Krooze arcade

e107 CMS » Forums » e107 Code » Plugin / Code Developer Discussion
bigbadwolf
Feb 02 2012, 08:45AM
Registered Member #21221
Joined: Sep 27 2005, 07:48AM
Location: Long Island NY
Posts: 368
I tried contacting Bordeded (who by the way was doing some custom work for me long ago) and while he read his PM several days ago he has not responded. Therefore I am helping myself to posting this here.

A lot of people like Krooze but it has some serious security flaws which make it vulnerable to injections. One of my best friends is a PHP guru and he has looked at it for me. I am sharing his findings here in case anyone can see anything he missed.

He has agreed to work on tightening it up over the next several days.

WARNING: He is a PERFECTIONIST and goes to extreme measures sometimes. Many might say he is going overboard but that is him... he does it his way or no way at all.

Yeah, this arcade thing is a real mess. Here are the issues:

....

It won't let me post it here because he is showing examples of the bad PHP code. :-/
bigbadwolf
Feb 02 2012, 08:52AM
Registered Member #21221
Joined: Sep 27 2005, 07:48AM
Location: Long Island NY
Posts: 368
Ok here it is in another form. Thanks to septor as I remember he used Paste2 on another link.

[-link-]
septor
Feb 02 2012, 01:40PM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #37
Joined: Aug 11 2002, 03:20AM
Location: United States
Posts: 2687
Part of the problem with that plugin is that data being sent into the database is not sanitized.

You need to process integers with intval() and everything else with $tp->toDB().

He brings up valid points, but they aren't the underlying problem.
bigbadwolf
Feb 06 2012, 08:24PM
Registered Member #21221
Joined: Sep 27 2005, 07:48AM
Location: Long Island NY
Posts: 368
As my final throw here, my PHP Dev has proven how weak the existing Krooze arcade is. He managed this in all of 5 minutes.

NFM
Feb 20 2012, 05:58PM
Registered Member #38450
Joined: Jul 20 2007, 02:19PM
Posts: 17
Any word on how it's going so far?
bigbadwolf
Feb 21 2012, 05:07AM
Registered Member #21221
Joined: Sep 27 2005, 07:48AM
Location: Long Island NY
Posts: 368
The friend who is working on it says he has started testing it but fell "ill." Perhaps it is more like "I really have better things to do with my life right now" but since he is doing it for free I don't push too hard.

I want this too so will poke him about it from time to time.
bigbadwolf
Feb 24 2012, 12:20PM
Registered Member #21221
Joined: Sep 27 2005, 07:48AM
Location: Long Island NY
Posts: 368
Ok, we have a new play.php. My friend describes his mods as follows: "It is properly escaping the $_GET and $_POST super globals being passed to SQL queries."

You can download it from here: [-link-]

BACKUP play.php then unzip in the existing krooze folder.

I make no guarantees about the security of the rest of the plugin but if he says this will help, I imagine it will.
[ Edited Feb 24 2012, 01:41PM ]
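To make concrete what septor's advice above (integers through intval(), everything else through $tp->toDB()) and the play.php fix ("properly escaping the $_GET and $_POST super globals being passed to SQL queries") amount to in practice, here is an added example, not code from the Krooze arcade plugin, from the patched play.php, or from anyone in this thread. It assumes an e107 0.7 plugin page where class2.php is already loaded (so the globals $sql and $tp exist), the db_Insert/db_Select/db_Fetch calls as in that API, and a hypothetical table "krooze_scores" with the columns named in the code.

```php
<?php
// Added example: not code from the Krooze arcade plugin, from play.php, or from
// anyone in this thread. Assumes an e107 0.7 plugin page where class2.php has
// been loaded, so the globals $sql (e_db_mysql) and $tp (e_parse) exist, and a
// hypothetical table "krooze_scores" with the columns named below.

// BEFORE: the pattern septor describes. Request values go straight into SQL,
// so crafted input in "player" or "id" can change what the statement does.
function save_score_unsafe()
{
    global $sql;
    $game_id = $_GET['id'];
    $player  = $_POST['player'];
    $score   = $_POST['score'];
    return $sql->db_Insert('krooze_scores',
        "0, '{$game_id}', '{$player}', '{$score}'");
}

// AFTER: integers through intval(), everything else through $tp->toDB().
// intval() yields a bare number (no quotes needed); toDB() escapes the string
// so it can only ever be a string literal inside the statement.
function save_score_safe()
{
    global $sql, $tp;
    $game_id = intval($_GET['id']);
    $score   = intval($_POST['score']);
    $player  = $tp->toDB($_POST['player']);
    if ($game_id <= 0 || $player === '') {
        return false; // refuse junk input rather than storing it
    }
    return $sql->db_Insert('krooze_scores',
        "0, {$game_id}, '{$player}', {$score}");
}

// The same rule covers WHERE/LIMIT clauses when reading scores back.
function top_scores($game_id_raw, $limit_raw = 10)
{
    global $sql;
    $game_id = intval($game_id_raw);
    $limit   = max(1, min(100, intval($limit_raw))); // clamp, never use it raw
    $rows    = array();
    if ($sql->db_Select('krooze_scores', 'score_player, score_value',
            "score_game = {$game_id} ORDER BY score_value DESC LIMIT {$limit}")) {
        while ($row = $sql->db_Fetch()) {
            $rows[] = $row;
        }
    }
    return $rows;
}
```

Every place a plugin builds SQL from $_GET, $_POST or a URL fragment needs the same treatment; a single missed spot is enough to leave the table writable by anyone who can reach the page.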
septor
Feb 25 2012, 03:52PM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #37
Joined: Aug 11 2002, 03:20AM
Location: United States
Posts: 2687
The other files have been fixed. You can get them here.

If you have trouble extracting -- stop using WinRAR, get 7-Zip.
bigbadwolf
Mar 01 2012, 05:23AM
Registered Member #21221
Joined: Sep 27 2005, 07:48AM
Location: Long Island NY
Posts: 368
Wow, so many people wanted to use this, and now that it's been made secure, where's the appreciation for Septor's efforts?
septor
Mar 01 2012, 07:02AM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #37
Joined: Aug 11 2002, 03:20AM
Location: United States
Posts: 2687
This be a thankless job, bro. It's all good. I have a list of names of the people who request things that I make/fix that don't thank me. When I die I'll be sure to haunt them all.
Moc
Mar 07 2012, 05:20AM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #44563
Joined: Apr 12 2008, 03:01AM
Location: The Netherlands
Posts: 3612
Thanks septor
chowdahead
Mar 07 2012, 07:27AM
Registered Member #45828
Joined: Jun 19 2008, 06:22AM
Location: Boston, MA
Posts: 114
Thank You septor
outlaw16151
May 21 2012, 09:10AM
Registered Member #61697
Joined: May 29 2011, 07:29PM
Posts: 44
Ok Mr. septor, where do I install this? In plugins? Where?
Moc
May 21 2012, 09:15AM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #44563
Joined: Apr 12 2008, 03:01AM
Location: The Netherlands
Posts: 3612
The download septor gave above just contains the fixed files. You'll need to download the full plugin and install it like any other plugin.
outlaw16151
May 22 2012, 07:30AM
Registered Member #61697
Joined: May 29 2011, 07:29PM
Posts: 44
Ok Moc.... here's a question... can we add games to this?
Moc
May 22 2012, 07:59AM
  • e107 Site administrator
  • e107 Security Team
  • e107 Support Team
  • e107 Documentation Team
Registered Member #44563
Joined: Apr 12 2008, 03:01AM
Location: The Netherlands
Posts: 3612
You can, but you need to download/buy them from a third party. The kroozearcade plugin is just a framework that allows games to be added and played. Google is your best friend in finding the third parties.
cyberken
May 28 2012, 04:01PM
Registered Member #35594
Joined: Apr 24 2007, 03:03PM
Location: Edinburgh
Posts: 68
Firstly, massive respect and appreciation to Septor for fixing this.
If there is enough demand for games, then I'd be happy to offer them as downloads (I have loads).
It will take a bit of time to get them uploaded though.
cyberken
May 29 2012, 12:17AM
Registered Member #35594
Joined: Apr 24 2007, 03:03PM
Location: Edinburgh
Posts: 68
I wonder if anyone can help me with some issues.

I have updated the plugin with the new files. The main arcade page is not showing on the site - just a blank page where it should be: [-link-]

In the admin area the arcade menu pulls the theme from the site and not the one I have set for the admin theme. The admin navigation menus are all listed as ADLAN_52, ADLAN_53 etc., and lastly (not sure if this is because of security) there isn't an option any more for installing games when uploaded via FTP - everything now has to be done manually.

The other plugins I have installed are:
Ban Helper, Chat Box, Feature Box, Forum, Integrity Check, New Forum Posts, Newsletter, PHP FreeChat and Private Messenger.

I would be most grateful for any help.
Thanks
outlaw16151
May 29 2012, 11:57AM
Registered Member #61697
Joined: May 29 2011, 07:29PM
Posts: 44
Moc wrote ...

You can, but you need to download/buy them from a third party. The kroozearcade plugin is just a framework that allows games to be added and played. Google is your best friend in finding the third parties.


I have the games, I was only asking if you can add newer games to it... yes, Google is my friend for all my searches.
M@CH!N3
May 30 2012, 05:13AM
Registered Member #55442
Joined: Apr 01 2010, 09:13PM
Location: USA
Posts: 139
cyberken wrote ...

I wonder if anyone can help me with some issues.

I have updated the plugin with the new files. The main arcade page is not showing on the site - just a blank page where it should be: [-link-]

In the admin area the arcade menu pulls the theme from the site and not the one I have set for the admin theme. The admin navigation menus are all listed as ADLAN_52, ADLAN_53 etc., and lastly (not sure if this is because of security) there isn't an option any more for installing games when uploaded via FTP - everything now has to be done manually.

The other plugins I have installed are:
Ban Helper, Chat Box, Feature Box, Forum, Integrity Check, New Forum Posts, Newsletter, PHP FreeChat and Private Messenger.

I would be most grateful for any help.
Thanks

I have the same issue. I just use the old file for the admin area since admins are the only ones who can access it; no need to really worry about security on admin pages since I am the only admin to access them.

But for the arcade main page I also get a blank page.