Does this avatar hack have the same vulnerability that the version for 6.1.x has? Here is what I'm talking about.
When you view your profile you can change your avatar to one of the defaults, so all you have to do is save the page to your computer and change the code to..:
and submit it!
This will give anybody one of the reserved custom avatars. Obviously it could be anything.
It might be possible to insert JS in there as well.
This is not a good thing, so how would you update the hack to make sure that the referrer is the UBB itself and not a remote machine?
Edit: If you can view the code as I posted it, it uses & to replace certain characters.
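The check the post asks about, as an added example that is not part of the original post and is not UBB's or the hack's own code: a Referer test together with a server-side allowlist of avatar values, since the Referer header is supplied by the client just like the edited form. The host name, avatar file names, group names and function names are all hypothetical.

```python
from urllib.parse import urlsplit

# All names and values below are hypothetical; they are not UBB's own.
BOARD_HOST = "forum.example.com"
DEFAULT_AVATARS = {"cat.gif", "dog.gif", "robot.gif"}   # any member may pick these
RESERVED_AVATARS = {                                     # avatar -> groups allowed to use it
    "admin_star.gif": {"admin"},
    "mod_shield.gif": {"admin", "moderator"},
}


def referer_is_board(referer):
    """True if the Referer header names the board's own host.

    The header is sent by the client, so this only filters casual
    off-site submissions; it cannot stop an edited request.
    """
    if not referer:
        return False
    return urlsplit(referer).hostname == BOARD_HOST


def validate_avatar(submitted, user_groups):
    """Return the avatar file name to store, or raise ValueError."""
    name = submitted.strip()
    if name in DEFAULT_AVATARS:
        return name
    allowed = RESERVED_AVATARS.get(name)
    if allowed is not None and allowed & set(user_groups):
        return name
    # Reserved avatars for the wrong user, URLs, markup and script all end here.
    raise ValueError("avatar not permitted for this user")


def handle_profile_update(form, headers, user_groups):
    """Constructed request handler: returns (ok, stored_value_or_reason)."""
    if not referer_is_board(headers.get("Referer")):
        return (False, "bad referer")
    try:
        return (True, validate_avatar(form.get("avatar", ""), user_groups))
    except ValueError as exc:
        return (False, str(exc))
```

Because the stored value can only be one of the known file names, the same check also covers the script-insertion concern raised in the post.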