Service Interruption

Apr 20 2009, 09:54 PM

At 10:30 PM there was a service interruption. Our system was turned off to avoid improper shutdown before the UPS systems became exhausted. The server was rebooted once they became charged. Things will be a bit slow as the system warms up again and reloads all the sites into memory.

We apologize for any inconvenience.

PHPQA Sec Update

Apr 20 2009, 06:49 PM

Today I've issued a security update release for PHP-Quick-Arcade (3.0.21). This addresses a few security problems found by a user who alerted me about them via IRC (Name: mib_xqe8za), one being serious, so please apply these updates as soon as possible. The update does NOT contain any bugfixes or new features.

This is a serious one, so make sure you do the Arcade.php edit below. In Arcade.php, find:

QUOTE
$countquer = run_query("SELECT gamecat FROM phpqa_games $fav_quer".($_GET['cat']?" WHERE gamecat='".$_GET['cat']."'":""));

Add directly below:

QUOTE
// Patch - 04/20/2009
// Only these four values are accepted for 'by'; anything else (missing, empty or tampered) falls back to 'game'.
if (!isset($_GET['by']) || !in_array($_GET['by'], array('game', 'gameid', 'about', 'Champion_name'), true)) {
    $_GET['by'] = 'game';
}

This one is a potential problem, but not confirmed. Just apply it anyway; it stops an error message if the value is messed with. Find:

QUOTE
if (!mysql_fetch_array(run_query("SELECT id FROM phpqa_games WHERE gameid='".$_POST['gameid']."'"))) die("Ha! Like I'd leave myself open to THAT one");

Add above:

QUOTE
// Patch - 04/20/2009
$_POST['gameid']=htmlspecialchars($_POST['gameid'], ENT_QUOTES);

Save and close Arcade.php, all done.
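The two Arcade.php edits above, restated as an added example that is not PHP-Quick-Arcade's own code: the `by` value is checked against a fixed list, and `gameid` is bound as a parameter instead of being pasted into the query. It assumes `by` selects a sort column and that PHP has the pdo_sqlite extension; the table layout, sample rows, inputs and function names are constructed for the demonstration.

```php
<?php
// Added example, not PHP-Quick-Arcade code. Table layout and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE phpqa_games (id INTEGER PRIMARY KEY, gameid TEXT,
    game TEXT, about TEXT, Champion_name TEXT)");
$db->exec("INSERT INTO phpqa_games (gameid, game, about, Champion_name) VALUES
    ('snake', 'Snake', 'Eat the dots', 'alice'),
    ('asteroids', 'Asteroids', 'Shoot the rocks', 'bob')");

// Column names cannot be bound as parameters, so the name is picked from a
// fixed list and the request value itself is never copied into the SQL.
function sort_column($by)
{
    $allowed = array('game', 'gameid', 'about', 'Champion_name');
    return (is_string($by) && in_array($by, $allowed, true)) ? $by : 'game';
}

// Values are bound, so quotes and backslashes in $gameid stay plain data.
function game_exists(PDO $db, $gameid)
{
    if (!is_string($gameid)) {
        return false; // e.g. gameid[]=x arrives as an array
    }
    $stmt = $db->prepare('SELECT id FROM phpqa_games WHERE gameid = ?');
    $stmt->execute(array($gameid));
    return $stmt->fetchColumn() !== false;
}

function list_games(PDO $db, $by)
{
    $sql = 'SELECT gameid, game FROM phpqa_games ORDER BY ' . sort_column($by);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a listed column, an unlisted string, an array, a missing value.
foreach (array('gameid', 'not_a_column', array('x'), null) as $by) {
    printf("%-16s -> ORDER BY %s\n", json_encode($by), sort_column($by));
}
var_dump(game_exists($db, 'snake'));   // id present in the sample rows
var_dump(game_exists($db, "sn'ake"));  // quote is matched literally, no SQL error
print_r(list_games($db, 'Champion_name'));
```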

The next one is minor because it can only be triggered by somebody with mod/admin access; fix it if you want. You can still upload PHP files and all that anyway, so you just need to take care over who you make arcade admins.

In acpmoderate.php, find:

QUOTE
$ArcadeCSSOpen = fopen("./banned.txt","w");

Delete the line directly below it, and replace it with:

QUOTE
fputs($ArcadeCSSOpen,htmlspecialchars($_POST['cssforarcade'], ENT_QUOTES));

You can do the exact same to acp.php if you wish as well.

Alternatively you can go to http://quickarcade.jcink.com and download the files, upload Arcade.php and acp.php to get the update if you have not modified the arcade files.

Let me know if you have any trouble applying the update or have any questions.

Thanks.

Happy Birthday Jcink.com

Apr 16 2009, 05:00 AM

Jcink.com celebrates 9 years of being online today!

Thanks to everyone; without all of the great community support and feedback, we would not be here right now. We look forward to many more years of service - here's to it!