Somechess v1.5 rc1 - XSS

Somechess v1.5 rc1


Affected files:

* Profile input boxes

Upon dumping the SQL data into the table, if you get errors and it won't create the tables & data (like it did to me), then just remove all the " from the SQL file. You'll also have to manually add players & their pw's (MD5 hashed) via phpMyAdmin or whatever you use. There's also a PHP error on menu.php that you'll have to fix, since it won't allow you to connect to the game DB.

XSS vuln with session disclosure from "New name" profile input box.

Data isn't sanitized before being generated. PoC:
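
An added mitigation example, not the advisory's PoC and not Somechess's own code: one way a "New name" value can be validated on input, encoded on output, and the session cookie kept away from page script. Every function name, the name policy and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical helpers, not taken from Somechess.
// The array form of session_set_cookie_params() needs PHP 7.3 or later.

/** Allowlist check applied when the profile form is submitted. */
function validate_new_name(string $raw): ?string
{
    $name = trim($raw);
    // Assumed policy: letters, digits, space, underscore, hyphen; 3 to 20 chars.
    if (preg_match('/\A[A-Za-z0-9 _-]{3,20}\z/', $name) !== 1) {
        return null; // reject instead of trying to "clean" the value
    }
    return $name;
}

/** Encode a value for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode at output time, even for names that passed validation earlier. */
function render_profile_name(string $storedName): string
{
    return '<span class="player-name">' . h($storedName) . '</span>';
}

/** Keep the session ID unreadable from page script to limit session disclosure. */
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // assumes the site is served over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed sample inputs: one valid name, one with markup, one too short.
$samples = ['Kasparov_85', '<b>markup</b> name', 'x'];
foreach ($samples as $s) {
    $verdict = validate_new_name($s) === null ? 'rejected' : 'accepted';
    // Rendering is shown for every sample to cover rows stored before validation existed.
    echo $verdict, ': ', render_profile_name($s), PHP_EOL;
}
```

Output encoding is the control that closes the hole; the input allowlist and the HttpOnly cookie reduce impact if an unencoded sink is missed elsewhere.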

