Hello,
I have a chat script which works with many guest levels and many admin levels.
The problem is that some people can run VBScripts which give them authority as admin while they are only a guest.
They can run them via a browser called "SlimBrowser".
You can get it from the following link:
[login to view URL]
After you install it, you can check the problem.
Go to the following link (it is one of our chat rooms):
[login to view URL]
Type any nickname (example: nickname = abcd), then press the button.
Wait for loading. After loading, it is going to show a table containing room names. Choose any room.
Now you are in the chat.
Then go to View menu >> Explorer Bar >> Script Pad.
Type one of the following codes:
[**CODES**]
code to Change all Guest Nick names :
javascript:[login to view URL](top.ct.sel_uid,"Type new name here.")
code to Kick all users
javascript:[login to view URL](top.ct.sel_uid,"Type name here.")
show all users
javascript:[login to view URL](top.ct.sel_uid,0 -1, -1, -1, -1, 3);
force change your nick name :
javascript:[login to view URL]("Type name here")
get master ID :
javascript: [login to view URL] (top.ct.sel_uid, 0)
Kick all Guest users :
javascript:[login to view URL](top.ct.sel_uid,"")
Close Room
javascript:[login to view URL] (rps=1001)
change PIC ( SetUserDef ) ...
call [login to view URL](4): newicon=3
fake logout
call [login to view URL]("logout")
sending msg when you are not in the room
call [login to view URL]("ur msg here")
vbscript hacks
get any room ID
javascript:alert([login to view URL])
[**CODES**]
Then press Run Script; it is one of the small icons in the left pane.
After it runs, you will get the same authority as admins.
I want to disable those commands.
I have attached the source code of the page that needs that XSS fixed.
Note: we have already disabled the admins' features.
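Added example, not part of the original post or the chat script's code: because any visitor can call the page's client-side functions from a script pad or browser console, the privilege check has to run on the server for every command. The sketch below assumes a hypothetical command handler; the role names, command names, session ids and the `authorize` function are all invented for illustration.

```javascript
// Hypothetical server-side authorization for chat commands (all names are assumptions).
const ROLE_RANK = { guest: 0, moderator: 1, admin: 2 };

// Minimum role per command. Anything not listed here is rejected outright.
const COMMAND_MIN_ROLE = {
  sendMessage: 'guest',
  changeNick: 'guest', // own nickname only; renaming others is raised to admin below
  kickUser: 'moderator',
  closeRoom: 'admin',
};

// Constructed session store: the role is assigned by the server at login
// and is never read from anything the browser sends.
const sessions = new Map([
  ['sess-guest-1', { userId: 'u1', role: 'guest' }],
  ['sess-admin-1', { userId: 'u9', role: 'admin' }],
]);

function authorize(sessionId, request) {
  const session = sessions.get(sessionId);
  if (!session) return { ok: false, reason: 'no-session' };

  // Allow-list lookup; hasOwnProperty avoids matching inherited keys like "constructor".
  const known = Object.prototype.hasOwnProperty.call(COMMAND_MIN_ROLE, request.command);
  if (!known) return { ok: false, reason: 'unknown-command' };

  let minRole = COMMAND_MIN_ROLE[request.command];
  // Renaming someone else is an admin action even though renaming yourself is not.
  if (request.command === 'changeNick' && request.targetId !== session.userId) {
    minRole = 'admin';
  }

  // Only the server-held role counts; request.role, request.level etc. are ignored.
  if (ROLE_RANK[session.role] < ROLE_RANK[minRole]) {
    return { ok: false, reason: 'forbidden' };
  }
  return { ok: true, actor: session.userId };
}
```

Hiding or disabling the buttons in the page does not change the outcome of these checks, which is the point: the server decides from its own session record.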