vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vbBux / vbPlaza (https://vborg.vbsupport.ru/forumdisplay.php?f=171)
-   -   Who do I contact in regards to a bug/glitch issue for vbplaza? (https://vborg.vbsupport.ru/showthread.php?t=136730)

tester987654 02-06-2007 02:27 AM

Quote:

Originally Posted by mikeylikesitz (Post 1175595)
well as of now this hack is suggested to be disabled due to an XSS vulnerability

What is an XSS vulnerability? And does that mean it won't work at all even though it's installed on my forum?

Sheesh... this is a bummer - I'm eager to get my forum "live" and yet here is another delay... ACK! lol

But BTW, did you ever have the jackpot issue I mentioned?

BrandiDup 02-06-2007 12:34 PM

Quote:

Originally Posted by tester987654 (Post 1175709)
What is an XSS vulnerability? And does that mean it won't work at all even though it's installed on my forum?

Sheesh... this is a bummer - I'm eager to get my forum "live" and yet here is another delay... ACK! lol

But BTW, did you ever have the jackpot issue I mentioned?

It will still work if you keep it installed. However, the vulnerability can open your site up to being hacked. So, I would strongly recommend you uninstall.

subnet_rx 02-08-2007 01:55 PM

I'd either like to see the vuln so I can patch it myself, or see a patch released. My members are acting like they can't live without getting a few cents per post.

Mysticales 02-14-2007 10:32 AM

Well, the author contacted me btw, I gave him the info I have. Also, yes, I know about the XSS one too. If you wanna patch that real quick, go to "Manage Items" and for "Donate" set "Send PM to user" to "No".

That's one of them, the most commonly used. I won't say what the user could do since I don't know if it's allowed or not. But yeah, that should set you back up.

Either way, there were a couple of things I patched for and so far smooth sailing again. Will wait for the author to reply back again.

Oh, I will say this: should someone need me, just send me a PM or so, I'll see what I can do. Only reason I don't post anything is because I am not sure it's my place to say it out in public or release a patch without the author's OK.

darkilla2 02-14-2007 07:35 PM

Did you get ibpro and vbplaza to successfully give out and deduct points?

Mysticales 02-15-2007 03:10 AM

Hrm... I mean it seems to work for me, I mean the arcade works fine, normal users can buy arcade passes and then pay per play while subscribed users get it for free. I mean if you wanna see the work I do, http://forums.qj.net

Acers 02-15-2007 04:30 AM

Well, the donate is not the only problem btw.
You can reproduce the same bug with all things that send a PM (gift, ribbon etc., where the user is typing a message).
The simplest method to fix this is to clean the input as I had written in the other thread.
The only problem being that only the author or the admins would know of any other vulnerabilities apart from this one, that's why we can't claim that it is a fix.

Mysticales 02-15-2007 05:03 AM

The main issue basically is that it doesn't have certain text input checking... which I added on mine to avoid it. Yes, the author has to be the one to look at it, however if not, we may just release the patch.

Basically I think the biggest thing is to not allow it to use any form of scripts or ASCII that isn't standard... that would solve a lot right there.

Acers 02-15-2007 11:14 AM

That's what I said... instead of strip tags just make that htmlentity and it will protect you from the XSS exploit. You have to do that at 5-6 places. (HERE)
The only issue being if someone can confirm that's the only issue... lol
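The point Acers and Mysticales are making (encode the user-typed message instead of only stripping tags) is easiest to see with a small stand-alone script. The following is an added example, not vbPlaza's or vBulletin's code; the PM template, function names and sample messages are all constructed for illustration.

```php
<?php
// Added example, not vbPlaza's code. Shows why strip_tags() is not enough
// when a user-typed message (donation note, gift message, ribbon text) is
// dropped into the HTML of a PM, and what encoding it with htmlspecialchars()
// changes. Everything below (names, template, samples) is constructed.

// Weak approach: strip_tags() removes <...> sequences but leaves quotes and
// ampersands alone, so text that lands inside an attribute can still close
// that attribute and add its own.
function clean_message_strip_tags(string $message): string
{
    return strip_tags($message);
}

// The fix described in the thread: encode every HTML-significant character
// so the browser shows the text literally. ENT_QUOTES covers both quote
// styles, which matters when the value ends up inside an attribute.
function clean_message_entities(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical PM template for this example: the message goes into the body
// text and also into the title attribute of a link back to the sender.
// The sender id is cast to int so only the message is under user control.
function render_pm(int $senderId, string $cleanedMessage): string
{
    return '<p><a href="member.php?u=' . $senderId . '" title="' . $cleanedMessage . '">'
        . 'Donation from user ' . $senderId . '</a></p>'
        . '<div class="note">' . $cleanedMessage . '</div>';
}

// Constructed sample messages: one harmless, one with a tag, one that tries
// to break out of the title attribute, one with an unclosed tag.
$samples = [
    'plain'      => 'Thanks for the help!',
    'tagged'     => 'Thanks <b>a lot</b>',
    'attr_break' => 'Thanks" onmouseover="x',
    'unclosed'   => 'Thanks <b',
];

foreach ($samples as $label => $message) {
    echo "== $label ==\n";
    echo "strip_tags:       " . render_pm(42, clean_message_strip_tags($message)) . "\n";
    echo "htmlspecialchars: " . render_pm(42, clean_message_entities($message)) . "\n\n";
}
```

Running it shows that strip_tags() passes the `attr_break` sample through unchanged, so the double quote terminates the title attribute and the rest becomes a new attribute, while htmlspecialchars() turns the quote into `&quot;` and the message stays inside the attribute as plain text. The same holds for every place the mod echoes a message into HTML, which is why the thread says the change has to be applied at each of them. vBulletin 3 ships its own `htmlspecialchars_uni()` wrapper in includes/functions.php for this purpose.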

AuroraStorm 02-17-2007 11:48 PM

If that's the fix to it, can somebody post the zip? I have to reinstall it but I can't find it anywhere...

