doing in there, but it was definitely a bug (there's no way the slashes in there, if any, had no purpose and could just be discarded.. right?)
in addition, post data with keys containing special characters (if any) was incorrectly encoded. a correct encoding loop goes like:
foreach ($_POST as $key => $value) {
$req.="&".urlencode($key)."=".urlencode($value);
}
but the original code was only encoding the value, not the key... but even better than a custom encoding loop is to just use http_build_query(), which does the entire encoding loop for us :) so that's what i changed it to.
* add html encoding function
* html-encode dynamic values
important if the values contain special characters like '&<>"
(for example if $config['site_title'] is `AT&T` or `<AWESOMESERVER>`, the old code would generate invalid html, but this updated code will generate valid html.)
the powergamers page was vulnerable to XSS/javascript injection, this should fix it.
XSS screenshot: https://i.imgur.com/4rJuWqY.png
XSS POC:
<form action="https://<censored>/powergamers.php" method="POST">
<input type="hidden" name="days[]" value="3" />
<input type="hidden" name="days[]" value="1<script>alert("XSS running!");</script>" />
<input type="submit" value="click here to start xss" />
</form>
Security issue reported by @slawkens
All wifi traffic is broadcasted - this means that any nearby sniffing devices can read your traffic. If you're connecting to a page through HTTP over public/unencrypted wifi you can assume that whatever information you are sending and receiving is public - all it takes is an attacker nearby with an antenna to read all that in plaintext. To perform a true MITM by having traffic flow through them, attackers can use technologies like WiFi pineapples or aircrack-ng to force users to connect to their wifi network.
Connecting over cable internet is much harder to intercept/mitm because you're not broadcasting your traffic for the whole neighborhood. In order to compromise this network an attacker will have to gain access to it somehow - either through physical access to a network port, malware installed on a host machine or router, etc. When an attacker has access to a network they then have to exploit that access through attacks such as ARP poisoning or HSRP spoofing. These attacks just MITM traffic - anyone on the network can still sniff (read, but not change) traffic, but keep in mind HTTPS traffic is still encrypted and can't be read.
https://security.stackexchange.com/questions/153148/how-easy-it-is-to-actually-perform-mitm-attack-these-days
When storage_account_id is not configured in config.php and people want to try the character auction system
Give them an error message instead of a query crash. Telling them to edit config.php properly.
There is no need to create a separate configs for OTHIRE when establishing an SQL connection,
and is confusing for new users who are configurating their webserver.
* Update toponline.php site_title and type
Parse error: syntax error, unexpected 'site_title' (T_STRING), expecting ',' or ';' in C:\xampp\htdocs\znote\toponline.php on line 40
Notice: Undefined index: type in C:\xampp\htdocs\znote\toponline.php on line 10
* Add OTServers.eu voting
* Hide voting by default and use simple vote url if the user isn't logged in
* Fix indentation
* Convert to tabs
* Convert to tabs
* Preparing compatibility to OTHire
* Still working on compatibility to OTHire
* More compatibility
* More compatibility
Not tested yet
* Some fixes
- Fixed Account Creation.
- Fixed a problem that you can't load the website, that include that you can now recover your account number.
* More fixes
- Fixed character creation.
- Fixed login problem.
- Fixed displaying account number in My Account.
- Fixed displaying if you have premium days or not in My Account.
* More fixes
- Handle Kills/Deaths as TFS_03
* More fixes
- Fixed showing outfits in character profile
- Fixed displaying player houses in character profile
- Fixed displaying guilds
* Update init.php
* Prefix http or https if user hasn't explicitly set
Adding this because href prefixes the server's url if http:// or https:// is not provided.
* Fixed whitespace
