I think it just says you can download the db if you don't change the name, whereami.asp should be deleted, 422 in setup.asp 'strSender = Request.QueryString("MAIL")' should be sterilized, and don't use a previous version. Not sure how to code the fix to the XSS problem but probably use some form of ChkString.
Grr! Another jackass posting nonsense without researching the issue first:
- The readme already advises about changing the db name and not storing it in your forum's directory so that's a problem with the user, not the forums.
- The XSS problem they posted doesn't exist in login.asp but it is an issue in setup.asp
- The final "bug" they posted just proves that they know nothing about how Snitz works; the form in login.asp is processed by login.asp before the user is redirected to the target page, meaning that the username & password are never passed to the target page.
Search is your friend

“I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.”
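One way to handle the `MAIL` parameter in setup.asp, as an added example that is not part of the thread or of the Snitz code base: validate the value against an e-mail allowlist on input, and HTML-encode it wherever it is written back to the page. The helper name `CleanMailParam` and the `<input>` field it is echoed into are assumptions; `Server.HTMLEncode` and the VBScript `RegExp` object are standard Classic ASP.

```asp
<%
' Hypothetical helper (not a Snitz function): returns the value only if it
' looks like an e-mail address, otherwise an empty string.
Function CleanMailParam(ByVal raw)
    Dim re
    CleanMailParam = ""

    ' Reject empty or oversized input before running the pattern.
    If Len(raw) = 0 Or Len(raw) > 254 Then Exit Function

    Set re = New RegExp
    ' Allowlist: the anchors matter, without ^ and $ a partial match would pass.
    ' Quotes, angle brackets and whitespace are not in either character class.
    re.Pattern = "^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$"
    re.Global = False

    If re.Test(raw) Then CleanMailParam = raw
    Set re = Nothing
End Function

Dim strSender
' Input side: the raw query-string value never reaches the rest of the page.
strSender = CleanMailParam(Trim(Request.QueryString("MAIL")))

' Output side: encode at the point of use even though the value was validated,
' so a later change to the pattern cannot reintroduce the reflection.
' The field below is an assumed example of where the value is echoed.
Response.Write "<input type=""text"" name=""Sender"" value=""" & _
               Server.HTMLEncode(strSender) & """>"
%>
```

Encoding at output is the part that closes the XSS; the allowlist only narrows what the page will accept in the first place.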