Recently, I was informed of an XSS problem in SMFShop. If you have been affected by this problem, your forum will redirect to another site when you visit it. This was caused by several items not correctly sanitising user-supplied input: a member could put HTML and script into a name or title field, and the stored value was then rendered as markup on every page that displays it.

To fix this problem, please replace the following files in your SMFShop installation's Sources/shop/items directory ASAP:

ChangeDisplayName.php
ChangeUserTitle.php
ChangeUsername.php
ChangeOtherTitle.php

(Right-click each link, choose "Save Target As" or "Save Link As", save the files to your computer, and then upload them via FTP to your site.) If you are unable to do this immediately, please remove those items from your shop to prevent your site from being exploited.
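To show the class of bug involved, here is an added example that is not SMFShop's own code: a hypothetical shop item handler in PHP, first in the unsafe form that trusts the submitted name, then in the corrected form that HTML-encodes it before it is stored (the form SMF keeps member fields in). The column name realName is the SMF 1.1 one used in the queries below; the request field name "newname" and the length limit are assumptions.

```php
<?php
// Added illustration, not SMFShop's own code. A hypothetical shop item that
// lets a member change their display name, in the unsafe form and then in the
// corrected form. The column name (realName) follows the SMF 1.1 members
// table; the $_POST field name "newname" and the length limit are assumptions.

// Unsafe version: the new name is taken straight from the request and handed
// back for storage as-is. SMF's templates print member names without further
// encoding, so tags in the stored value become live markup on every page that
// shows the name.
function new_display_name_unsafe(array $post)
{
    return $post['newname'];
}

// Corrected version: HTML-encode the value before it is stored. ENT_QUOTES
// also encodes single and double quotes, so the value is safe inside an HTML
// attribute as well as in element content.
function new_display_name_safe(array $post)
{
    $name = isset($post['newname']) ? trim((string) $post['newname']) : '';
    $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    // Reject empty names and names that would not fit the column
    // (255 is the assumed varchar size; encoding lengthens the value).
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    return $name;
}

// Constructed payload of the kind described in the advisory: a name that
// redirects every visitor to another site once it is rendered.
$post = array(
    'newname' => '<script>window.location="http://attacker.example/";</script>',
);

$unsafe = new_display_name_unsafe($post);
$safe   = new_display_name_safe($post);

echo "unsafe item would store: $unsafe\n";
echo "fixed item would store:  " . ($safe === false ? '(rejected)' : $safe) . "\n";

// The stored value is what the clean-up query's LIKE "%<SCRIPT%" (case-
// insensitive in MySQL's default collations) is matched against: the raw
// payload contains the tag, the encoded one does not.
echo 'clean-up pattern matches unsafe value: '
    . (stripos($unsafe, '<script') !== false ? 'yes' : 'no') . "\n";
echo 'clean-up pattern matches fixed value:  '
    . ($safe !== false && stripos($safe, '<script') !== false ? 'yes' : 'no') . "\n";
```

Run it with `php` from the command line to see both values side by side; the point is that the fix belongs where the value enters the database, not in the template that prints it, because the same stored name is printed by many templates.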
If you were exploited, please run the following queries in phpMyAdmin. This will set all users' display names back to their usernames (the queries assume the default smf_ table prefix; adjust it if your installation uses a different one):

SMF 1.1:
UPDATE smf_members SET realName = memberName;

SMF 2.0:
UPDATE smf_members SET real_name = member_name;

Alternatively you may try these queries, which should only change the names of users who abused the exploit:

SMF 1.1:
UPDATE smf_members SET realName = memberName WHERE realName LIKE "%<SCRIPT%";

SMF 2.0:
UPDATE smf_members SET real_name = member_name WHERE real_name LIKE "%<SCRIPT%";

Note that this pattern only matches names containing a literal <SCRIPT tag; a name that carries script some other way (for example in an event attribute of another tag) will not be caught. If you want to see exactly which rows will be changed, run the same WHERE clause as a SELECT first.
Sorry about this, guys! When I get some free time, I (as well as others) will be going over SMFShop's code, looking for any similar problems. Because this is a project I do in my free time, I don't get much time to dedicate to it.
Thanks,
- Daniel15