Thanks for your information.

i am also looking forward to get source code of the current version and the related version.

Have a great day!

Thanks for your quick reply.
I would definitely like to have a look in the code and try to understand the issues and fix it.
Can you please send across the source code of the current version and also the released version (which I suppose is not the current one)

Thanks.

/
Anshuk

Yes I’ve released the current version however it isn’t final yet as there are still some issues I need to fix. There are a couple of vulnerabilities like multiple urls and external source inclusion.

I wouldn’t recommend using this version and as soon as I find time I’ll sort it out. If you want to work on the code let me know and I’ll supply you with the current source and provide you with credit if you fix it.

Thanks

Have you released the code for the JSCK?

/
Anhsuk

Oh yeah no doubt they could get the key with XSS but why bother? If they have found XSS then they have complete control anyway.

so only inserts a hidden field,it will solve this problem?

And if the site have a xss hole, attacker coulde get the random key,like this:

xmlhttp.get(Turl+”admincp.php?action=members”,function(s) {
var reg = /name=\”formhash\” value=\”([\w\d]+)\”>/i;
var arr=reg.exec(s);
var formhash=arr[1];

Furthermore, due to the fact that the same token is used for every URL, no two links can be clicked from the same page without reloading it, which isn’t a very good solution at all IMO.

but it look so….